Under HIPAA, healthcare organizations must not only ensure the privacy of protected information, but also ensure that organizations with which they do business maintain this privacy.
In November 1999, under the mandate of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, HHS issued proposed standards to protect the privacy of electronically transmitted personal health information. With publication of the final standards due soon, healthcare organizations must prepare to implement new processes and information systems to comply with the HIPAA requirements. The privacy standards are intended to accomplish three broad objectives: define the circumstances in which protected health information may be used and disclosed, establish certain individual rights regarding protected health information, and require that administrative safeguards be adopted to ensure the privacy of protected health information. Among the required administrative safeguards are designation of a privacy officer, implementation of compliance training programs for all applicable staff, establishment of a complaint system, and implementation of appropriate sanctions for violations of privacy requirements.
Implementation of the health information privacy standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has caused substantial concern to the healthcare industry. Among the most significant concerns are the substantial costs many healthcare organizations will incur to meet the new requirements for safeguarding electronically transmitted personal health information. HHS received roughly 52,000 comments during the comment period for the proposed rule, which was issued November 3, 1999. The sheer volume of comments caused HHS to delay publication of the final rule, which at press time was anticipated to occur before year-end 2000.
Given the extent of concern about the proposed standards, HHS may make some modifications to them before issuing the final rule. Nonetheless, the final rule is not likely to differ drastically from the proposed rule, and the final standards are certain to have a profound impact on the healthcare industry. Healthcare financial managers therefore should begin immediately to prepare for implementation of the final standards. They should familiarize themselves with the issues to ease the complex planning process that will be necessary to ensure compliance with the new privacy standards.
The HIPAA Standards
In general, the proposed HIPAA privacy standards were designed to accomplish three broad objectives:
- Define and limit the circumstances in which entities that are subject to the standards (covered entities) may use and disclose protected health information;
- Establish certain individual rights regarding protected health information; and
- Require covered entities to adopt administrative safeguards to protect the confidentiality and privacy of protected health information.
As currently proposed, the HIPAA privacy standards would prohibit all covered entities from using or disclosing "individually identifiable health information" that is or has been transmitted or maintained electronically, except in certain circumstances. Unlike many medical records statutes, this requirement would not be limited to the record in which the information appears, but rather would apply to the information itself. Thus, any information that has been transmitted by fax, telephone, computer, electronic handheld device, or any other electronic means would be protected by the HIPAA standards thereafter in whatever form it might appear, including oral communications.
"Individually identifiable health information" refers to information that is created by or received from a healthcare provider, health plan, employer, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual who is either identified directly or could reasonably be identified using the information.
"Covered entities" include healthcare providers, health plans, and healthcare clearinghouses. "Healthcare provider" refers to any provider of healthcare services as defined in relevant Medicare provisions and to any other person or organization that furnishes, bills, or is paid for healthcare services or supplies in the normal course of business. "Health plan" is defined broadly to include any individual or group plan that provides or pays the cost of medical care. "Healthcare clearinghouse" is defined as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. Billing companies are considered to be healthcare clearinghouses.
The proposed regulations also affect business partners of covered entities. A "business partner" is a person (or other entity) to whom the covered entity discloses protected health information to enable that person to carry out or assist with the performance of a function for the covered entity, or perform the function on behalf of the covered entity. Examples of business partners include independent contractors or other persons or entities receiving information for the purposes noted above, including lawyers, accountants, auditors, consultants, billing firms, and other covered entities.
The proposed rule specifies that covered entities may not disclose protected health information to business partners without "satisfactory assurances" that the business partner complies with relevant standards. Satisfactory assurances include certain contractual language that must be included in all contracts between the covered entities and business partners. Accordingly, covered entities would need to consider HIPAA provisions when drafting contracts with independent contractors.
Covered entities also would be required to take "reasonable steps" to ensure business partners are in compliance with the proposed regulations. Such steps are important, as a covered entity would be liable for the misdeeds of a business partner if it knew or should have known of those misdeeds. Although HIPAA only authorized HHS to regulate healthcare providers, health plans, and healthcare clearinghouses, by requiring covered entities to be responsible for compliance of their business partners, HHS effectively extended the requirement of privacy protection to entities that it was not authorized to regulate.
Penalties for Noncompliance
The proposal does not allow for a private cause of action to be taken directly; rather, aggrieved persons would be able to lodge a complaint with the covered entity and with HHS. If the complaint were made to HHS, the agency would have discretion to make a formal finding of noncompliance and use it as a basis either to initiate an action under HIPAA or to refer the matter to the Department of Justice for prosecution under HIPAA.
Under the proposed rule, noncompliance with the HIPAA privacy standards could be punishable by civil fines of up to $25,000 per calendar year for each violation and criminal penalties that would increase in severity based on intent (e.g., whether the entity intended to sell the information or reap personal gain from the disclosure) and that could include a fine of up to $250,000 or a 10-year prison term, or both.
- DeMuro, Paul & Andrew Gantt; HIPAA privacy standards raise complex implementation issues; Healthcare Financial Management; Jan 2001; Vol. 55; Issue 1.
The article above contains foundational information. Articles below contain optional updates.
Reflection Exercise #2
The preceding section contained information about the HIPAA privacy standards raising complex implementation issues. Write three case study examples regarding how you might use the content of this section in your practice.
Ethics CEUs QUESTION 6
According to DeMuro, how did HIPAA extend the requirement of privacy protection to entities that it was not authorized to regulate?
Record the letter of the correct answer the