The first time that health care providers encounter the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the incredibly vast framework of privacy and security regulations may very well appear completely overwhelming. This is especially true when the question at issue – whether it is from a litigation or compliance perspective – is particularly narrow in scope. For the initiated and uninitiated alike, it is fairly easy to get lost in the morass of cross-referenced sub-parts that any given legal question implicates.
Through its privacy and security requirements, HIPAA impacts not only the medical community, but all individuals and industries that come into contact with the medical community. The implementation of HIPAA requires the development of new policies and procedures addressing the use and disclosure of medical information, as well as the appropriate utilization of available technology. Equally important, as HIPAA has become more and more pervasive, compliance with the privacy and security regulations has necessarily involved attitudinal changes by everyone associated with the health care industry. HIPAA directly impacts the manner in which patients, providers, and payors interact with each other.
What Information is Protected by HIPAA?
The HIPAA Privacy Rule covers all uses or disclosures of "Protected Health Information" ("PHI") whether in paper, electronic, or oral form. PHI has many characteristics that make it somewhat easy to spot. Whether a malpractice attorney is attempting to acquire the medical records of a plaintiff, or a transactional attorney is assisting with due diligence in connection to the sale of a clinic, it is imperative that PHI is treated appropriately. Being able to recognize PHI is the first step. PHI has the following characteristics:
• It is created or received by a Covered Entity (as defined below);
• It relates to an individual's past, present, or future physical or mental health or condition, or to payment for health care (this includes "payment" information); and
• It identifies or can be used to identify a specific individual.
The following are illustrative examples of information that are considered "patient identifiers":
• Name, name of employer, names of relatives;
• Social security number, plan beneficiary number;
• Fax number, telephone number;
• Address, email address;
• Birth date, fingerprint, picture;
• Internet Protocol (IP) address, web site URL; and
• Vehicle license number.
Generally speaking, PHI may be used or disclosed without first acquiring the patient's consent only in very limited circumstances. Other than allowing disclosure to the individual whom the PHI describes, the Privacy Rule generally allows disclosure of PHI without the patient's consent for the purposes of treatment, payment, or health care operations. Additionally, there are certain situations, such as in response to a court order or a subpoena (so long as certain additional requirements are met), where PHI may be disclosed without the patient's consent. In most other situations, a patient must provide consent before his PHI can be used or disclosed.
To that end, each individual maintains six basic privacy rights. An individual has the right to:
• Receive a Covered Entity's Notice of Privacy Practices;
• Request restrictions of certain uses of PHI (although Covered Entities are not required to grant such restrictions);
• Be given access to the individual's own PHI;
• Request that an amendment or correction be made to his PHI;
• Request an accounting of PHI disclosures; and
• File complaints regarding PHI use or disclosure.
Additionally, a Covered Entity's use or disclosure of PHI (other than for "treatment, payment, or operations," or with consent) must be limited to the "minimum necessary" extent. This minimum necessary standard essentially requires a provider to consider what minimum amount of PHI will meet the purpose of the disclosure. Furthermore, once a Covered Entity agrees to a restriction regarding the use or disclosure of an individual's PHI, this restriction must be honored.
Likewise, use and disclosure of PHI must be consistent with a Covered Entity's Notice of Privacy Practices. When the exchange of health information is deemed necessary, but the value of the information does not lie in its personally identifiable aspect, PHI is often "de-identified." PHI can be freely used to create de-identified data, and no restrictions are placed on the use and disclosure of the resulting de-identified data.
To Whom does HIPAA Apply?
Although HIPAA appears to be extremely pervasive, it maintains authority over only certain types of entities. HIPAA specifically applies only to "Covered Entities." Generally, a Covered Entity is one of the following:
• Health care provider. This includes any person or entity that (a) furnishes, bills, or is paid for health care; and (b) uses electronic means to transmit any of the following: health claims, remittance or payment advice, or any of the other electronic transactions included in HIPAA.
• Health plan. This includes any organization or entity that provides or pays the cost of medical care, including Medicare and Medicaid, HMOs, or PPOs.
• Health care clearinghouse. These are organizations that process data elements or transactions.
Most of the time, HIPAA questions will involve the activities of, or information held by, either a provider or a plan. Because providers and plans must utilize the services of many different entities, it was necessary to find a way to extend the protections afforded by HIPAA to situations where these essential non-Covered Entities are handling or creating PHI.
These non-Covered Entities that play such a critical role in the health care arena are termed "Business Associates." Examples of common Business Associates are billing firms, accreditation organizations, document destruction contractors, lawyers, and third-party administrators.
Importantly, a Business Associate relationship is formed contractually. When a Covered Entity engages another person or entity to perform a function on behalf of the Covered Entity that requires the disclosure of PHI to, or the creation of new PHI by, that person or entity, it is imperative that the Covered Entity require that person or entity to sign a contract called a "Business Associates Agreement" (often referred to as a BAA). The BAA extends the requirements of HIPAA to the Business Associate and requires the Business Associate to be aware of its responsibilities under HIPAA. Furthermore, a Covered Entity that does not require Business Associates to sign a BAA is itself in violation of HIPAA.
SEE PART II
Any questions or comments should be directed to: firstname.lastname@example.org. Tracy Green is a principal at Green and Associates. They focus their practice on the representation of professionals, particularly health care professionals including individual physicians, corporate providers and group practices. Their website is: http://www.greenassoc.com/