HIPAA’s Privacy Regulation Readying for Compliance Providers Digging Down to Another Level

HIPAA's Privacy Regulation Readying for Compliance — Providers Digging Down to Another Level

Mark Lutes

  • Coverage of Providers
All Medicare providers and "any other person or organization who furnishes, bills or is paid for health care services or supplies in the normal course of business."
  • What of your information is covered?
"Individually identifiable health information" that "is or has been electronically transmitted or maintained by a covered entity." This information has a new term of art under the proposed rule. It is: "protected health information" — "PHI."

It is electronically transmitted if it goes by internet, extranet, leased lines, dial-up lines, telephone voice response, private networks, fax back etc.

It is electronically maintained if it is stored by a computer or on any electronic medium such a magnetic tape or disk, optical disk, etc.

Note: the "progeny" of electronic information is also covered — it does not lose its protection simply if it has been printed out of the computer.

  • What does the rule mean by "health information?"
It is created by or received by the provider and relates:
to an individual's past, present or future physical or mental health;
or to the provision of health care to an individual;
or to past, present or future payment for health care.
  • When is such information "individually identifiable?"
If it identifies the individual or

if there is a reasonable basis to believe that the information can be used to identify the Individual
  • Can it be "de-identified?"
Yes but?... there is an extremely rigorous standard to satisfy for it to be presumed to be de-identified. The following identifiers have to be removed or concealed:
Name   health plan beneficiary number
Address account number
Names of relatives certificate/license number
Birth date any vehicle or license number
Telephone numbers Web Universal Resource Locator
Fax numbers Internet Protocol Address number
e-mail address Finger of voice prints
social security number photographic images
medical record number any other unique number, characteristic, code

And the provider must have no reason to believe that any anticipated recipient of the information could use the information alone, or in combination with other information, to identify the individual!!!!

  • BASIC RULE: PHI must not be USED or DISCLOSED except as authorized by the patient or as permitted by this regulation or federal or state law. Any use of disclosure pursuant to the regulation must be consistent with the regulation's "minimum necessary standard."
A provider uses PHI when it employs it, applies it, examines it, utilizes it, or analyzes it. A provider discloses PHI when it releases it, transfers it, provides access to it, or divulges it in any manner outside itself.
  • How sweeping is the "minimum necessary" standard?
Very... a provider is required to make "all reasonable efforts" not to use or disclose more than the amount of PHI necessary to accomplish the intended purpose of the use or disclosure.

The determination is supposed to be made by a designated person, within the limits of technological capability, on an individual basis.

  • Assuming compliance with the "minimum necessary standard," what disclosures can be made without an individual authorization?
Use or disclosure can occur for:

    treatment (provision of care, coordination of care, risk assessment, case management, disease management, referrals)

    payment (determinations of coverage, improving methods of paying, adjudication of claims, risk adjustment, billing, medical data processing, UM activities) or

    health care operations (QA,QI, reviewing competence and qualifications of professionals, trainingstudents, accreditation, licensing, credentialing, insurance rating, fraud and abuse detection)

If the provider tells the patient what use or disclosure will occur and the patient has an opportunity to object to individual uses.
  • Must the provider honor the request for restriction of use of PHI for treatment, payment or health care operations?
  • Are there other allowable disclosures without individual authorization?
Yes, for:
Public health oversight of health care system
Research to state health data systems
Court proceedings law enforcement
Emergencies directory information
Financial institutions as other law requires

Specific conditions must be met under each of the proceeding categories.

  • If the provider is not disclosing to another provider for a referral, what rules apply?
That receiving entity is a business partner and the provider must not make the disclosure without receiving satisfactory assurance that the business partner will abide the requirement of HIPAA privacy?....

Satisfactory assurance means a contract binding the entity to the requirements of the rule, requiring it to report to the provider, bind its subcontractors, allow the Secretary to inspect books and records, and allow the provider to terminate because of material breach of the privacy provisions.

The contract must also make the provider's patients third party beneficiaries of the agreement.
  • If individual authorization is sought by the provider, what are the requirements?
The information must be identified specifically as well as the name of the persons to whom disclosure would be made and an expiration date. The individual must have the right to inspect the information and to refuse to sign the authorization. Moreover, the provider must disclose if financial gain will result to it from the use or disclosure. These authorizations must also be revocable.
  • What other individual rights are created?

    The individual has the right to inspect and copy his/her PHI. He can also request amendment or correction of information. Moreover, he gets to see an accounting of disclosure of his PHI (only in other than treatment, payment or health care operation situations?)
  • What other administrative procedures will providers have to put in place?

    Providers are to have policies and procedures for handling PHI, including how it will be used within the institution and to whom it will be disclosed.

    The proposed rule expects providers to designate a privacy official, train their work forces on confidentiality and security, implement safeguards against accidental or intentional misuse, provider a complaint mechanism, and impose sanctions on workforce and business partners that violate the provider's policies.

  • Does HIPAA privacy preempt state law?

    Only if the state law is less stringent that HIPAA. Thus, if either a state law or HIPAA forbids a disclosure, it cannot occur.

Please feel free to contact Mark Lutes at 202/861-1824 in the firm's Washington, D.C. office if you have any questions or comments. Mr. Lutes e-mail address is [email protected].

This publication is provided by Epstein Becker & Green, P.C. for general information purposes; it is not and should not be used as a substitute for legal advice.