Co-written by Eve H. Goldstein, Asmita Shirali, Jennifer Gehrlein, Jeffrey L. Kapp, Kimberley A. Elting, Ross E. Stromberg and Teresa A. Brooks

With the promulgation of the new federal privacy rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),1 health care providers need to assess how they collect and use certain patient information and implement procedural safeguards to protect that information. This Health Care Commentaries will provide a practical guide to the steps we believe providers should take to comply with the rules. The rules are currently being reviewed by the Bush Administration, which is under intense lobbying pressure to make changes or withdraw them altogether. HHS Secretary Thompson recently announced that the Agency will accept additional public comments on the rules until March 30, 2001. If that effective date stands, compliance with the rules would be required by April 14, 2003.2 While that date may seem far away, health care providers should begin the planning process now so they can meet the many challenges posed by the new rules.

Preliminary Steps

The first step toward HIPAA compliance is to analyze the functions performed by your organization to determine what type of covered entity it is under the rules. For example, in addition to being a "health care provider," if it operates a managed health care plan or HMO, it is also a "health plan" and hence subject to those parts of the rules applicable to plans.3 Moreover, if your organization offers a health plan to its own employees under ERISA, it is also a plan sponsor. Plan sponsors are not directly governed by the rules but nevertheless will have to make certain changes to ensure that the health information received from the plan about employees is not used in making decisions affecting their employment.

Concentrating on the organization’s status as a provider, the next step is to determine whether there are other separate legal entities with which it shares common ownership or control, e.g., physician practices, and with which it might want to seek designation as a single affiliated covered entity. §164.504(d). Or, alternatively, if your organization is part of an "organized health care arrangement" with other independent entities, there could be advantages in seeking designation as such pursuant to §164.506(f).

After these initial questions have been answered, an organization should designate a privacy official who, together with staff, will constitute the privacy office. Under the rules, the privacy official is the individual with primary responsibility for developing and implementing the many policies and procedures required by the rules. It is important that the privacy official have adequate resources, given the size and complexity of your organization, to discharge effectively his or her responsibilities under the rules. The privacy function should be treated as a part of your organization's overall compliance program.

Some of the major areas the privacy official will have to address are discussed below.

Policies And Procedures To Ensure That Only The Minimum Necessary Information Is Used Or Disclosed

The rules require that providers implement policies to ensure that for each permissible use and disclosure of patient information, only the minimum amount necessary is used or disclosed. §164.514(d). The notable exception to this is disclosures for purposes of patient treatment; there, it is sensibly assumed that physicians, nurses, and other providers should have access to the entire patient file. In order to satisfy the minimum necessary information standard, providers must:

  1. Identify the persons or classes of persons in the workforce who need access to protected health information to carry out their duties, the category or categories of health information to which they need access, and the conditions that would apply to such access.
  2. Identify routine and recurring disclosures, and implement policies and procedures (which may be protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
  3. For all other disclosures, develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which the disclosure is sought and review requests for disclosure against such criteria.
  4. Identify requests for information that the organization makes on a recurring basis and develop policies and procedures (which may be protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
  5. Review all other requests on an individual basis to determine that the protected health information sought is limited to the information necessary to accomplish the purpose for which it is sought.
  6. Implement procedures to ensure that the whole patient record is not released unless the need for the whole record is specifically justified.

None of this is easy. It requires careful analysis of the flow of patient information within the institution, who needs what information for what purposes, what kinds of requests for information are routinely made by outsiders (e.g., insurers), and what kinds of requests the institution makes for information from outsiders. And if all this were not enough, providers are required to establish procedures to verify the identity of the person making the request. §154.514(b).

Appropriate Administrative, Technical, And Physical Safeguards

Section 164.530(c) requires providers to establish appropriate administrative, technical, and physical safeguards to protect the privacy of health information. This standard covers a multitude of issues and may be one of the more difficult ones to implement. Issues include the physical location of patient records, issuance of passwords, instructions to turn off computer screens, placing locks on doors or drawers, and providing paper shredders. The preamble to the rules states that "the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes" and that this is intended to be "a commonsense, scalable standard." It also references the Association for Testing and Materials and the American Health Information Association as bodies that have developed recommended practices for handling protected health information. Electronic information will be subject to this standard as well as to the requirements of the HIPAA Security Standards.

Identify Business Associates And Negotiate Contracts

Business associates are entities that perform functions on behalf of the provider (e.g., billing, collections, auditing, legal) that require the disclosure of protected health information. Because business associates are not "covered entities," the rules do not apply directly to them. However, the rules require that covered entities, like providers, enter into contracts with their business associates to ensure that the business associates do not misuse the information with which they are entrusted. Generally this means that business associates must agree to use protected health information only as permitted under the contract, to implement safeguards to prevent unauthorized use of the material, and, where feasible, to return or destroy the material at the termination of the contract. §164.502(e) and 504(e).

The rules do not require that you monitor the business associate’s compliance, but they do require that you take steps to ensure that any problems you learn about are corrected, or where that is not feasible, that you terminate the contract.

Under the proposed rules, it would have been necessary to designate the patient as the "third-party beneficiary" of the contract between the provider and the business associate, which would have meant that the individual could sue if his or her protected health information was used or disclosed in violation of the contract. The final rules do not contain this requirement; however, it is still possible that courts in some states will find that the individual does have a private cause of action.

Adopt A Notice Of Privacy Practices

Once the foregoing processes have been completed, the next step is to formulate a "privacy notice" that complies with the requirements of §164.520. Essentially, such a notice must describe the provider’s privacy policies in "plain English" and also explain the patients’ rights under the new rules. It is essential that the notice reserve the provider’s right to adopt amendments. There are a number of detailed requirements that must be met, and it is important to get the notice right, but if you have accomplished all the foregoing steps, drafting the privacy notice will be relatively easy.

Of course, there is one caveat. The privacy notice must take into account not only the federal law, but any state laws that are not contrary to the federal rules. This means in effect that you are bound by both state and federal law, and if your organization has operations in more than one state, you must comply with the laws of each state. The notice must be provided to individuals when they come for treatment, and, if you have a Web site, the notice must be prominently posted thereon.

The privacy notice serves as a sort of bridge, describing both the provider's privacy policies, discussed in the foregoing sections, and the right of the individual (i.e., patient) to control the use, disclosure, and even content of his or her health information. The patient's rights are discussed in the sections that follow, with emphasis on the procedures providers will have to implement in order to protect them.

Patient's Rights To Control Use And Disclosure Of Health Information

The rules begin with the presumption that an individual should be able to control who sees and uses his or her health information, but the drafters recognized that such control could not be absolute. Therefore, they established four sets of "uses" and differing levels of control for each.

Disclosures for Purposes of Treatment, Payment, or Health Care Operations. The rules require that an individual give his or her "consent" to the use of his or her health care information for purposes of treatment, payment, and health care operations.4 These terms are broadly defined, and, with a few exceptions (e.g., emergencies), providers may condition treatment upon the individual signing the consent form. It will be necessary to draft a standard consent form that meets the requirements of §154.506. As with the privacy notice, there are a number of technical requirements, and it is vitally important that the form be properly drafted, because even small deficiencies can render it invalid. §164.506(d). In addition, providers must put into place procedures that allow individuals to ask for additional restrictions on the use of their health information, but providers are not required to agree to such requests. If a provider does agree, however, it must document the restrictions agreed to and abide by them. Of course, even here there is an exception. Section 164.522(b) requires that individuals be permitted to request, and that providers accommodate reasonable requests, to receive communications of protected health information by alternative means or at alternative locations.

Since these requirements will apply to every patient, it is important that all employees that "receive" patients be trained to implement them. This includes admissions office, emergency room, and outpatient departments, plus any other patient care centers on or off campus.

Uses and Disclosures for which the Individual’s Authorization must be Obtained. Disclosures for purposes other than treatment, payment, or health care operations are permitted, with exceptions discussed in Sections 3 and 4 below, only upon the signed authorization of the individual. Section 164.508 sets forth in detail all the requirements for a valid authorization. Authorizations differ from consents in several ways. First, not all patients will need to sign them, and second, treatment cannot as a general rule be conditioned upon the individual signing an authorization.

Because the requirements of an authorization are complex, and vary with the reason for which the authorization is being sought, authorizations should be drafted or reviewed by the privacy officer, and staff asking individuals to sign them should be carefully trained. The rules contain detailed provisions for seeking authorizations with respect to research performed in conjunction with treatment.

Disclosures for Use in Directories and to Persons Involved in Patient's Care. Providers who wish to list patient names in directories or provide notice of their admission to clergy must permit the individual to agree or object to such use and disclosure. Procedures should be implemented to obtain and document the individual’s response. §164.510(a).

Similarly, individuals are given the right to agree or object to the disclosure of information to a family member or close personal friend who is involved with the patient's care. The rules here are somewhat involved, but it is essential to train staff, since almost always there will be relatives or friends seeking information. Again, prudence would dictate that the patient’s response be documented. §164.510(b). The individual must also be given the right to request restrictions of such disclosures, although the provider need not agree to the restrictions. §164.522.

Disclosures Permitted Without Patient Consent, Authorization, or Opportunity to Agree or Object. Section 164.512 provides a number of circumstances in which disclosure is required or permitted without the individual being given the opportunity to consent, authorize, or agree. These include disclosure to public health authorities, disclosures for law enforcement, and a limited provision for use of information in research. Almost every one of these has a set of restrictions and conditions attached to it. Therefore, requests under §164.512 should normally be reviewed by the privacy official or his or her designee.

There are a few types of recurring disclosures where the requirements are fairly simple, e.g., disclosures to coroners, medical examiners, and for purposes of organ donation, and providers may decide that patient care staff can be trained to handle these situations. In addition, there are some kinds of disclosures where referral to the privacy office may not be practical. For example, police officers may need immediate information about a suspect or a crime victim in the middle of the night. Providers should consider having an "on call" employee in the privacy office who can be contacted in such emergencies. Alternatively, patient care staff could be trained.

Procedures should be established to document all uses and disclosures under this section, since most of them would be subject to the "accounting" requirement of §164.528.

Patient's Right To Access Health Care Information

The rules give patients the right, with limited exceptions, to access and obtain copies of their health information. Providers must therefore establish procedures for receiving and processing requests for access within time frames established by §164.524.5 If a request is denied in whole or in part, the provider must give a written explanation of the basis for the denial, provide an opportunity for review if the denial is based on one of the specified grounds for which review is available, and explain how the individual may file a complaint either with the provider or the Secretary of the Department of Health and Human Services.

Presumably all such requests would be processed through the privacy office, which would have the specialized knowledge of the grounds for denial, bases for appeal, and necessity for documentation.

Patient's Right To Amend Health Care Information

Under §164.526, patients have the right to request an amendment to their health care information. Again, there are designated grounds on which such requests may be denied. Providers will have to establish procedures to process requests for amendment. Where such requests are granted, the provider must inform the individual, persons identified by the individual as needing the amendment, and persons, including business associates, that have relied, or foreseeably could rely, on the information to the individual’s detriment.

Where the request is denied, the provider must give the individual a timely response meeting the standards of the regulation, inform the individual of his or her right to submit a written statement of disagreement, and inform the individual of his or her right to complain to the provider or the Secretary. The provider must append any statement of disagreement to the record, or if the individual requests, must append the request for amendment and denial. The provider may, at its option, append a rebuttal statement if the individual files a statement of disagreement.

Providers are also required to amend their records when informed of an amendment by another covered entity, and they must establish procedures for doing so.

As with requests for access, it would make sense to locate the amendment process in the privacy office, which would have the expertise to process the requests, make appropriate amendments, and otherwise document the process as required by the rules.

Patient's Right To Accounting Of Uses And Disclosures Of Health Care Information

Patients are also given the right to obtain an accounting of the uses and disclosures of their health information made during the six years prior to the date of the request. §164.528. As with all other rights under these rules, this one is subject to limited exceptions. Procedures will also have to be established for processing and responding to requests for accounting. Again, this would seem to be a function best located in the privacy office.

Use And Disclosure Of Health Information For Research

For institutions conducting research involving the use of identifiable health care information, the rules set forth procedures that will have to be followed. Generally speaking, it will be necessary to obtain the individual's authorization whether or not the research involves treatment. Where the research is combined with treatment, there are additional requirements. §164.508. Limited exceptions to this requirement exist where an institutional review board or privacy board has approved a waiver, where the use is for review preparatory to research, or where the research involves only information about deceased individuals. §164.512(i). These requirements are extremely complex and involve interaction with the consent requirements of §164.506. Research authorizations should always be drafted or reviewed by the privacy official.

Additional Administrative Requirements

Section 164.530 sets forth a number of additional administrative requirements. These include:

  1. Training all members of the workforce on the provider’s policies and procedures for protecting health care information. §164.530(b).
  2. Providing a process for individuals to make complaints concerning the provider’s policies and procedures or their compliance with them. §164.530(d).
  3. Developing and applying appropriate sanctions against members of the workforce who fail to comply with the privacy policies and procedures. §164.530(e).
  4. Implementing procedures to mitigate the harmful effect of an improper use or disclosure of health information. §164.530(f).
  5. Establishing procedures to document and retain documentation of their compliance. §164.530(j). Documentation is required of compliance with almost all of the provisions of the privacy rules and is advisable even where not specifically required. Providers are required to retain such documentation for at least six years and must make it available to the Secretary for review.

Optional Procedures

As if the foregoing were not enough, there are certain optional procedures that providers may choose to implement. These include:

De-identification. Providers may establish procedures to "de-identify" health information by removing all information that could identify the individual to whom the information relates, as described in §164.514. Such de-identified information is not protected under the privacy rules.

Marketing. Providers may establish procedures to facilitate marketing without the necessity of obtaining an authorization. Marketing without an authorization is permissible in face-to-face interviews with the patient or where the marketing involves items or services of nominal value. Alternatively, providers may use health information in mailings or other communications marketing either their own health-related products and services or those of third parties. In such instances, however, the communication must identify the provider as the originator, disclose any remuneration received, explain how the individual may opt out of receiving further information, and, in cases where the individual has been targeted based on his or her health status, meet certain additional requirements. Marketing that does not meet these requirements can only be done if the patient has signed an authorization. To ensure compliance, all marketing campaigns directed at current or former patients should be cleared in advance with the privacy office.

Fund Raising. Covered entities that wish to use or disclose protected health information for purposes of fund raising may do so without an authorization if such use is described in the facility's privacy statement, is limited to demographic information about the individual and the dates of health care, and the fund-raising material includes a description of how the individual may opt out of receiving further materials. §164.514(f).

Again, it makes sense to have all fund-raising efforts reviewed by the privacy office for compliance with §164.514(f) or the authorization provisions of §164.508.

Conclusion

April 2003 seems far away, but there is much to be accomplished between now and then. Some steps are relatively easy; others require review and modification of how providers use patient information internally and to whom and for what purposes it is disclosed to outsiders. Many of the requirements are technical, and this Commentaries provides only an overview. But providers who take a look at the big picture and begin planning now will be able to come into compliance most efficiently and with the least disruption of ongoing operations.

Footnotes

1 45 C.F.R. Parts 160 and 164. In addition to the privacy provisions, HIPAA also establishes security standards and transaction standards for health information that is transmitted electronically.

2 The effective date for small health plans is one year later.

3 The rules also cover clearinghouses, and it is possible that some providers perform those functions as well.

4 A consent is narrower when the protected health information includes psychotherapy notes, and it may be necessary to obtain an authorization pursuant to §164.508. Psychotherapy notes generally receive greater protection under the rules than other forms of health information. It would be advisable to identify any records containing psychotherapy notes and develop special procedures for dealing with them. Generally, use or disclosure of such records for routine purposes should be pursuant to protocols established by the privacy official, and non-routine uses or disclosures should not occur without his or her clearance.

5 Section 164.524 sets forth special rules with respect to an individual’s access to his or her psychotherapy records.

Further Information

This Health Care Commentaries is a publication of Jones, Day, Reavis & Pogue and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general informational purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at its discretion.