eHealth Law Advisory Bulletin, February 2000
Now That You've Handled Y2K: Here Come HIPAA's New Federal Confidentiality Standards
By W. Clark Stanton, Partner
The Secretary of the U.S. Department of
Health and Human Services ("DHHS") has published for public
comment proposed regulations that would establish comprehensive
minimum privacy standards for medical information.[1]
Publication of the regulations was required by the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA") following
Congress' failure to pass legislation establishing federal medical
privacy standards. Among other things, HIPAA establishes security
and privacy standards intended to promote the standardized, electronic
transmission of many administrative and financial health care transactions
that are currently carried out manually on paper. According to the
Wall Street Journal of January 3, 2000, consultants who have begun
working on HIPAA estimate it could cost two or even three times
as much as the year-2000 computer effort, which set the nation's
hospitals back $8 billion.
The confidentiality of most health information
is currently controlled by state law, and protections vary from
state to state. The proposed federal regulations establish a uniform
minimum 'floor' of confidentiality protection, preempting all contrary
state laws unless those laws provide for more stringent protection.
While some of the confidentiality concepts embodied in the regulations
will be familiar, in many cases they go beyond existing laws and
establish new concepts and standards. This Advisory highlights key
provisions and new concepts of the proposed federal regulations.
Who Must Comply?
The regulations would apply to the following entities and individuals
("covered entities"):
- Health Care providers. Entities
and individuals that provide medical or other health services
or furnish, bill, or are paid for health care services or supplies
in the normal course of business. They include typical health
institutions (e.g., hospitals) and individuals (e.g., physicians),
as well as clinical laboratories, durable medical equipment suppliers,
and pharmacies (including "online" Internet pharmacies).
- Health plans. Individual or group
plans that provide for, or pay the cost of, medical care. They
include managed care plans, insurance plans, government health
plans (e.g., Medicare and Medicaid), and employee welfare benefit
plans.
- Health Care clearinghouses. Public
or private entities that process or facilitate the processing
of "nonstandard data elements" of health information into "standard
data elements." They include billing services, community health
information systems, and so-called "value-added" networks.
The regulations also will reach, albeit
indirectly, entities and individuals referred to as "business partners"
of covered entities (see below under What Are the Key Provisions
and New Concepts?).
What Information Is Covered?
The regulations will apply to information
related to an individual's health or medical condition that was
created or received by a health care provider, health plan, clearinghouse,
or other specified person, and that has at some point been put into
electronic format, even if it is not currently in that format ("protected
health information"). Information that has never been in electronic
format is not covered.
What Are the Key Provisions and New Concepts?
The overall confidentiality scheme is similar to that currently
used by most states. For example, the regulations permit certain
uses of information without requiring patient authorization (e.g.,
allow internal sharing for treatment and administrative purposes).
However, some key points and concepts are either new or substantially
strengthened. These include:
- Minimum necessary disclosure.
Disclosure of protected health information, even where authorized
by law, is to be limited to the "minimum necessary" to accomplish
the purpose for which disclosure is made.
- Business partners. Covered entities
must have written contracts with individuals and entities that
perform or assist them with a function or activity and receive
protected health information ("business partners"). These contracts
must include specified confidentiality assurances, the breach
of which may be imputed to the covered entity. Further, these
contracts must recognize individuals as third party beneficiaries,
which, depending on state law, may allow individuals to sue covered
entities for violations of their privacy rights. Business partners
include individuals and entities such as lawyers, auditors, consultants,
third party administrators, health care clearinghouses, and data
processing and billing firms.
- Notice of information practices.
Covered entities must provide patients with a written notice that
in plain language describes their practices for handling and using
protected health information (in sufficient detail to put the
patient on notice of the uses and disclosures to be made of his/her
protected health information) as well as the patients' rights
with respect to that information.
- Patient rights. Patient rights
include the right to access, inspect, and obtain copies of their
health information, the right to request non-disclosure in certain
circumstances, the right to request corrections and amendments
to their health information, and the right to an accounting of
disclosures of their information.
- Accounting of disclosures. Covered
entities must give patients an accounting of all disclosures of
protected health information, except for disclosures for treatment,
payment, health care operations, and in some circumstances
disclosures to health oversight or law enforcement agencies.
Covered entities must have procedures that can give patients the
date of each disclosure, the name and address of persons receiving
protected health information, the information disclosed, the purpose
for which disclosure was made, and copies of all requests for
disclosure.
- Specified authorization forms.
The regulations include detailed requirements for forms authorizing
the release of protected health information. These requirements
differ depending upon whether the authorization is initiated by
the covered entity or the patient.
- Administrative procedures.
Covered entities must have policies, procedures, and systems in
place to protect health information and individual rights. Requirements
include: designation of a privacy officer; privacy training for
employees; safeguards to prevent intentional or accidental misuse
of protected health information, and sanctions for employee violations
of these requirements.
- De-identification. The regulations
do not apply to health information that has been "de-identified"
by removing, coding, encrypting, or otherwise eliminating or concealing
all individually identifiable information. Information is presumed
not to be individually identifiable if certain information, as
specified in the regulations, is removed or otherwise concealed.
- Preemption of State law. The federal
regulations preempt all 'contrary' state laws unless a state law
is 'more stringent.'
- Contrary.
State law is deemed to be contrary to the federal standard when
an entity would find it impossible to comply with both the state
and federal requirements or when the state law is an obstacle
to the accomplishment of the purposes and objectives of HIPAA.
States may apply to DHHS for time-limited exceptions
to this provision for laws that promote important state interests.
- More stringent. A state law is
more stringent than the federal standard if the state law
- Further limits the use or disclosure of protected health information;
- Provides individuals with greater rights of access to their
health information (with exceptions for minors);
- Increases penalties for unauthorized disclosure of information;
- Allows for greater information or increased rights to individuals
regarding the use of their health information;
- Provides stricter terms for authorizing disclosure of health
information;
- Imposes stricter standards of record-keeping or accounting;
or
- Strengthens privacy protection for individuals.
DHHS may issue advisory opinions, at the request of a state or
on its own initiative, on the question of whether a particular
state law is "more stringent."
- Penalties. Failure to comply with
the regulations could result in significant civil monetary penalties
(up to $25,000 per standard per year) or, in the event of certain
wrongful disclosures, criminal penalties (fines ranging from $50,000
to $250,000 and possible jail time).
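The "Accounting of disclosures" provision above lists what a covered entity's systems must be able to produce for a patient: the date of each disclosure, the recipient's name and address, the information disclosed, the purpose, and copies of any requests, with disclosures for treatment, payment and health care operations left out of the accounting. The following is an added example, not code from the advisory or from DHHS, of a disclosure log that captures those fields, refuses incomplete entries, and filters the exempt purposes when assembling a patient's accounting. The purpose category labels, field names and sample entries are this example's own assumptions, not terms from the regulations.

```python
"""Disclosure accounting log for protected health information (PHI).

Added example (not part of the advisory). It records every disclosure with the
fields the proposed rule's accounting provision calls for and produces the
patient-facing accounting with treatment, payment and health care operations
disclosures excluded. Category labels and field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purposes that are logged but left out of the patient's accounting
# (assumed labels for treatment, payment and health care operations).
EXEMPT_PURPOSES = frozenset({"treatment", "payment", "health_care_operations"})

REQUIRED_FIELDS = ("patient_id", "recipient_name", "recipient_address",
                   "information", "purpose")


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient_name: str
    recipient_address: str
    information: str                     # what was disclosed
    purpose: str                         # assumed category label
    request_copy: Optional[str] = None   # text of the request, if any


class DisclosureLog:
    """Append-only record: exempt disclosures are logged too, so the
    log stays complete even though they are filtered from the accounting."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        # Reject incomplete entries up front; an accounting that lacks the
        # recipient or purpose cannot be repaired after the fact.
        for name in REQUIRED_FIELDS:
            if not getattr(d, name):
                raise ValueError(f"disclosure missing required field: {name}")
        self._entries.append(d)

    def accounting_for(self, patient_id: str,
                       include_exempt: bool = False) -> list[Disclosure]:
        """Disclosures reportable to this patient, oldest first."""
        return sorted(
            (d for d in self._entries
             if d.patient_id == patient_id
             and (include_exempt or d.purpose not in EXEMPT_PURPOSES)),
            key=lambda d: d.disclosed_on,
        )


def build_sample_log() -> DisclosureLog:
    """Constructed sample data: no real patients, providers or payers."""
    log = DisclosureLog()
    log.record(Disclosure("P-001", date(2000, 1, 10), "Dr. Example",
                          "1 Clinic Way", "lab results", "treatment"))
    log.record(Disclosure("P-001", date(2000, 1, 12), "Example Health Plan",
                          "2 Payer St", "claim form", "payment"))
    log.record(Disclosure("P-001", date(2000, 1, 20), "Example Research Group",
                          "3 University Ave", "discharge summary", "research",
                          request_copy="Written request dated 2000-01-15"))
    log.record(Disclosure("P-002", date(2000, 1, 22), "Example Research Group",
                          "3 University Ave", "discharge summary", "research"))
    return log


def reportable_count(patient_id: str) -> int:
    """Number of entries in the patient's accounting (exempt purposes removed)."""
    return len(build_sample_log().accounting_for(patient_id))


def logged_count(patient_id: str) -> int:
    """Number of entries actually logged for the patient, exempt ones included."""
    return len(build_sample_log().accounting_for(patient_id, include_exempt=True))


def rejects_incomplete() -> bool:
    """True if the log refuses an entry with an empty recipient name."""
    try:
        DisclosureLog().record(Disclosure("P-003", date(2000, 2, 1), "",
                                          "4 Nowhere Rd", "x-ray", "research"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for d in build_sample_log().accounting_for("P-001"):
        print(d.disclosed_on, d.recipient_name, d.recipient_address,
              d.information, d.purpose, d.request_copy)
```

For the constructed patient P-001, three disclosures are logged but only the research disclosure appears in the accounting; keeping the exempt entries in the log anyway means the record is complete if the final rule, or a stricter state law, later requires them to be reported.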
When Will this Go into Effect?
The new standards will be enforceable twenty-four months after adoption,
except that "small health plans" are given an additional twelve
months to come into compliance.
What Should You Do Now?
Determine if the regulations apply to you. If so, become familiar
with them and work through their implications for your organization.
Speak up if you see problems with implementation of the regulations.
DHHS will accept comments on the proposed regulations until February
17, 2000.
Begin preparations for coming into compliance
with the new requirements. Compliance may require significant changes
to existing policies and procedures, and advance preparation will
be essential. While the final regulations may differ in some details
from the proposed regulations described in this memorandum, the
changes are unlikely to be significant.
What If I Need Assistance?
Davis Wright Tremaine LLP and its eHealth Law Practice Group can
assist with any questions you may have and can work with you in
your efforts to come into compliance with these new requirements.
Just contact your DWT attorney or any of the members of the eHealth
Law Practice Group.
[1] Standards for Privacy of Individually Identifiable Health Information;
Proposed Rule, 64 Fed. Reg. 59918 (Nov. 3, 1999); corrections to
the Proposed Rule were published in 65 Fed. Reg. 427 (Jan. 5, 2000).