By Cherilyn G. Murer, JD, CRA
Privacy Packs a Punch

The who, what, when, and how of HIPAA

Through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress called for a new health information system with specific rules for the electronic transmission of private health information. Congress required the Department of Health and Human Services (HHS) to make rules creating a set of national privacy standards and fair practices that gives all Americans basic protection and peace of mind knowing they have control over their private medical information.

When

The effective date for the Final Privacy Rule—Standards for Privacy of Individually Identifiable Health Information—published in the December 28, 2000, Federal Register, has recently been delayed by the HHS. The effective date is currently April 14, 2001, which leads to an implementation date of April 14, 2003. With the delay, due to an administrative glitch in submitting the Final Rule to Congress, HHS reopened the public comment period and accepted comments through March 30, 2001. Secretary Thompson, the recently appointed head of HHS, has stated that after review of this round of comments, there may or may not be changes to the Final Rule or to its effective date.

Many industry associations and representatives took advantage of this opportunity to comment on the provisions of the Final Rule. Critics say that it is too complex, requires too many financial and staff resources, and is too burdensome, and that the penalties for violation are too harsh. There is concern that the rule will impede the delivery of health care and prohibit patient access to medical information, exactly the opposite of the intended effect. Its proponents are applauding its sweeping coverage of privacy and its attempt to regain public confidence in the health care system.

Who

The Privacy Rule is intended to cover as many people and organizations as allowed by Congress. The rule uses the term “covered entities” to describe what and whom it covers.
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a standard transaction. A health care provider is a provider of medical or health care services or any other person or organization that gives, bills, or is paid for health care services as part of their business. Remember that health care providers are covered by this rule only if they make a standard transaction or are employed by a health care provider that makes standard transactions.

A transaction means transmitting information between two parties for financial or administrative activities related to health care. Examples include health care claims, health care payments, referral certifications, referral authorizations, or first reports of injury. A covered entity is responsible for the actions of its workforce including employees and volunteers in regard to the requirements of the rule.

The Privacy Rule also applies to organizations and people who are “business associates” of the covered entities. A business associate is a person (but not an employee of the covered entity) who helps in any task that would use or release private health information about a patient. A covered entity that gives information to a business associate is responsible for the associate following all of the appropriate rules. If the business associate breaks the rules, the covered entity that released the information must accept the consequences.

What

One of the main goals of the Privacy Rule is to protect the use and release of patient medical information. The rule says that a person or an organization covered by the rule cannot use or give out medical information except as specifically allowed in the rule. In writing the rule, HHS tried to protect as much medical information as possible. The rule covers any medical information that can be identified to a person and is kept in any form, either on paper or electronically.
There are many specific rules that must be followed when using or giving out this medical information. On the other hand, medical information that cannot be identified to a specific person may be used and given out.

The rule uses the term “individually identifiable health information” to describe what a person or an organization cannot use or release except in certain situations. The term covers health information collected from a person that: is created or received by a health care provider, health plan, employer, or health care clearinghouse; contains information about the past, present, or future medical condition or payment for medical care of a person; and identifies the person or there is a reasonable chance that it could identify the person.

The rule only protects certain individually identifiable health information. The rule uses the term “protected health information” for such information that is sent electronically from one person or organization to another, ie, via the Internet, private networks, or physically moved onto a CD or disk; kept in electronic form; or sent or kept in any other form. The rule applies to all “individually identifiable health information” that was ever electronically transmitted or maintained, so it applies to old records as well as new records.

How

The general tenet of the Privacy Rule is that protected health information may not be used or disclosed by a covered entity unless it is permitted or required. The only required disclosures are to the individual who is the subject of the information or compliance disclosures to the Office of Civil Rights. All other uses or disclosures are permissive.

A covered entity must obtain consent from the patient for treatment, payment, and health care operations before using or disclosing any protected health information. A health care provider may condition treatment on obtaining consent.
A covered entity may use or disclose protected health information without the express consent or authorization of the patient if the patient is informed of the use or disclosure and given an opportunity to agree or object in the following circumstances: facility directory information or involvement in the individual’s care or notification to family.

A covered entity may use or disclose protected health information without consent, authorization, or an opportunity to agree or object in the following circumstances: when required by law; for public health activities; about victims of abuse, neglect, or domestic violence; for health oversight activities; for judicial and administrative proceedings; for law enforcement purposes; about decedents for organ, eye, or tissue donation; for research purposes; to avert a serious threat to health or safety; and for specialized government functions.

When a covered entity makes any use or disclosure of protected health information, except for treatment, it must make reasonable efforts to limit this information to the minimum necessary to accomplish the intended purpose.

An individual will now have the right to request restrictions of uses and disclosures, to have reasonable requests for confidential communications accommodated by health care providers, to inspect and copy protected health information, to amend health records, to have an accounting of disclosures of protected health information, and to receive adequate notice of the provider’s privacy practices. Enforcement of this rule allows for both civil and criminal penalties.
Additionally, the rule will require covered entities to do the following: designate a privacy officer and/or a contact person for complaints; track the movement of protected health information; identify and assure contractual arrangements with all business associates; alter all policies and procedures related to information management; alter all patient consent forms; and effectively train all employees.

Cherilyn G. Murer, JD, CRA, is CEO and founder of the Murer Group, a legal-based health care management consulting firm in Joliet, Ill, specializing in strategic analysis and business development. She may be reached at (815) 727 3355 or via the Web: www.murer.com