• Coverage of Providers

All Medicare providers and "any other person or organization who furnishes, bills or is paid for health care services or supplies in the normal course of business."

  • What of your information is covered?

"Individually identifiable health information" that "is or has been electronically transmitted or maintained by a covered entity." This information has a new term of art under the proposed rule. It is: "protected health information" — "PHI."

It is electronically transmitted if it goes by internet, extranet, leased lines, dial-up lines, telephone voice response, private networks, fax back etc.

It is electronically maintained if it is stored by a computer or on any electronic medium such as magnetic tape or disk, optical disk, etc.

Note: the "progeny" of electronic information is also covered — it does not lose its protection simply if it has been printed out of the computer.

  • What does the rule mean by "health information?"

It is created by or received by the provider and relates:
to an individual's past, present or future physical or mental health;
or to the provision of health care to an individual;
or to past, present or future payment for health care.

  • When is such information "individually identifiable?"

If it identifies the individual or

if there is a reasonable basis to believe that the information can be used to identify the Individual

  • Can it be "de-identified?"

Yes but?... there is an extremely rigorous standard to satisfy for it to be presumed to be de-identified. The following identifiers have to be removed or concealed:

Name
Address
Names of relatives
Birth date
Telephone numbers
Fax numbers
E-mail address
Social security number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or license number
Web Universal Resource Locator
Internet Protocol Address number
Finger or voice prints
Photographic images
Any other unique number, characteristic, code

And the provider must have no reason to believe that any anticipated recipient of the information could use the information alone, or in combination with other information, to identify the individual!!!!
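The two halves of the standard above, dropping the listed identifier categories and then checking whether anything that could still identify the individual survives in free text, are illustrated by this added example (not from the memo; the field names, the regular expressions and the sample record are constructed for illustration):

```python
import re
from typing import Any

# Structured fields corresponding to the rule's identifier categories.
# Field names are assumed for this example, not taken from the rule.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "relative_names", "birth_date", "telephone",
    "fax", "email", "ssn", "medical_record_number", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "url", "ip_address",
    "biometric_id", "photo",
}

# Identifiers that hide inside free text (notes, comments), where the
# field name alone gives no warning. Patterns are illustrative only.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

def de_identify(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (stripped_record, findings).

    Findings list every field dropped and every in-text redaction, so the
    designated reviewer can judge whether the remaining data still gives a
    'reasonable basis' to identify the individual (the rule's second test,
    which no automated pass can settle on its own)."""
    findings: list[str] = []
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"dropped field {key}")
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value, n = pattern.subn(f"[{label} redacted]", value)
                if n:
                    findings.append(f"redacted {n} {label} in {key}")
        out[key] = value
    return out, findings

# Constructed sample record: the note field carries identifiers in free text.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "diagnosis": "asthma",
    "note": "Patient called from 555-123-4567; email jane@example.com",
}
```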

  • BASIC RULE: PHI must not be USED or DISCLOSED except as authorized by the patient or as permitted by this regulation or federal or state law. Any use or disclosure pursuant to the regulation must be consistent with the regulation's "minimum necessary standard."

A provider uses PHI when it employs it, applies it, examines it, utilizes it, or analyzes it. A provider discloses PHI when it releases it, transfers it, provides access to it, or divulges it in any manner outside itself.

  • How sweeping is the "minimum necessary" standard?

Very... a provider is required to make "all reasonable efforts" not to use or disclose more than the amount of PHI necessary to accomplish the intended purpose of the use or disclosure.

The determination is supposed to be made by a designated person, within the limits of technological capability, on an individual basis.

  • Assuming compliance with the "minimum necessary standard," what disclosures can be made without an individual authorization?

Use or disclosure can occur for:

treatment (provision of care, coordination of care, risk assessment, case management, disease management, referrals)

payment (determinations of coverage, improving methods of paying, adjudication of claims, risk adjustment, billing, medical data processing, UM activities) or

health care operations (QA, QI, reviewing competence and qualifications of professionals, training students, accreditation, licensing, credentialing, insurance rating, fraud and abuse detection)

If the provider tells the patient what use or disclosure will occur and the patient has an opportunity to object to individual uses.

  • Must the provider honor the request for restriction of use of PHI for treatment, payment or health care operations?

No.

  • Are there other allowable disclosures without individual authorization?

Yes, for:

Public health
Oversight of the health care system
Research
To state health data systems
Court proceedings
Law enforcement
Emergencies
Directory information
Financial institutions
As other law requires

Specific conditions must be met under each of the preceding categories.

  • If the provider is not disclosing to another provider for a referral, what rules apply?

That receiving entity is a business partner, and the provider must not make the disclosure without receiving satisfactory assurance that the business partner will abide by the requirements of HIPAA privacy?....

Satisfactory assurance means a contract binding the entity to the requirements of the rule, requiring it to report to the provider, bind its subcontractors, allow the Secretary to inspect books and records, and allow the provider to terminate because of material breach of the privacy provisions.

The contract must also make the provider's patients third party beneficiaries of the agreement.

  • If individual authorization is sought by the provider, what are the requirements?

The information must be identified specifically as well as the name of the persons to whom disclosure would be made and an expiration date. The individual must have the right to inspect the information and to refuse to sign the authorization. Moreover, the provider must disclose if financial gain will result to it from the use or disclosure. These authorizations must also be revocable.

  • What other individual rights are created?

The individual has the right to inspect and copy his/her PHI. He can also request amendment or correction of information. Moreover, he gets to see an accounting of disclosure of his PHI (only in other than treatment, payment or health care operation situations?)

  • What other administrative procedures will providers have to put in place?

Providers are to have policies and procedures for handling PHI, including how it will be used within the institution and to whom it will be disclosed. The proposed rule expects providers to designate a privacy official, train their work forces on confidentiality and security, implement safeguards against accidental or intentional misuse, provide a complaint mechanism, and impose sanctions on workforce and business partners that violate the provider's policies.

  • Does HIPAA privacy preempt state law?

Only if the state law is less stringent than HIPAA. Thus, if either a state law or HIPAA forbids a disclosure, it cannot occur.


Please feel free to contact Mark Lutes at 202/861-1824 in the firm's Washington, D.C. office if you have any questions or comments. Mr. Lutes' e-mail address is mlutes@ebglaw.com.

This publication is provided by Epstein Becker & Green, P.C. for general information purposes; it is not and should not be used as a substitute for legal advice.
