By Andrea Kahn-Kothmann, Esq.
On December 28, 2000, the U.S. Department of Health and Human Services (HHS) published controversial final regulations establishing privacy standards for personal health information. At least initially, the extensive new requirements described in the Privacy Standards are likely to pose a substantial compliance challenge for covered organizations, including providers. Following a recent delay, the Privacy Standards are now scheduled to go into effect on April 14, 2001; however, most covered entities will not be required to comply with the new rules until two years later—April 14, 2003.
This article provides a description of the statutory and regulatory context for the Privacy Standards, a brief overview of the rules, and several recommendations of practical steps that physicians can take in order to begin planning for compliance with the new requirements. Please note that, due to space constraints, this article can necessarily furnish only a cursory explanation of the Privacy Standards, which, along with HHS’ explanatory guidance, comprised almost 400 pages of text in their final, published form. Thus, physicians who wish to obtain a more complete sense of how the new rules will affect their practices are strongly advised to seek additional guidance from their professional associations, appropriate industry groups and/or professional advisors.
Privacy as Part of Administrative Simplification
The Privacy Standards are part of a suite of regulations issued pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, known as HIPAA. With Administrative Simplification, Congress sought to promote the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. To this end, Congress directed HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses and health care providers. HHS issued final electronic transaction and code set standards in August 2000, and compliance with these information transmission standards will be required by October 2002. HHS is also expected shortly to finalize standards for national provider, plan and employer identifiers.
Recognizing the potential challenges to the confidentiality of information that would accompany the increased electronic transmission and sharing of personal health information, Congress also ordered HHS to adopt standards to protect the security (namely, confidentiality, integrity and access) and privacy of such information. HHS published its proposed security standards in August 1998 and proposed privacy standards in November 1999. The final Privacy Standards published in December 2000 reflected numerous changes from the proposed rule, many of which responded to the approximately 52,000 comments received in response to the agency’s proposal.
Overview of the Privacy Standards
Organizations governed by the new rules, or “covered entities,” comprise health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with standard transactions (e.g., claims submission and eligibility inquiries) identified under HIPAA. The Privacy Standards apply to so-called “protected health information”—namely, individually-identifiable information transmitted or stored in any form (i.e., paper, oral or electronic) that concerns the individual’s past, present or future physical or mental health or that relates to the provision of health care to or payment of health care for the individual.
Covered providers who have a direct treatment relationship with an individual must obtain the individual’s written consent in order to use or disclose information for treatment, payment or health care operations (e.g., training, credentialing and business management activities). Use and disclosure of protected health information is permitted without the individual’s consent, authorization or agreement for specified public policy purposes (e.g., public health activities, law enforcement purposes, research and serious threats to health or safety). For any other use or disclosure of such information, a covered entity must obtain the individual’s written authorization (a more extensive document than a consent). Except with respect to disclosures to a provider for treatment purposes, covered entities must “reasonably ensure” that all uses and disclosures of information are limited to the minimum amount of information required to accomplish the intended purpose of the use or disclosure.
Covered entities will generally be permitted to disclose protected health information to “business associates,” provided that they obtain contractual assurances from the business associate that it will safeguard the information. A business associate relationship is created when the right to use or disclose information belongs to the covered entity and another party requires the information either (1) to perform a function for, or on behalf of, the covered entity (e.g., billing or practice management services) or (2) to provide certain specified services (e.g., legal and accounting) to the covered entity. A business associate contract is not required where a disclosure is made for treatment purposes from one provider to another.
Patients are afforded a number of new rights under the Privacy Standards, including the right to adequate notice of privacy practices, the right to access protected health information, the right to an accounting of disclosures and the right to request amendment of protected health information. Covered entities are required to implement a number of administrative requirements (including designating a privacy official, training workforce members and establishing administrative, technical and physical safeguards for information), in order to effect these patient rights and achieve compliance with the other provisions of the rule.
HHS’ Office for Civil Rights has been charged with enforcing the Privacy Standards, and its focus will be on achieving organizations’ voluntary compliance with the rule. Where this goal cannot be attained, the HIPAA statute establishes a range of civil and criminal penalties for violation of the Privacy Standards.
Preliminary Compliance Recommendations
HHS emphasizes throughout its explanation of the Privacy Standards that it intends the requirements to be “scalable” and not rigid, so that they can be implemented appropriately within different types of covered entities ranging from solo physician practices to national hospital chains. With the general principle of “scalability” in mind, physicians and physician groups can take the following initial steps toward compliance with the new Privacy Standards:
Get Started. Given that compliance with the Privacy Standards will not be required before April 2003, the need for compliance may not seem urgent. However, developing knowledge about the rules’ requirements, performing assessments, revising forms and instituting new administrative procedures will take time. Unless covered entities proceed diligently toward an understanding of and compliance with the Privacy Standards, the 24-month implementation period will slip by quickly.
Remember That This Is Not Y2K. Covered providers must bear in mind that the need for compliance with the Privacy Standards is fundamentally different from the preparations that were required (or thought to be required) for Y2K. Rather than involving safe passage through a moment in time, the new rules represent a sea-change in the on-going expectations surrounding use and disclosure of personal health information.
Become Familiar with the New Rules. Fortunately, it should not be necessary for providers to read all 370 pages of the privacy regulations in order to know what they require. Numerous resources are available to physicians to assist them in understanding the Privacy Standards and how they apply to a private practice. These resources include professional societies, industry organizations (e.g., MGMA), professional advisors and the government itself. As a start, providers can review HHS’ “Administrative Simplification” website at http://aspe.hhs.gov/admnsimp/.
Consider Performing a Compliance Assessment. At some level, it will be necessary for physicians to determine the areas in which their practices are or are not compliant with the Privacy Standards. With respect to areas of non-compliance, an assessment process can help practices prioritize their remediation activities. Depending on the scope of a physician practice’s operations, it may be appropriate for practice personnel to perform the assessment themselves (with the use of prepared assessment tools or questionnaires) or for the group to engage an outside advisor to oversee this effort.
Designate a Privacy Officer. The Privacy Standards require covered entities to appoint a privacy official responsible for the implementation of the organization’s privacy policies and procedures, and a contact person responsible for receiving complaints about the organization’s privacy practices and providing information about matters discussed in the notice of information practices. These functions can be served by the same person and, in a small physician practice, this is likely to be the case. The privacy officer should be identified as soon as possible so that he or she may start becoming familiar with the Privacy Standards and their application to the practice.
Identify Information Flows. Identify the various uses and disclosures of personal health information by the practice, focusing in particular on those unrelated to treatment, payment or health care operations. These can include participation in research protocols and disclosures for law enforcement purposes. As a general matter, providers will need to obtain a patient’s authorization for such disclosures or ensure that they comply with a recognized exception to the authorization requirement.
Develop Required Forms and Policies. The Privacy Standards mandate compliance with a number of documentation requirements, including use of forms of consent, authorization and notice of information practices. Covered entities must also adopt policies to address permitted disclosures (e.g., response to subpoenas) and other administrative requirements under the Privacy Standards.
Identify Business Associate Relationships. Vendors, contractors and advisors who meet the definition of “business associate,” as described above, must be identified, and steps must then be taken to bring the documentation of each such arrangement into compliance with the regulatory requirements for business associate contracts.
Don’t Forget about the Transaction and Security Standards. Providers who conduct certain transactions (e.g., claims submission or claims status inquiries) with a health plan will be required to comply with HHS’ new standards for electronic transactions by October 16, 2002. Providers should discuss with their billing software vendors and third-party payors what steps they are taking to achieve compliance with the new standards. In addition, providers should become familiar with HHS’ proposed information security standards and begin to assess what steps will be required for compliance when final rules are issued.
The new Privacy Standards are part of a broad movement calling upon business—including the health care industry—to reshape the way it handles personal information. In this vein, new information practices standards have been established in the financial services and on-line industries. Although HHS may modify the Privacy Standards in certain particulars in the coming months, physicians are well-advised to assume that some form of heightened federal protection for privacy of health records is here to stay.
Andrea M. Kahn-Kothmann, Esq., is a senior associate with the law firm of Reed Smith LLP in the Health Care Group of the firm’s Philadelphia office.