Navigating the New Maze of Health Care Privacy Regulations

Health care insurers, providers, suppliers and others are now challenged to understand and comply with privacy rules promulgated by multiple regulators. Here we equip health care companies to recognize varied national approaches, understand the important new U.S. regulations which are effective in 2001 and to recognize certain globally repetitive themes around which the companies can build compliance programs.

The European Union privacy rules, the Directive on Data Protection, became effective in 1998. The Directive, unlike the US approach, applies to all business sectors. However, the Directive has been observed to be comprehensive in its scope but lacking in detail. Compliance is also complicated by national implementation and enforcement of the Directive's principles. Health care businesses should note that such implementation has, to date, been inconsistent across the EU. For instance, neither France nor Germany has implemented a new national privacy rule and businesses there operate under pre-Directive law interpreted in light of the Directive. For global companies, tracking the roll-out of the principles in national legislation will be a continuing challenge.

The approach in EU countries is often to require registration with the data protection authority prior to the collection of personal data. Such an approach has been rejected by Canada, Australia, Japan and others. On the other hand, privacy legislation in these three countries often incorporates EU-type principles around notice, choice and the individual's right to access the data and correct inaccuracies. The national laws also embody such principles as "opt-in" as to the disclosure of health data, "opt-out" as to the disclosure of other personal data, as well as data security.

Article 25 of the EU Directive has been especially controversial. Article 25 requires that companies transfer personal data to non-EU countries only where such countries provide an "adequate" level of privacy protection or an Article 26 exception applies. The EU has not found the US to provide such adequate protection. Article 26 exceptions include transfers supported by unambiguous consent and transfers necessary to perform a contract with a person (similar to an exception in the US GLBA rules discussed below). Article 26 also permits transfers where the recipient has agreed to contractual safeguards -- an approach followed by many global companies. Nevertheless the onerous nature of the model privacy contract clauses discourage some from using this route for compliance.

Other companies receiving personal data from the EU seek to fall within certain Safe Harbor Principles issued by the US Department of Commerce last July. The Safe Harbor is not a safe haven from EU national rules. However, it may gain some legitimacy as a basis from which to assert compliance with the principles enunciated in various national schemes.

Safe Harbor elements include: notice (inform individuals about purpose of data collection and its use, means to limit disclosure): choice (opt-in to sensitive information disclosure for purposes other than for what it was collected, opt-out right as to other disclosures), on-ward transfer (consistent with notice and choice and, where to service providers, subject to written agreement binding the provider to same principles); security, and data integrity.

This Spring the US is catching up to the rest of the world in privacy regulation -- at least in the health care sector. Health care insurers, providers and claims clearing houses are now subject to federal privacy rules promulgated to accompany the administrative simplification provisions of the Health Insurance Portability and Accountability Act ("HIPAA"). While these rules recently became effective the relevant enforcement agency (the Office of Civil Rights in the Department of Health and Human Services) will give covered entities a full two years to come into compliance. Even now though, HIPAA principles will be best practices in the industry and perhaps a new standard of care for tort liability purposes.

In July of this year, health insurers will generally become subject to a set of federally inspired but state implemented privacy regulation (a system not unlike the EU directive with national implementation), The Gramm Leach Bliley (GLB") financial institution modernization legislation, sets privacy standards for a range of financial institutions. Health insurers are considered to be financial institutions for GLB purposes but the implementing detail will come from state statutes and regulation.

Most states will be adopting a form of the model regulation put forth by the National Association of Insurance Commissioners. If they do, the states will require the publication of an annual privacy statement. Where the insurer discloses private data to third parties outside the context of one or more exemptions (including one applicable to disclosures which are necessary to process the transaction), it must also offer a pretransaction "initial" privacy statement accompanied by an opt-out offer.

Again, those same health insurers, as well as providers who send transaction electronically, have obligations under the new HIPAA privacy regulation. HIPAA requires that no disclosure, without authorization, be made outside the context of public health and other public policy type situations unless it is in the context of the treatment, payment or health care operations. The required elements of the authorization are spelled out in great detail in the regulation. This is typical of the nature of this regulation which is well over one hundred pages long and includes an interpretative preamble in excess of 1,000 pages. Thus global health businesses can expect very detailed privacy regulation in the US.

Other HIPAA concepts include the business associate agreement--a concept with analogues in a variety of national privacy regimes. The HIPAA business associate is any entity providing services to a covered entity. The covered entity is responsible for securing the adherence of the business associate to HIPAA privacy norms. Thus, business associate contracts will bring many global health care companies under the HIPAA tent.

HIPAA's privacy regulation is also remarkable for its concept of minimum necessary disclosures and uses. The principle has an analogue in the EU Directive. However, if not watered down by subsequent administrative interpretation, the documentation of the implementation of this principle will require considerable effort by covered entities.

HIPAA also calls for covered entities to appoint privacy officers, to track certain non-exempt disclosures and to train employees. Individuals acquire rights to view and amend "designated record sets" pertaining to them. Finally, HIPAA puts new limitations on the ability of the employer welfare benefit plan (or an insurer of such benefits) to transmit information to the employer/sponsor of the benefit plan and prohibits the sponsor's use of such information for employment decisions.

While HIPAA and GLB are the latest regulations they are not the exclusive sources of privacy regulation affecting health care entities in the US. There are privacy laws in each of the 50 states affecting various health care companies. For instance, a number of states have insurance information privacy statutes. The privacy aspects of traditional medical records statutes and professional licensure rules can also affect company operations. Finally, states will frequently have privacy rules specific to certain test results (e.g., genetic tests) and information concerning certain condition or disease states (mental health information, alcohol or drug abuse information, and HIV/AIDs).

The proliferation of privacy regulations will continue to challenge global health companies. On the other hand, these regulations do exhibit common themes from which health care companies can deduce global best practices. Those best practices, when implemented, can also become the foundation for health care entities' privacy compliance program.

Please feel free to contact Mark E. Lutes at 202/861-1824 in the firm's Washington, D.C. office if you have any questions or comments. Mr. Lutes' e-mail address is [email protected].

This publication is provided by Epstein Becker & Green, P.C. for general information purposes; it is not and should not be used as a substitute for legal advice.