HIPAA Privacy Regulations

By: Sandra C. Maliszewski, FNP, CNM, JD


In an effort to move the nation toward uniform standards for data interchange, the federal government enacted the Health Information Portability and Accountability Act of 1996 (HIPAA). One of HIPAA’s goals is to provide administrative simplification through the implementation of the Standards for Electronic Transactions (EDI), the Standards for Privacy of Individually Identifiable Health Information (Privacy regulations) and the Security Standards. These sets of regulations are intended to improve the efficiency and effectiveness of the healthcare system in this country. The Electronic Transactions regulations establish the uniform rules and codes that healthcare entities must use when conducting specific electronic transactions. The compliance deadline for these transactions was October 16, 2002. The Privacy regulations require adherence to certain standards for preserving the confidentiality of “protected health information” (PHI) by those entities and individuals who conduct the electronic transactions identified in the Electronic Transactions regulations. The Privacy rules require “covered entities” (CE) in the healthcare industry, and the “business associates” (BA) with whom CEs do business, to protect the privacy of this information. Compliance with the Privacy rules is mandatory and is required by April 14, 2003.

HIPAA requires CEs to comply with the Electronic Transactions regulations, the Privacy regulations, and any other HIPAA administrative simplification regulations issued in final form. CEs include health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions involving the exchange of patient or resident health information. “Healthcare providers” are defined to include any (1) “provider of services”; (2) “provider of medical or other health services”; or (3) “any other person who furnishes, bills or is paid for health care services and/or supplies in the normal course of business.” This broad definition includes licensed or certified healthcare practitioners such as nurse practitioners, midwives, physicians, therapists and technicians; a researcher who provides healthcare to subjects of research; free clinics; licensed healthcare professionals located at a school or business; institutional providers (hospitals, skilled nursing facilities, home health care agencies and out-patient facilities); clinical labs; suppliers of durable medical equipment; pharmacies; and even “on-line” pharmacies.

The Privacy regulations also apply to “business associates” (BA) of a CE. A business associate performs functions or services for a CE involving the use of PHI. To the extent that a business entity receives, uses and/or discloses health information on behalf of a CE, it becomes subject to certain requirements of HIPAA. Business associates include (a) any agent, contractor or other person who receives PHI from a CE or from another BA of a CE; (b) companies or consultants that perform functions for health plans and healthcare providers; and (c) persons to whom a CE discloses PHI so that the person can carry out, assist with the performance of, or perform on behalf of the CE a function or activity for the CE. Although BAs are not directly covered by the Privacy rule, HIPAA does establish specific conditions regarding how and when a CE may share information with a BA. Contracts between the CE and BA (BA agreements) must contain adequate written assurances that the BA will not further use or disclose PHI for any other purpose and will maintain the required safeguards. Examples of BAs include attorneys, auditors, CPAs, third party administrators, bill collectors, computer specialists, accreditation organizations, healthcare clearinghouses, data processing firms, and other CEs.

The Privacy regulations cover “protected health information” (PHI), which is defined as “individually identifiable health information” maintained and/or transmitted in any form (oral, written or electronic). PHI includes information created by a healthcare provider, health plan, employer or healthcare clearinghouse that identifies an individual and is related to his or her health condition. It includes information, in any form created or received by a CE, relating to (a) the past, present or future physical or mental health of a person; (b) the provision of healthcare; or (c) payment for the provision of healthcare. De-identified health information, that is, information which does not include identifying information such as names or social security numbers, is not considered to be “individually identifiable health information” and is therefore not PHI.

The Privacy regulations place various restrictions on a CE’s use and disclosure of PHI. With some exceptions, they require that proper patient “authorizations” be obtained by CEs before disclosing an individual’s PHI. The regulations also limit the quantity of PHI that a CE may disclose. When disclosing information, CEs must apply a “minimum necessary” standard and disclose only the minimum amount of health information necessary to accomplish the intended purposes of the disclosure.

The Privacy regulations also require CEs to permit individuals to access their health information. This requirement establishes (a) a federal right for patients to inspect/copy their own health information; (b) deadlines by which a CE must respond; and (c) procedures for denial of such requests.

HIPAA requires that CEs develop privacy policies to implement the Privacy regulations. A CE must provide written notice regarding its privacy practices. It must also have in place appropriate technical, administrative, and physical safeguards to protect health information, including reasonable safeguards against intentional and/or unintentional use or disclosure. The CE must designate a privacy officer whose job is to develop and implement policies and procedures related to PHI. Training of personnel regarding those policies and procedures must be done as well.

The Health and Human Services Office for Civil Rights will enforce compliance with the Privacy regulations; CMS will enforce the EDI regulations. Penalties include substantial civil and criminal liability as well as monetary penalties. The HIPAA regulations are minimum standards: where state law is more stringent on a particular issue that HIPAA addresses, state law will apply. For more information visit www.cms.gov/hipaa.