HIPAA -- Part I: Privacy Takes Center Stage

Course Authors

Ilise L. Feitshans, J.D., Sc.M.

Ms. Feitshans is Adjunct Associate Professor, George Washington University School of Public Health and Health Services, Washington D.C., and Legal Advisor, WHO/RAMS Committee of Experts on Reproductive Health at Work. She reports no conflict of interest.

Estimated course time: 1 hour(s).

Albert Einstein College of Medicine – Montefiore Medical Center designates this enduring material activity for a maximum of 1.0 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

In support of improving patient care, this activity has been planned and implemented by Albert Einstein College of Medicine-Montefiore Medical Center and InterMDnet. Albert Einstein College of Medicine – Montefiore Medical Center is jointly accredited by the Accreditation Council for Continuing Medical Education (ACCME), the Accreditation Council for Pharmacy Education (ACPE), and the American Nurses Credentialing Center (ANCC), to provide continuing education for the healthcare team.

Learning Objectives

Upon completion of this Cyberounds®, you should be able to:

  • Discuss implementation of new 2003 HIPAA regulations for medical privacy

  • Discuss the significance of preventing unauthorized disclosure of personal medical information

  • Describe at least 5 basic components of an in-house compliance system that secures protected health information (PHI).


HIPAA, the Health Insurance Portability and Accountability Act of 1996 (also known as Kennedy-Kassebaum), imposes requirements for medical privacy protection that are, in some ways, nothing new. Indeed, for many years, legislators passed laws that created a complex in-house system for safeguarding health insurance information, subject to federal enforcement oversight and with civil and criminal penalties for violations.

In addition, many professional organizations and state laws long attempted to protect, with mixed results, the medical privacy of patients. In 1898, U.S. Supreme Court Justice Brandeis published an article, Right to Privacy in the Harvard Law Review, urging protection of privacy. His effort was unsuccessful, his ideas overtaken by the very technology he decried in his article. Interestingly, however, the new privacy protections in HIPAA's 2003 regulations echo the protections Justice Brandeis tried to invent, protections that do not exist under the U.S. Constitution.

The Myth of Privacy

Justice Brandeis argued that individuals should have the right to control the use of their photographic image in the press in order to preserve their dignity in face of the prying eyes of new technologies. He argued, too, that individual privacy was a public good that should be protected because it was more valuable than the interest of the peering eyes of the general public. Furthermore, he understood that if no such protections to the right of privacy existed under law, eventually new machines would completely overtake each citizen's lifestyle, making public their medical information, their personal finances and a vast variety of personal information that is indeed readily available through databanks today.

There is a popular myth that suggests a thriving "right to privacy," similar to the one outlined by Justice Brandeis. The reality, however, is that there are few legal protections for privacy and none of them is expressly protected in the U.S. Constitution today. On the contrary, our system of governance has always been suspicious of secrecy. All too often, even the medical information of prominent public figures and their lifestyle choices are discussed in any newspaper or TV show. And few protections under law exist that draw the line between ordinary citizens and celebrities.

Although the ability for a physician to keep secret confidential information disclosed by patients in the course of treatment is a fundamental cornerstone of medical practice, the net effect of many confidentiality laws destroys privacy because there are so many valid exceptions in which disclosure of patient confidences can be allowed or are even required. A host of state laws, for example, require mandatory reporting of certain conditions and a porous system of health insurance regularly displays patients' personal information through recordkeeping, data storage, consultation and billing.

The new medical privacy regulations described below recognize this reality and have attempted to change that imbalance in the existing health system, by striking the balance in favor of creating a new apparatus whose sole purpose is to uphold patient privacy rights in so called "Protected Health information" (PHI).

It is interesting, significant and perhaps sad that many of the fears expressed by Justice Brandeis so long ago have today become commonplace, socially acceptable and legally supported intrusions into individual privacy. Into this realm of confusion between the popular desire for a right to privacy under law and the lack of actual protections for medical privacy, there appeared in the 1990s the Health Insurance Portability and Accountability Act (HIPAA).

What, Really, Is HIPAA?

Health law professors who have examined the details of HIPAA can only agree on one point: HIPAA's text is so complex that no one really understands the full ramifications of this law. Passed in 1996, HIPAA was instantly controversial. Critics and proponents alike claimed it was a broadbrush response to the nation's health problems. HIPAA made no attempt to hide its intentions -- its mammoth legislative pronouncement, running nearly 200 pages, forcefully sent the message that the lawmakers envisioned that HIPAA would produce an overhaul of health care in the United States, especially with respect to privacy, which it promised to protect by the year 2002.

HIPAA specifically requires insurers to provide on-going health insurance to previously insured individuals without regard to "pre-existing conditions." Pregnancy and genetic conditions are expressly included in the list of situations that cannot be the legitimate reason for exclusion from a policy, despite the expense and high risk among these populations. HIPAA further requires that the Secretary of Health and Human Services (HHS) propose recommendations intended to strike a balance between permitting socially important uses of information and "protecting the privacy of people who seek care and healing."

Who is a "Covered Entity?"

Among health care professionals who do not have professional legal training, recent implementation discussions about the new HIPAA regulations have focused on "Who Is a Covered Entity?" Yet, in the statute and the regulations, the definition of covered entity is so broad that a better question is probably, "Who is NOT?" The exceptions are few and the circumstances that could bring any provider acting as an independent contractor within the tentacles of the long arm of these regulations are many, as demonstrated below.

The new HIPAA regulations are officially cited as 45 CFR 164. Non-lawyers and lawyers alike can read the actual regulations by turning to the 45th volume of the Code of Federal Regulations (CFR), section 164, 165 and related sections. The proposed changes in 45 CFR 164 that were published in August 2002 made clear that the Department of Health and Human Services (DHHS) intended to remain consistent with the very broad Congressional intent as expressed in HIPAA. According to the preamble of the CFR, the definition for "Covered Entity" includes "the entities described in section 1172(a)(1): Health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a "standard transaction")." Furthermore, health care 'operations' includes activities such as quality assurance, peer review, training and business planning activities.

The covered entity is required to implement access controls that may include encryption, context-based access, role-based access, or user-based access; audit control mechanisms, data authentication and entity authentication. Significantly, DHHS further stated: "We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. A provider could not circumvent these requirements by assigning the task to its business associate since the business associate would be considered to be acting on behalf of the provider."

These definitions embrace a variety of independent contractors and equipment concerns as well as actual hospital staff, doctors and insurance carriers themselves. This broad definition is required by the logic of attempting to protect privacy: once a confidential bit of information has been publicly disclosed, privacy is gone and cannot be recaptured or restored.

What Are the Penalties?

  • HIPAA applies to health care providers that accept federal funds
  • Fraud and abuse prevention, e.g., the "death penalty" of debarment from federal contracts
  • HIPAA establishes both civil monetary penalties and criminal penalties for the knowing use or disclosure of individually identifiable health information in violation of HIPAA.

HIPAA is probably best known because it includes strong prohibitions on health care fraud and abuse, with criminal, as well as civil penalties, for offenders. HIPAA contains several significant health care fraud and abuse preventive provisions. Included are the creation of a coordinated fraud and abuse control program; expansion of the anti-kickback provisions of Medicare and Medicaid statutes to other federal health care programs; marked increase in the size and categories for civil penalties; criminalization of health care fraud; and instituting a "death penalty" for organizations that have "two or more" convictions for such crimes.

HIPAA further holds health care providers and health insurers accountable for enforcing this penalty by instituting criminal penalties against organizations that have been convicted of HIPAA crimes. Rather than offering one section labeled criminal sanctions, HIPAA has several types of criminal sanction provisions sprinkled throughout the statute, which means that different provisions may be able to stand on their own even if other criminal sanctions are declared invalid by a court of law. Deliberate links also exist between HIPAA's plain language and the U.S. Sentencing Commission Guidelines for Organizations. A "two-tiered approach" to preventing corporate crime under the Sentencing Guidelines requires that so-called "bad actors" expressly face stiffer penalties.

In the period from 1997-2000, the HHS Office of Inspector General (OIG) reported overall savings of $31.0 billion based on effective oversight of compliance with HIPAA and related laws. This included $226 million in audit disallowances, $2.1 billion in investigative receivables, and $28.7 billion in savings from implemented legislative or regulatory recommendations and actions to put funds to better use. Improper payments in Medicare fee-for-service totaled an estimated $13.5 billion, or about 8 percent of the $169.5 billion in fee-for-service payments processed in fiscal year 1999. This represented a reduction over the last four fiscal years of 42 percent from FY 1996, from a midpoint of $23.2 billion (14 percent) in 1996, to $13.5 billion (8 percent) in FY 1999 -- a drop of $9.7 billion. Following the provisions of HIPAA, OIG also encourages beneficiaries to identify allegedly fraudulent activities using the OIG Hotline, which reportedly handles about 48,000 calls per month.

Compliance Program: Purposes and Requirements

  • Pre-existing conditions can cost a lot to cover but cannot be excluded
  • Protected health information (PHI) is secured by establishing transaction standards for the exchange of health information and security standards for its protection
  • Regulations now require a Privacy Security Officer who is accountable for encryption procedures and stray information.

HIPAA is most famous (or notorious) for its claim that "pre-existing conditions" cannot be the basis for excluding people who previously had health insurance from any or all new health insurance policies that they may purchase or acquire in the context of their employment. The statute specifically prohibits "genetic discrimination," on the basis of genetic testing, as a "pre-existing condition," and lists pregnancy, ongoing disabilities, permanent injuries and other illnesses as types of conditions that cannot be the basis for exclusion from an employer's health insurance plan. This is significant because employers may be compelled to absorb into their health insurance risk pools a variety of conditions that require ongoing treatment, regardless of whether they were the employer at the onset of the expensive condition, and the health care provider is now more likely to be providing care for employees who require special medical care.

HIPAA: Individual Rights -- Wow!

  • Right to a notice of a covered entity's privacy practices.
  • Right to request restrictions and confidential communications concerning protected health information.
  • Right to obtain access to protected health information for inspection and copying.
  • Right to obtain an accounting of certain disclosures.
  • Right to request amendment of protected health information.

The new provisions of HIPAA regulations have three major requirements:

  • Protection for the privacy of protected health information (PHI)
  • Protection for the security of protected health information (PHI)
  • Standardization of electronic data interchange in health care transactions.

Many of the provisions in the HIPAA medical privacy regulations effective in 2003 may resemble common sense or common courtesy. To providers, the protections may seem cumbersome, certainly at first. For patients, the concept of having control over their own identifiable health information may seem liberating but also may prove to be a burden in some instances. Most important of all, it is unclear how these protections will be implemented without creating a huge administrative burden on the entire health care system.

Under the new regulations, all "covered entities" must provide to the patient a Notice of Privacy Practices that explains how each provider might use the patient's health information. Covered entities may only use and disclose PHI as permitted by HIPAA or more protective state rules. In order to waive the rights described in the Notice of Privacy Practices, special permission, called an authorization, must be obtained for uses and disclosures other than treatment, payment and health care operations (TPO). Even when disclosing information to family or friends involved in the patient's care, a covered entity need not obtain an authorization but must give the patient the opportunity to agree or object.

Authorization may be required to use PHI for research purposes or marketing activities. Significantly, PHI embraces more than a name and social security number. Providers must demonstrate that they have made reasonable efforts to ensure that they use, disclose or request only the minimum necessary information. These procedures must demonstrate a concern to limit the protected health information disclosed. Individualized review may be required.

Individual Rights Trump Research

There are strong limits upon the use of PHI in research. HIPAA requires patient authorization or a waiver of the authorization requirement for the use, disclosure or creation of PHI in research. There are few exceptions: the traditional forms of mandatory reporting such as reporting to public health authorities, emergencies, research studies in which a waiver has been obtained from an Institutional Review Board ("IRB"). An authorization is not required for research using only "de-identified" data. But it should be noted that de-identification is difficult: many identifiers exist AND the researcher must enter a data use agreement with the entity that holds the records.

HIPAA Compliance: New Privacy Security Requirements

  • HIPAA requires security standards for all health information pertaining to an individual that is electronically maintained or transmitted. DHHS has not yet issued the security rule.
  • Proposed regulation outlines the general security measures, including administrative, technical and physical safeguards (many comments received!)

Each covered entity that discloses protected health information (PHI) must generate a record, or an "accounting," of disclosures made and, if requested, provide that accounting to the patient. There is a complex system for "de-identification" of patient records that contain PHI. HIPAA requires security standards for all health information pertaining to an individual that is electronically maintained or transmitted. DHHS has not yet issued the security rule, but general security measures include administrative, technical and physical safeguards and may include: implementing access controls that may include encryption, context-based access, role-based access or user-based access; audit control mechanisms; data authentication; and entity authentication.

Yes, these protections must exist even though the detailed security rules have not been finalized. In addition, the health care provider must show evidence of a structure that will apply these rules and is ready to plug them into the overall compliance structure once the regulations have been finalized. Even though this sounds strange, it is not an onerous burden on covered entities, because a great deal of lead time is required to create the internal compliance structure for security measures anyway.

You Must Demonstrate Diligence

Although expected, special compliance programs to ensure the privacy of PHI are now required under the HIPAA regulations. Each covered entity must exhibit demonstrable efforts to develop policies, procedures and guidelines for use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual's status, change of status or termination. Components of such compliance programs include:

  • Designate a privacy official responsible for development of policies
  • Implement an internal complaint process to handle complaints relating to privacy rules and to explain privacy procedures
  • Workforce training by the compliance date April 14, 2003
  • Implementation of administrative, technical and physical safeguards for PHI
  • Develop and enforce sanctions for failure to comply with policies and procedures
  • Develop procedures to reduce adverse effects of a prohibited use or disclosure
  • Whistle-blower protection.

Under the proposed rules, providers must:

  • Assign responsibility for security to a person or organization
  • Assess security risks and determine the major threats to the security and privacy of protected health information
  • Establish a program to address physical security, personnel security, technical security controls, security incident response and disaster recovery
  • Certify the effectiveness of security controls.
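The technical pieces named in the two lists above (role-based access, user accounts whose access is terminated on a change of status, the "minimum necessary" limit on what is disclosed, and the accounting of disclosures a patient may request) fit together in one small access layer. The Python below is an added teaching example written for this edition, not code from the article, from DHHS or from any covered entity; the role names, the field sets assigned to each role, the purpose categories and the sample patient record are constructed assumptions.

```python
"""Toy PHI access layer: role-based access, minimum-necessary field filtering,
access termination on change of status, and an accounting of disclosures.
Added example; roles, fields, purposes and the sample record are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: the PHI fields each role needs for its job
# (the "minimum necessary" standard). Anything not listed is never returned.
ROLE_FIELDS = {
    "treating_clinician": {"name", "dob", "diagnoses", "medications"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "quality_review": {"diagnoses", "procedure_codes"},
}

# Treatment, payment and health care operations (TPO) need no authorization;
# any other purpose (e.g. research) requires one, or an IRB waiver.
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Disclosure:
    """One line of the accounting of disclosures the patient may request."""
    when: datetime
    patient_id: str
    user: str
    role: str
    purpose: str
    fields: tuple


class PhiStore:
    def __init__(self):
        self._records = {}      # patient_id -> full PHI record
        self._users = {}        # user -> {"role": str, "active": bool}
        self._accounting = []   # every disclosure this store has made

    def add_record(self, patient_id, record):
        self._records[patient_id] = dict(record)

    def provision_user(self, user, role):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self._users[user] = {"role": role, "active": True}

    def terminate_user(self, user):
        """Change of status: keep the account for audit purposes, disable access."""
        self._users[user]["active"] = False

    def disclose(self, user, patient_id, purpose, authorization=False):
        """Return only the fields the caller's role needs, and log the disclosure."""
        account = self._users.get(user)
        if account is None or not account["active"]:
            raise PermissionError(f"{user!r} has no active access")
        if purpose not in TPO_PURPOSES and not authorization:
            raise PermissionError(
                f"purpose {purpose!r} requires patient authorization or an IRB waiver")
        role = account["role"]
        view = {k: v for k, v in self._records[patient_id].items()
                if k in ROLE_FIELDS[role]}
        self._accounting.append(Disclosure(
            when=datetime.now(timezone.utc), patient_id=patient_id, user=user,
            role=role, purpose=purpose, fields=tuple(sorted(view))))
        return view

    def accounting_for(self, patient_id):
        """The accounting a patient can ask for: who saw what, when and why."""
        return [d for d in self._accounting if d.patient_id == patient_id]


def demo():
    """Walk through provisioning, two disclosures, and a terminated account."""
    store = PhiStore()
    store.add_record("P001", {          # constructed sample record
        "name": "Sample Patient", "dob": "1970-01-01",
        "diagnoses": ["dx-sample"], "medications": ["rx-sample"],
        "insurance_id": "INS-SAMPLE", "procedure_codes": ["proc-sample"],
    })
    store.provision_user("dr_a", "treating_clinician")
    store.provision_user("clerk_b", "billing")
    clinician_view = store.disclose("dr_a", "P001", "treatment")
    billing_view = store.disclose("clerk_b", "P001", "payment")
    store.terminate_user("clerk_b")     # clerk leaves: access ends, log remains
    try:
        store.disclose("clerk_b", "P001", "payment")
        denied = False
    except PermissionError:
        denied = True
    return clinician_view, billing_view, denied, store.accounting_for("P001")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The field sets are the policy decision a privacy official has to make and document; the code only enforces them. Keeping the terminated account in place rather than deleting it is deliberate, so that the accounting still names the person who made each earlier disclosure.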

Conclusions: Physicians Need to Be Aware of Relevant Laws

The new regulations that implement long-promised protections for medical privacy (as mandated by the U.S. Congress in 1996 when it wrote HIPAA) make sense. The complexity of the regulations underscores, once again, the importance of understanding the legal system that surrounds and sometimes confines the practice of medicine in the United States. There is no way in our society that one can escape legal responsibility by turning a blind eye to legal rights and obligations. That is not allowed.

Modern American medicine is now so inextricably linked to HIPAA that one must have a working knowledge of the legal superstructure and a general sense of the purposes and provisions of the law in order to function as a health care provider. There is no insurance policy that protects one against breaking the law, however unintentionally. Not only is it true that patients who know their rights under law are likely to assert them, but HIPAA also includes a strong component of third-party oversight by compliance officers, patient representatives and government enforcement staff. Thus, prudent health care providers will be aware of HIPAA requirements and respect the laws.

Resources

U.S. Department of Health & Human Services

HIPAA and ADA and other confidentiality provisions (under OSH Act) discussed in Designing An Effective OSHA Compliance Program, Ilise L. Feitshans, JD and ScM. Westlaw.com under "treatises."