Davis Wright Tremaine LLP
Practice Areas: HIPAA

Advisory Bulletin

HIPAA Is The Law: A Report on HIPAA's Current Status and Some Practical Recommendations for What to Do Now

By Gerry Hinkley, Tom Jeffry, Paul Smith and Richard Marks
[March 2001]

What Should We Be Doing About HIPAA Right Now?

This question has been on everyone's lips since the change in administration and the re-opening of the final privacy regulations for comment.  These events have encouraged interest groups to press for amendments and delays.  Meanwhile, covered entities are faced with the questions of how to move forward with their compliance efforts and at what pace.  This Advisory provides a snapshot of HIPAA's current status and makes some practical suggestions.

HIPAA's Current Status

  • HIPAA is in effect now.  The statute requires covered entities that maintain or transmit health information to implement "reasonable and appropriate safeguards" to ensure its integrity and protect its privacy.   This obligation is independent of regulatory standards.  (See commentary below, "HIPAA is the Law.")

  • The Transaction Standards are Final.  Unless the regulations are modified or delayed, health care providers who engage in electronic transactions, health plans and health care clearinghouses will be required to use these standards beginning October 2002 (implementation is delayed a year for small health plans).  The transaction standards are at the heart of HIPAA's administrative simplification provisions.  They create standards for the format and content of electronic data interchanges between providers and payers, and their intermediaries.  These standards have been the least controversial aspect of HIPAA, and enjoy wide industry support.  From a practical point of view, they could be implemented without the supporting privacy and security regulations.  As a general rule, HHS may modify the transaction standards only once a year, although during the first year after adoption of a standard it may be modified as necessary to permit compliance with it.

  • Privacy Standards may be Final April 14, 2001.  Due to a bureaucratic snafu, the 60-day window for Congressional review of the privacy regulations published December 28, 2000, did not commence until February 13, 2001.  Under the Congressional Review Act, little used until Congress recently overturned controversial workplace safety rules, Congress has the ability to overturn a major rule within 60 days after it receives the official report of the rule's adoption.  There are no strong signs to suggest that Congress will disturb the HIPAA privacy rules.

    Meanwhile, although the mandate of the existing statute leaves the Secretary with very limited ability to delay or suspend the regulations, Secretary Thompson took the unusual step of opening a 30-day comment period that closes March 30, 2001. In the notice announcing this action, Secretary Thompson stated:  "The significance of the Privacy Rule for the health care industry and for society as a whole, and the substantial nature of some concerns that have been raised have led us to conclude that an additional comment period on the Privacy Rule is warranted."  With the expectation that the Secretary will carefully consider comments, payers, providers, clearinghouses and potential "business associates" have the opportunity to tell their own story and make suggestions for changing the rule.  The re-opening of the rules for comment does not entail a delay in implementation, although it could result in changes to the regulations.

  • There is No Timetable for Final Security Regulations.  Proposed security standards were published in August 1998.  They have not been finalized, and the administration is not predicting a date for final rules.  HHS has warned that failure to release security standards in a timely manner could cause it to postpone implementation of the privacy standards, because implementation of the two is so intertwined.


Prospects for Delay in Implementation

Given the statutory deadlines for implementation, the Administration seems to have very limited flexibility to delay the standards.  However, prominent commentators are calling for Congress to slow implementation:

  • National Governors Association (NGA):  Called on Congress to delay the HIPAA implementation schedule until all the regulations have been finalized, and a single, uniform date of compliance is established, allowing a sufficient and reasonable time period in which to implement "this complex law and its multitude of regulations."  http://www.nga.org/

  • House Majority Leader Dick Armey (R-Texas): Wrote to HHS urging it to put the privacy regulations on hold until a comprehensive review can be conducted as to the wisdom of handing over personal medical records to the federal government.

  • Blue Cross Blue Shield Association:  Reported to be asking for a four-year delay in implementation. http://www.afehct.org/pdfs/washwire1110.doc

  • Workgroup for Electronic Data Interchange (WEDI):  Will recommend to HHS a modest delay in implementation of the transaction, privacy and security regulations.

  • American Hospital Association:  Urged members to ask HHS to suspend the rule and delay the implementation date to a workable, more realistic time frame beyond the current two years. http://www.aha.org/grassroots/grassroots.asp

One lone voice, the Association for Electronic Health Care Transactions (AFEHCT), opposed delay in the transaction standards and the other regulations.  http://www.afehct.org/


What Should Covered Entities Be Doing Right Now?

Regardless of the likelihood of delay in implementation, be it a few months or longer, and keeping in mind that HIPAA's security requirements are currently enforceable federal law whether or not the regulations become final (see our analysis below under "HIPAA is the Law"), covered entities would be foolish to stick their heads in the sand about HIPAA.  Two initiatives are worthy of consideration: first, take advantage of the extraordinary comment period to weigh in on the requirements of the privacy regulations; and second, take the basic steps to start your organization's thinking about how it will become HIPAA compliant when the time arrives.

  • Take Advantage of the Special Comment Period Expiring March 30, 2001

    There is strong bipartisan sentiment in Congress for strict privacy rules to protect - and enhance - the confidentiality of patients' medical data.  This concern is bolstered generally by continuing marketing abuses in the Internet world, and specifically by well-publicized incidents involving the improper disclosure of medical records.  Congressional support for further work on the final privacy rule is crucial.  That is why this new round of comments, while too late to delay the April 14 effective date of the privacy rule, offers those in the health care industry an exceptional opportunity.

    Comments will follow two basic themes:  First, achieving an appropriate balance of policies underlying the privacy regulations. For example:

    • Patients' rights to confidentiality of their medical records

    • Patients' rights to be free of unnecessary burdens in seeking health care through tedious privacy notice, consent and authorization formalities dictated by the regulation

    • Patients' rights to receive care in an environment where important clinical information flows are not impeded

    • Patients' rights to be free from the higher costs of medical care that will result from potentially unnecessary record-keeping imposed by the privacy rules

    • Patients' rights to a care environment that is friendly and hospitable

    Second, identifying specific changes to the proposed regulations:  These will likely include the following: 

    • Whether it would be desirable for HIPAA to pre-empt state law

    • Potential impracticality of requiring written consent before use of protected health information for scheduling, preparation for treatment, discharge planning

    • Permissible uses of protected health information following a revocation of consent to use (e.g., for billing, quality assurance, accreditation)

    • Whether clinical laboratories should be considered "direct providers" for purposes of consent requirements

    • Whether covered entities may charge for copying and other administrative costs of complying with access requests

  • Take Steps to Begin HIPAA Implementation

    There is a great deal to do.  Even if HIPAA's compliance deadlines are extended, there is still great urgency in getting started now in order to finish on time, and with due regard for budgets.  Examples of these steps are:

    1.  Envision the future state (what your security systems will be like after the transition to electronic data interchange, advanced access and audit systems and the like, in order to facilitate planning and meeting HIPAA's certification requirements)

    2.  Make policy elections (e.g., whether you will operate, for various functions, as a single covered entity, organized health care arrangement, or hybrid organization, as contrasted with performing specified functions and structuring particular relationships through business associate contracts)

    3.  Begin initial security analyses (including, where appropriate, "gap analyses")

    4.  Begin clinical and business process redesign; draft security and privacy policies (these are legal as well as operational documents, because they will feature prominently in any litigation over security or privacy lapses)

    5.  Begin audit trail design (aim for realism, and do not set up audit trail systems that create more information than can be reviewed effectively and in a timely manner; include features such as real-time alarms and systems for quick, affordable retrieval of targeted information)

    6.  Think about training needs

    7.  Consider the impact of other laws (Gramm-Leach-Bliley (financial privacy), UCC Article 4A, E-SIGN, the Uniform Electronic Transactions Act, the Uniform Computer Information Transactions Act, the European Union Privacy Directive's Safe Harbor, state law preemption)

    8.  Include appropriate HIPAA considerations in vendor negotiations for information and telecommunications systems, and appropriate HIPAA provisions in information and telecommunications system procurements

    9.  Assess the budget impact of HIPAA-mandated changes early, and anticipate continued iterations of budget planning

    10.  Make the business decisions described above, and start on security analysis and examination of your information flows, so that the organization's thinking about how it will become HIPAA compliant is well under way when the time finally arrives.
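    The following is an added example, not part of the DWT bulletin and not a description of any particular vendor's product.  It illustrates step 5 above: an audit trail that records only what a reviewer needs per access to identifiable health information, fires alarms in real time on the two patterns that most often matter (a clinical user opening the chart of a patient they are not treating, and one user sweeping many charts in a short window), and indexes events so that a single patient's question "who looked at my record?" can be answered without scanning the whole log.  The field names, role names, alarm rules, thresholds and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One access to identifiable health information.

    Only what a reviewer needs is kept: who, in what role, which patient,
    what action, when, and whether a care relationship existed.  The record
    content itself is deliberately NOT logged (hypothetical schema).
    """
    ts: datetime
    user: str
    role: str          # e.g. "physician", "nurse", "billing" (assumed roles)
    patient_id: str
    action: str        # "view", "print", "export"
    treating: bool     # user has a documented care relationship with the patient


class AuditTrail:
    """Append-only access log with two real-time alarms and indexed retrieval.

    Alarm rules (hypothetical):
      NO_TREATMENT_RELATIONSHIP  a clinical user opens a chart for a patient
                                 they are not treating (the classic snooping case)
      BULK_ACCESS                one user touches `bulk_threshold` distinct
                                 patients within `window` (fires once, when the
                                 threshold is first crossed, to avoid alarm floods)
    """

    CLINICAL_ROLES = {"physician", "nurse"}

    def __init__(self, bulk_threshold: int = 20,
                 window: timedelta = timedelta(minutes=10)) -> None:
        self.bulk_threshold = bulk_threshold
        self.window = window
        self.events: List[AccessEvent] = []
        self._by_patient: Dict[str, List[AccessEvent]] = defaultdict(list)
        self._recent: Dict[str, Deque[AccessEvent]] = defaultdict(deque)
        self.alarms: List[Tuple[str, AccessEvent]] = []

    def record(self, ev: AccessEvent) -> List[str]:
        """Store the event, advance the per-user sliding window, return alarms fired."""
        self.events.append(ev)
        self._by_patient[ev.patient_id].append(ev)
        recent = self._recent[ev.user]
        recent.append(ev)
        while recent and ev.ts - recent[0].ts > self.window:
            recent.popleft()          # drop events outside the window
        fired: List[str] = []
        if ev.role in self.CLINICAL_ROLES and not ev.treating:
            fired.append("NO_TREATMENT_RELATIONSHIP")
        if len({e.patient_id for e in recent}) == self.bulk_threshold:
            fired.append("BULK_ACCESS")
        for name in fired:
            self.alarms.append((name, ev))
        return fired

    def accesses_to(self, patient_id: str,
                    since: Optional[datetime] = None) -> List[AccessEvent]:
        """Targeted retrieval: who accessed this patient's record, and when.

        Indexed per patient so one complaint can be answered cheaply.
        """
        events = self._by_patient.get(patient_id, [])
        return [e for e in events if since is None or e.ts >= since]


def demo() -> Tuple[List[Tuple[str, AccessEvent]], List[AccessEvent]]:
    """Constructed sample: a treating nurse, a physician with no care
    relationship, and a billing clerk sweeping 25 charts in four minutes."""
    t0 = datetime(2001, 3, 1, 9, 0)
    trail = AuditTrail(bulk_threshold=20, window=timedelta(minutes=10))
    trail.record(AccessEvent(t0, "nurse_a", "nurse", "P001", "view", True))
    trail.record(AccessEvent(t0 + timedelta(minutes=1), "dr_b", "physician",
                             "P001", "view", False))
    for i in range(25):
        trail.record(AccessEvent(t0 + timedelta(seconds=10 * i), "clerk_c",
                                 "billing", f"P{100 + i:03d}", "view", False))
    return trail.alarms, trail.accesses_to("P001")


if __name__ == "__main__":
    alarms, p001 = demo()
    for name, ev in alarms:
        print(f"ALARM {name}: {ev.user} ({ev.role}) -> {ev.patient_id} at {ev.ts}")
    print("accesses to P001:", [(e.user, e.ts.isoformat()) for e in p001])
```

    The design choice to note is that the trail stays small on purpose: it stores one compact row per access and raises only two alarms, each tied to a question a reviewer can act on the same day.  Logging every field of every record, or alerting on every access, produces exactly the unreviewable volume step 5 warns against.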

All of this can be done economically and to advantage now, and none of it would be premature or lack usefulness, even if some of the HIPAA compliance deadlines are extended or the privacy rules are modified, because of the great lead time that is necessary for basic security work to be done.

* * *

HIPAA is the Law
Commentary by Richard Marks

The last 12 months' focus on final rules for transaction sets, privacy, and security, and the inexplicable delays attending publication of the final rules for privacy and security, continue to draw attention away from the parts of HIPAA that are in effect today.  People continue to concentrate on the rules and ignore the underlying statute; so a brief review of HIPAA's present impact is in order.

HIPAA is codified at Title 42 of the United States Code, at Section 1320d ("42 USC § 1320d").  Under § 1320d-6, there are criminal sanctions for "[a] person who knowingly and in violation of this part . . . obtains individually identifiable health information relating to an individual; or discloses individually identifiable health information to another person . . . ."  Note that the statute uses (and defines, in § 1320d(6)) the term, "individually identifiable health information."  The proposed final privacy rule uses the term, "protected health information," but the statute does not depend on that definition and neither does the availability of criminal sanctions.

What then does it take to act "knowingly and in violation of this part . . . ."?  The "knowingly" requirement in federal criminal law probably will be interpreted by courts to mean simply that a defendant knew he was making some use or disclosure of information.  The government probably will not need to prove that the person knew that he was doing something wrong in making the use or disclosure.  This is a low threshold.

The more difficult question is whether acting "in violation of this part" requires violating the privacy or security rules, neither of which is yet final and neither of which, by its terms, will be enforced earlier than April 2003.  The answer probably is no.  The reason is that § 1320d-2(d)(2) requires each covered entity (a health plan, health care clearinghouse, or health care provider) to "maintain reasonable and appropriate administrative, technical, and physical safeguards . . . to ensure the integrity and confidentiality of the information [and] to protect against any reasonably anticipated . . . threats or hazards to the security or integrity of the information [and] unauthorized uses or disclosures of the information; and . . . otherwise to ensure compliance with this part by the officers and employees of such person."

What does all that mean?  That there is already in force a hefty security requirement.  It applies to covered entities that maintain or transmit individually identifiable health information.

For a hospital, physician practice, health plan, or clearinghouse, this existing statutory requirement should be motivation to focus on maintaining a high level of technical security and the business policies and actual practices that go with it.  Somewhere, somebody will be the victim of a hacker attack (such as the attack against the University of Washington) or an internal mistake (such as at the University of Michigan) or wrongful conduct by a disgruntled or malevolent employee.  Patient data will become public, possibly by posting to the web.  A U.S. Attorney may conclude that this demonstrates such disregard for HIPAA's requirements that a criminal prosecution is warranted.

This is hypothetical at the moment, but not really speculative.  Security in health care is not yet generally at the level that the statute specifies.

So, in asking what to do now, hospitals, physician practices, health plans, and clearinghouses should not slow their efforts in the area of security, even though Secretary Thompson is accepting a new round of comments on the final privacy rule and has yet to release the final security rule.  Neither rule cuts off the current security requirements of the statute.

There is another, possibly more important, reason why covered entities' efforts to achieve a high level of security are important:  the possibility of private suits under state law.  Potential plaintiffs are patients (or classes of patients) whose medical information is disclosed due to a security breach.  These plaintiffs can now point to the security obligations specified in § 1320d-2 (d)(2), quoted above.  Experts will testify that this statutory standard requires covered entities to exercise a high level of care where security of individually identifiable health information is at stake.  Most covered entities lack the necessary security; yet all are on notice that a high level has been required, and they have been since 1996.  No wonder the plaintiffs' bar is keenly anticipating the opportunities that HIPAA presents.

Note also that the final privacy rule will likely go into effect on April 14, 2001, even if HHS receives overwhelmingly adverse criticism of the rule in the new round of comments.  (It appears unlikely at this point that both houses of Congress will vote to repeal the final privacy rule, which is what is required under the Congressional Review Act of 1996 in order for the rule to be revoked or modified in the short term.  In the long term, HHS can, and probably will, initiate another round of "notice and comment" rule making under the Administrative Procedure Act in order to modify aspects of the final privacy rule.)

Section 164.530(c)(1) of the final privacy rule states:  "Standard:  safeguards.  A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."  This parallels § 1320d-2(d)(2) of the statute.  It also creates a mini-security rule as part of the privacy rule.  Of course, the proposed security rule is long and detailed, but this mini-security rule will remain in place even after the final security rule is published and takes effect; and, meanwhile, it is an independent basis for a plaintiff (or class of plaintiffs) to file suit in the event that protected health information is disclosed due to a security breach.

Remember:  HHS may not enforce the final privacy rule until 2003, but that may not prevent a private plaintiff from using it as one basis for a suit on negligence or similar grounds under state tort law.

