
HIPAA's Medical Privacy Standards: The Long and Really Winding Road. Michael D. Bell, Esq., Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C., Washington, D.C., (202) 434-7481, [email protected]

Upload: pearl-mitchell

Post on 31-Dec-2015


  • HIPAA's Medical Privacy Standards:

    The Long and Really Winding Road

    Michael D. Bell, Esq., Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C., Washington, D.C., (202) 434-7481, [email protected]

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA): The Road to Privacy

  • The Multiple Components of HIPAA

  • Components of Administrative Simplification (diagram)
    - National Standard Provider Identifier
    - Security Standards
    - Electronic Signature Standards
    - Administrative Simplification

  • Standards for Electronic Transactions

  • Standards, Transactions and Code Sets
    - In December 2001, Congress extended the deadline for the transaction set rule
    - New deadline is October 16, 2003
    - Entities that want an extension must submit a detailed plan for compliance to HHS
    - No effect on deadline for Privacy Regulation

  • ASCA
    - On December 27, 2001, President Bush signed into law the Administrative Simplification Compliance Act. By October 16, 2002, covered entities must either:
      - be in compliance with the Standards for Electronic Transactions and Code Sets; or
      - submit a summary plan to the Secretary of Health and Human Services describing how the covered entity will come into full compliance with the standards by October 16, 2003.
    - No effect on deadline for Privacy Regulation

  • ASCA
    - HHS recently issued a model form that covered entities must complete in order to obtain the one-year compliance extension
    - Multiple related covered entities that are operating under a single implementation plan are permitted to submit one form
    - Forms are due by 10-15-02
    - http://www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp

  • Privacy Regulation
    - Final regulation became effective April 14, 2001, and providers have 2 years from that date to be in compliance
    - HHS issued its first set of implementation guidance in July 2001
    - Major revision issued March 27, 2002, 67 Fed. Reg. 14776

  • Privacy Regulation: GOALS
    - Give consumers control over their health information
    - Regulate the use, disclosure and receipt of an individual's health information
    - Ensure security of personal health information
    - Establish accountability for health information use and release

  • Privacy Regulation: COMPLIANCE DATE
    - Covered entities must be in compliance with the rule by April 14, 2003
    - March 2002 Proposal would extend Business Associate requirements for a year, under certain circumstances

  • March 2002 Proposed Changes
    - In March 2002 HHS issued proposed changes to the Privacy Regulation
    - Extensive and far-reaching changes
    - Generally well-received by the health care community
    - Comments due by April 26th
    - Does not affect compliance date

  • March 2002 Proposed Changes
    - Consent becomes optional
    - Good faith effort to obtain acknowledgement of Notice of Privacy Practices
    - Simplifies Minimum Necessary requirements
    - Delays compliance of Business Associate contracts until modification or renewal

  • March 2002 Proposed Changes
    - Simplifies marketing requirements
    - Eases restrictions on research uses
    - Greater rights to parents with respect to their children
    - New standards for de-identification

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Scope of the Privacy Regulation

  • In a Nutshell
    - The Privacy Regulations govern a covered entity's use and disclosure of protected health information and grant individuals certain rights with respect to their protected health information.
    - HIPAA sets the floor, not the ceiling: more stringent state laws are not preempted.

  • Who is covered?
    - Covered entities:
      - health plans;
      - health care clearinghouses; and
      - providers that transmit health information in electronic form in connection with a HIPAA standardized transaction
    - Also reaches the Business Associates of the covered entity

  • Organizational Structures
    - A hybrid entity means a single legal entity that performs both covered and non-covered functions.
    - Affiliated Covered Entities: the rules permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity
    - Organized health care arrangements are arrangements involving clinical and/or operational integration among legally separate covered entities

  • Hybrid Entity: March 2002 Proposed Changes
    - In the March 2002 Proposal, HHS eliminates the "primary purpose" requirement, permitting any covered entity whose business activities include both covered and non-covered functions to designate itself as a hybrid entity.

  • Protected Health Information (PHI)
    - All individually identifiable health information that is transmitted or maintained in any form or medium.

  • Individually Identifiable Health Information
    - Created or received by a covered entity or employer; and
    - Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual; and which:
      - Identifies the individual; or
      - Offers a reasonable basis for identification of the individual

  • De-Identification
    - PHI does not include information that has been de-identified:
      - specified list of identifiers removed; or
      - determination by statistical expert that risk of identification is very small
    - Covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified if:
      - code not derived from or related to information otherwise capable of identifying the individual; and
      - covered entity does not use/disclose the code for any other purpose or disclose the mechanism for re-identification

  • De-Identification: March 2002 Proposed Changes
    - March 2002 Proposal requests comment on an alternative approach to de-identification
    - Permits disclosure of a "limited data set" that includes certain identifiers
    - Disclosure only for research, public health, and health care operations
    - Recipients of data would have to agree to limit its use

  • De-Identification: March 2002 Proposed Changes: Limited Data Set
    - Admission, discharge and service dates
    - Date of death
    - Age
    - Five-digit zip code
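The following is an added example, not part of the presentation, showing in code the three data-handling rules the de-identification slides describe: stripping an identifier list, attaching a re-identification code that is random rather than derived from identifying data and is kept in a mapping the recipient never receives, and releasing a limited data set only for the permitted purposes and only against a use agreement. The field names, sample records and the identifier list are constructed for illustration (the identifier list is an assumption, not the regulation's enumerated list).

```python
"""Added example (not from the slide deck): de-identification, a random
re-identification code, and a limited data set as the slides describe them.
Field names, sample records and the identifier list are constructed for
illustration; the identifier list is an assumption, not the regulation's list."""
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Assumed direct identifiers for the demo (illustrative, not the regulatory list).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street"}
# Fields the March 2002 limited-data-set slide lists as retainable; these are
# identifiers that full de-identification removes but a limited data set keeps.
LIMITED_DATA_SET_KEEP = {"admit_date", "discharge_date", "service_date",
                         "date_of_death", "age", "zip5"}
# Purposes the slide permits for disclosure of a limited data set.
LIMITED_DATA_SET_PURPOSES = {"research", "public health", "health care operations"}

# Constructed sample records (fictitious people, constructed values).
SAMPLE_RECORDS: List[Record] = [
    {"mrn": "MRN-0001", "name": "Pat Example", "ssn": "000-00-0001",
     "phone": "555-0100", "email": "pat@example.invalid", "street": "1 Demo St",
     "zip5": "20005", "age": 47, "admit_date": "2002-03-01",
     "discharge_date": "2002-03-04", "service_date": "2002-03-02",
     "date_of_death": None, "diagnosis": "J18.9", "procedure": "chest x-ray"},
    {"mrn": "MRN-0002", "name": "Sam Sample", "ssn": "000-00-0002",
     "phone": "555-0101", "email": "sam@example.invalid", "street": "2 Demo St",
     "zip5": "20036", "age": 63, "admit_date": "2002-02-10",
     "discharge_date": "2002-02-15", "service_date": "2002-02-11",
     "date_of_death": None, "diagnosis": "I10", "procedure": "ECG"},
]


def new_reidentification_code() -> str:
    """Random code for optional re-identification.  The slides require that the
    code is NOT derived from or related to identifying information, so a hash
    of the SSN or MRN would not qualify; a random token does, because nothing
    about the person can be recovered from it without the private mapping."""
    return secrets.token_hex(8)


def de_identify(records: List[Record]) -> Tuple[List[Record], Dict[str, str]]:
    """Remove identifiers (direct ones plus the date/age/zip fields) and attach a
    random code.  Returns the releasable records and the covered entity's
    private code -> MRN mapping, which is never disclosed with the data."""
    released: List[Record] = []
    reid_map: Dict[str, str] = {}
    for rec in records:
        code = new_reidentification_code()
        reid_map[code] = str(rec["mrn"])
        kept = {k: v for k, v in rec.items()
                if k not in DIRECT_IDENTIFIERS and k not in LIMITED_DATA_SET_KEEP}
        kept["reid_code"] = code
        released.append(kept)
    return released, reid_map


def reidentify(code: str, reid_map: Dict[str, str]) -> str:
    """Only the covered entity, which holds the mapping, can go from code to MRN."""
    return reid_map[code]


def contains_no_identifiers(records: List[Record]) -> bool:
    """Release check: no direct identifier or limited-data-set field survived."""
    banned = DIRECT_IDENTIFIERS | LIMITED_DATA_SET_KEEP
    return all(banned.isdisjoint(rec) for rec in records)


def limited_data_set(records: List[Record], purpose: str,
                     data_use_agreement_signed: bool) -> List[Record]:
    """Strip direct identifiers but keep dates, age and five-digit zip.  The
    slides allow this only for research, public health or health care
    operations, and only if the recipient agrees to limit its use."""
    if purpose not in LIMITED_DATA_SET_PURPOSES:
        raise ValueError(f"limited data set not permitted for purpose: {purpose}")
    if not data_use_agreement_signed:
        raise ValueError("recipient must agree to limit use before release")
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]
```

The release check is the control a reviewer would run before any extract leaves the covered entity; the mapping returned by de_identify stays with the covered entity, which is what keeps the code from being a disclosed re-identification mechanism.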

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Key Concepts

  • Uses and Disclosures of PHI
    - 4 types of Permissions:
      - Consent
      - Oral agreement
      - None required
      - Authorization

  • Consent
    - Direct health care providers must obtain consent from an individual before using or disclosing PHI for treatment, payment, or health care operations
    - Once a consent is obtained, it may be used forever unless it is revoked in writing by the individual who gave it.
    - In most circumstances, if the patient refuses to give consent for TPO, the provider may refuse to treat the patient

  • Consent: Under the March 2002 Proposal
    - Consent not required for TPO, although providers have the option of obtaining it
    - Providers with a direct treatment relationship are required to make a good faith effort to obtain written acknowledgement of receipt of Notice
    - Covered entity can disclose PHI to another entity for payment activities and some health care operations of the other entity, without consent

  • Authorizations
    - If not otherwise permitted by the regulation, an authorization must be obtained, e.g., certain marketing activities, research, employment determinations, fund raising, psychotherapy notes
    - Must be written in plain language and contain specific elements
    - Only valid until the date/event specified, or until it is revoked in writing by the patient

  • Authorizations: Under the March 2002 Proposal
    - Requires all authorizations to contain certain core elements
    - Where the individual that is the subject of the PHI initiates authorization for his own purposes, he does not have to reveal purpose
    - Only marketing authorizations have to disclose any remuneration that may result

  • Authorizations: Under the March 2002 Proposal
    - All authorizations must contain statements regarding the following:
      - The right to revoke and process for doing so
      - Treatment, payment, enrollment, eligibility for benefits not conditioned on authorization
      - Where conditioning is permissible, statement regarding the consequences
      - The potential for re-disclosure by recipient

  • Research
    - Research has same definition as in the Common Rule
    - Covered entities may use/disclose PHI for research if they:
      - Obtain patient authorization;
      - Obtain documentation of an IRB or Privacy Board approval of a waiver of authorization; or
      - Obtain from the researcher representations that the use/disclosure is sought solely to review PHI as necessary to prepare a research protocol, no PHI will be removed from the covered entity in the course of the review, and PHI is necessary for the research purposes

  • Research: Under the March 2002 Proposal
    - Criteria for waiver made more consistent with requirements of Common Rule
    - Simplify research authorizations:
      - Permit "end of research" or "none" for expiration date
      - Eliminate special authorization for research involving treatment
    - Permits research authorization to be combined with other legal documents related to the research

  • Minimum Necessary
    - When using, disclosing or requesting PHI, a covered entity must limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request, except when:
      - Disclosing for purposes of treatment
      - Uses or disclosures made to the individual
      - Disclosures made to HHS
      - Uses or disclosures required by law

  • Minimum Necessary: Under the March 2002 Proposal
    - Permits incidental uses and disclosures, so long as reasonable safeguards are in place
    - Exempts from minimum necessary rule any uses or disclosures where entity has valid authorization
    - Makes requirements applicable to requests for PHI more consistent with those applicable to disclosures of PHI

  • Business Associates
    - Business associates (BA) are defined as persons, other than workforce members, who perform or assist in the performance of a function on behalf of, or provide services to, a covered entity, and such function or service involves the use or disclosure of PHI.

  • Business Associates
    - It is important to note that the BA relationship does not describe all relationships between covered entities and other persons or organizations
    - BA contracts are only required where/when the covered entity is disclosing PHI to someone or some organization that will use the info on behalf of the covered entity
    - BA requirements do not apply to covered entities who disclose PHI to providers for treatment purposes (i.e., hospital and physician; laboratory and physician)

  • Business Associates
    - If the covered entity becomes aware of a violation of the rule by a business associate and fails to act in response, it can be PENALIZED.
    - The fact that the business associate is performing the functions on behalf of the covered entity DOES NOT insulate the covered entity from enforcement.

  • Business Associates: Under the March 2002 Proposal
    - Existing contracts with BAs will not have to be compliant until April 14, 2004, unless renewed or modified in the interim
    - Sample contract language is included in the appendix

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Patient Rights; Administrative Requirements; Enforcement

  • Patient Rights
    - Notice of Privacy Practices
    - Access, inspect and copy
    - Accounting of disclosures
    - Request amendments
    - Restrict disclosures
    - Request privacy protections

  • Notice Of Privacy Practices
    - Purpose is to inform patients about kinds of uses and disclosures of PHI that may occur, their rights with respect to the PHI, and the covered entity's duties under the rule
    - Plain language
    - Specified elements
    - Complaints
    - Contact person
    - Revisions (going forward only)

  • Notice: Under the March 2002 Proposal
    - Notice is more important under March 2002 changes
    - Good faith effort to obtain individual's written acknowledgement of receipt of Notice
    - Not applicable to indirect treatment providers
    - No standards for how provider obtains the patient's acknowledgement

  • Access, Inspection, And Copying
    - See and make copies of records
    - Facility must respond within 30 or 60 days
    - Facility may deny requests under limited circumstances
    - Psychotherapy notes excluded

  • Accounting Of Disclosures
    - All disclosures of PHI other than for treatment, payment, or health care operations
    - Specified elements
    - Patient entitled to receive accounting for previous 6 years
    - Facility must respond within 60 days
    - Patient entitled to one free accounting per year
    - Facility must document disclosures, the written accounting given to patients, and the name and title of the person in the facility responsible for handling requests

  • Request Amendments
    - Patients have the right to request amendments
    - Under some circumstances, facility may deny patient's request
    - Procedures to follow for requesting amendments and responding to requests
    - Facility must act on a request within 60 days

  • Restrict Disclosures
    - Patients have the right to request that the facility restrict the use or disclosure of PHI
    - Facility may choose not to grant the request
    - If the facility agrees, it is bound
    - Facility must establish policies and procedures to deal with requests

  • Request Privacy Protections
    - Patients may request that the provider communicate PHI by alternative means or at alternative locations.
    - Example: if a patient does not want his family to know that he is receiving treatment, he may request that the facility send all communication to his work address.
    - Facility must accommodate reasonable requests.

  • Administrative Requirements
    - Designation of a Privacy Official
    - Policies and Procedures
    - Training
    - Reporting and complaint processing mechanism
    - Sanctions
    - Duty to mitigate

  • Enforcement
    - Efforts
    - Prison and fines
    - HHS Office of Civil Rights
    - Guidance

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Implementation

  • Getting Started
    - Identify HIPAA organizational structure(s)
    - Create a Privacy Task Force
    - Determine scope of the project: HIPAA; state privacy law; corporate compliance
    - Conduct an assessment and inventory

  • Compliance Strategy
    - Inventory uses of PHI
    - Identify covered entities and business associates
    - Develop and implement privacy procedures
    - Develop and implement privacy procedures with business associates
    - Monitor state laws

  • Thank You! Michael D. Bell, Esq., Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C., Washington, D.C., (202) 434-7481, [email protected]

    Plan must include:
    - an analysis reflecting the extent to which, and the reason why, the entity is not in compliance;
    - budget, schedule, work plan and implementation strategy;
    - whether the person plans to use or might use a contractor or vendor to assist;
    - timeframe for testing that begins by 4/15/03.

    Model form for request to Secretary by 3/31/02. Otherwise could be excluded from Medicare. Model form was released in March.

    The Administrative Simplification provisions of HIPAA will radically alter the way health care organizations do business. There are significant civil and criminal penalties for non-compliance with the rule.
    - Health care providers: must transmit health information in electronic form in connection with a standard transaction. Providers become covered entities if they use another entity to conduct standard transactions on their behalf.
    - Health plan: HMO; insurance company; employee welfare benefit plan.
    - Health care clearinghouse: billing services; repricing companies; information systems or community health information systems; value added networks and switches; processes health information received in a nonstandard format or containing nonstandard data elements, or vice versa.

    BAs: Reaches them indirectly because the CE is required to obtain certain assurances from the BA. The BA itself, however, is not covered by the regulation.

    A hybrid entity: examples include a school or business with a clinic; an employer that self-administers a health plan; and an entity with different insurance lines. The significance is that if appropriate safeguards are implemented (e.g., firewalls) the requirements are inapplicable to the other components within the organization. Implications: training; access; accounting of disclosures.

    CEs that could qualify as a hybrid entity would be allowed to choose whether or not they want to be hybrid entities. In order to be a hybrid entity, a CE that otherwise qualifies would be required to designate health care components. If a CE did not designate health care components, the entire entity would be considered a CE. Health care components would include: (1) components of the CE that engage in covered functions, and (2) any component that engages in activities that would make such component a BA of a component that performs covered functions if the two components were separate legal entities. A hybrid entity would be required to include in its health care component(s) any component that would meet the definition of covered entity if it were a separate legal entity. In addition, under the Proposed Rule, a component that is a health care provider and that engages in standard electronic transactions would have to be included in the health care component, but a component that is a health care provider but that does not engage in standard electronic transactions could, but would not be required to, be included in the health care component of the hybrid entity. (Mintz Levin HIPAA Advisory)

    Affiliated entity: Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policy of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5% or more. Significant implications: single notice of privacy practices, single consent.

    Organized Health Care Arrangement: Administration of the privacy compliance program may be centralized. Includes: clinically integrated care settings, certain organized health systems, and certain group health plan relationships. Organized health systems must (1) hold themselves out to the public as participating in a joint arrangement; and (2) participate in joint activities that include at least one of the following 3 activities: UR; QA/QI; payment. Benefits: one consent (joint consent); no business associate agreements needed between parties; not business associates; accounting of disclosures does not apply to disclosures made for health care operations, which is defined as activities of a covered entity or an organized health care arrangement. Examples: HMO and group health plan; hospital and member of medical staff; HMO and participating provider; an IPA is an example.

    The safe harbor requires removal of so much information that the kind of information that can be disclosed may be useless.

    Treatment: The provision, coordination, or management of health care and related services by one or more health care providers, and includes:
    - Coordination or management of health care by a provider with a third party
    - Consultation between providers relating to the patient
    - Referrals from one provider to another

    Payment: Action by the facility to obtain or provide reimbursement for the provision of health care. Payment activities include:
    - Determinations of coverage
    - COB
    - Adjudication or subrogation of health claims
    - UR activities

    Health care operations: Include general administrative and business functions necessary for a covered entity to remain a viable business, such as: QA/QI; training; customer service; business planning and development; management activities and general administrative functions; due diligence; internal grievance resolution; and customer service to provide data and statistical analysis.

    An authorization for use/disclosure of PHI created for research that includes treatment: May be combined with a consent for the use/disclosure of PHI to carry out TPO, a consent to participate in the research, or a notice of privacy practices. There are particular content requirements for authorizations for the use/disclosure of PHI created for research that includes treatment.

    IRBs and Privacy Boards: There are specific requirements for the composition of these.

    Obtain IRB/Privacy Board documentation: There are specific requirements for this documentation of waiver approval. For instance: (1) identification and date of action; (2) waiver criteria (see below); (3) PHI needed for the research; (4) review and approval procedures; and (5) required signature.

    Waiver: An IRB or Privacy Board may waive if: (1) use or disclosure of PHI involves no more than minimal risk to individuals; (2) waiver does not adversely affect privacy rights or welfare of individuals; (3) research cannot practicably be done without the waiver; (4) research cannot practicably be done without access to PHI; (5) privacy risks are reasonable in relation to anticipated benefits; (6) a plan exists for protection of personal identifiers from improper use/disclosures; (7) a plan exists to destroy identifiers at the earliest opportunity consistent with the research; and (8) there is adequate written assurance that PHI will not be reused or disclosed to a third party except as required or permitted by law.

    Research on decedents' PHI: There are special requirements for using/disclosing a decedent's PHI for research purposes. The CE may disclose if it obtains from the researcher: (1) representation that the use/disclosure is sought solely for research on the PHI of decedents; (2) documentation, at the request of the CE, of the death of such individuals; and (3) representation that the PHI is necessary for the research purposes.

    Minimum necessary implementation specifications:
    - Identify persons or classes of persons who need access to, and the categories of, PHI needed to carry out duties
    - For routine or recurring requests and disclosures, develop policies and procedures to limit same to the minimum necessary
    - For all other requests and disclosures, develop criteria and review requests on an individual basis using the developed criteria

    Covered entities may rely on requests from: public officials; other covered entities; professionals who are employees or business associates for the purpose of providing professional services and if the professional represents that the information requested is the minimum necessary; persons requesting information for research purposes.


    If covered entity becomes aware of a violation by one of its business associates, it must take reasonable steps to cure the breach or end the violation.

    If it cannot, it must terminate the contract if feasible. If termination is not feasible, the CE must report the violation to the Secretary of HHS.

    Access (164.524): See and get copies of their medical records. Denial of access permitted:
    - Psychotherapy notes
    - Subject to Privacy Act requirements
    - Endangerment of health or safety of self or others
    - Likely to cause harm to another
    - Confidential information if it reveals the source
    - Information compiled for a legal proceeding

    Accounting of disclosures (164.528): 6 years prior (after compliance date). Doesn't include uses made for payment, treatment or operations. Includes disclosures to or by business associates. Reply within 60 days of receipt of request. One accounting per 12 months at no charge. Documentation: disclosures, written accounting, titles of persons accountable for processing requests.

    Right to have covered entity amend PHI (164.526): May deny if:
    - Not created by covered entity
    - Not part of the designated record set
    - Not available for inspection
    - Is accurate and complete

    Right to request restriction of uses and disclosures (164.522(a)): Covered entity not required to agree. Termination. Documentation.

    Right to request confidential communication by alternative means and at alternate places (164.522(b)): Covered entity must accommodate reasonable requests.

    Complaints: Must include information about how the patient can complain to the covered entity and the Secretary of HHS if they believe their privacy rights have been violated.

    Contact: The facility must designate a contact for patients who want further information.

    Revisions: The facility must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. When changes are made, they only apply going forward, not retroactively, as of the date of the notice that describes them.

    Time period: This right exists for as long as the facility maintains the information. E.g., if a former patient comes to the facility 5 years after she was treated there and asks to see her medical records, and the medical records have been sent off-site for storage, what should the facility do? Even if it's inconvenient for the facility to produce the documents for the patient, it must do so.

    In writing: The facility may require patients to request access to their medical records in writing, but if the facility chooses to impose this requirement, it must inform patients of it.

    Denials: Under certain limited circumstances, the facility may deny the patient's request to see his or her medical records. Sometimes a denial may be subject to further review, but sometimes the denial is final. Denials must be in writing. Another exception: if a licensed health care professional has determined that the access is reasonably likely to endanger the life or safety of the individual or another person; this denial is reviewable. The facility may charge reasonable cost-based fees for the copying.

    Right to request: Patients have the right to request amendments of their medical records for as long as the facility holds the information, but the facility is not always required to make such amendments.

    In writing: The facility may require the patient to make this request in writing, but it must notify the patient of this requirement.

    Process for requests/denials: Patients must follow certain procedures when requesting an amendment of their medical records, and the facility must follow certain procedures in granting or denying the request. The facility must establish a policy and procedures to deal with requests for restrictions and documentation of restrictions that are agreed to by the facility.

    Fines/Jail: HHS has the authority to impose civil monetary penalties for non-compliance, up to $25,000 for each calendar year for each provision that is violated. The regulation also provides for criminal penalties for wrongful use or disclosure of information, including between $50,000 and $250,000 in fines and between one and ten years in prison.

    OCR: The Office of Civil Rights at the Department of HHS is responsible for enforcing the statute and regulations.

    Guidance: HHS is expected to issue enforcement guidance at some point in the next year or so. It will apply to all the HIPAA regulations, not just the privacy regulation.

    Other laws: COPPA; GLB; state laws; practice acts and licensure laws; medical records privacy laws; insurance law; new electronic media initiatives; fraud and abuse laws; European Union Data Directive.

    Privacy Task Force: The Privacy Officer is responsible for the development and implementation of the policies and procedures of the covered entity. The task force assists with the development and day-to-day operations of the Privacy Program.

    Project scope: HIPAA. State statutes, regulations, and common law. Other federal privacy laws (e.g., COPPA). Corporate compliance: OIG guidance forthcoming; Medicare drug benefit forthcoming; growing number of government settlements with pharmacies; marginal increase in cost and efforts; numerous benefits.

    Assessment: Identify: (1) the flow of PHI throughout the covered entity; (2) data elements within the record; (3) the purposes for uses and disclosures; (4) whether there is a sale of data; (5) the retention period for data; (6) the final disposition of the data; and (7) the instrumentality. Gather existing policies and procedures. Identify available infrastructure. Compare your findings to the requirements set forth in the regulations and state statutory, regulatory and common law.

    Assess state laws: The Privacy Regulations do not preempt or supersede certain state laws that are contrary to the requirements set forth in the Privacy Regulations. State laws that are contrary to the requirements of the Privacy Regulation, and are deemed by the Secretary of HHS as necessary to achieve the following goals, are not preempted: prevent health care fraud and abuse; ensure appropriate state regulation of insurance and health plans; state reporting on health care delivery or costs; address controlled substances; or other purposes serving a compelling need related to public health, safety and welfare.

    In addition, the HIPAA statute provides that the Privacy Regulations shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.