
Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 starts innocently enough. The preamble states that it is "to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." (Emphasis added). Among these "other purposes," HIPAA requires that "the Secretary of Health and Human Services shall submit . . . detailed recommendations on standards with respect to the privacy of individually identifiable health information." Since HIPAA and its associated regulations regarding the privacy of health information, which became effective on April 14, 2003, will have a significant impact on medical communications, every health care provider, including and especially those who care for HIV-infected patients, needs to be aware of the new requirements and the penalties associated with noncompliance.

Health care providers and patients have long recognized that an effective physician-patient relationship requires trust and strict confidentiality of the patient's medical information. Since before the time of Hippocrates, well-recognized ethical obligations regarding physician-patient privacy have protected patients from inappropriate disclosures of medical information. The Hippocratic Oath, which most physicians still recite on graduation from medical school, states that "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about." In the past few hundred years or so, a layer of legal protection has been added as well. In the United States, there are common law and statutory rights of privacy that protect the patient's privacy regarding medical records and information. For the past 15 years or so, because of the significant implications associated with an HIV diagnosis, these have included prohibitions against disclosure of HIV status, except when the patient consents or when specifically authorized by law.

Some might argue that in view of these safeguards and the many state regulations regarding medical privacy, HIPAA is unnecessary. But, let's face it, American medicine has changed, and the ethical and legal disclosure standards that served us well for hundreds, if not thousands, of years have been significantly challenged by the current medical environment. In the past 50 years, American medicine has evolved from a system in which most patients had their own doctor who kept a paper chart in his or her office and whom they paid out of their own pocket on a fee-for-service basis to a system in which there may be multiple health care providers from a variety of disciplines involved with each patient's care, which they track using a variety of electronic tools, and in which most medical bills incurred by the patient are paid by third-party payers. As a result, electronic transfer of sensitive medical information between providers and to third-party payers and others has become customary, despite its not being as secure or confidential as perhaps it should be.

In recognition of these changes -- and the confusion among health care providers and others about who gets to know what about patients' medical records -- it is arguably appropriate that some national, minimal standard be set for protecting medical information. With the passage of HIPAA and the development and implementation of the regulations associated with that act, the US Congress and, more importantly, numerous associated regulatory bodies have boldly and heavily stepped into the breach. Still, this legislation might cause some cynics to think of the famous Mark Twain quotation, "No man's life or property is safe while the legislature is in session." They might also remark that while Congress seems paralyzed in the face of one of the greatest threats to modern medical health care for many Americans -- that is, a tort system that continues to spiral out of control, making malpractice insurance unaffordable and denying some communities such essential health services as emergency departments and readily available obstetricians -- it seems more than capable of drafting a new layer of legislation and bureaucracy that further burdens already-overloaded health care providers and supplies a potential basis for even more lawsuits. Regardless of which side you take in this ongoing debate, HIPAA is now the law, and compliance is mandatory.

HIPAA was initially passed and signed into law in 1996. As reflected by its name, HIPAA primarily was intended to make health insurance more portable, that is, in a society where people frequently change jobs, to make it easy for them to maintain health insurance when switching or leaving jobs. The primary intent of HIPAA is the territory of Title I of the act, "Health Care Access, Portability, and Renewability"; however, Title II of the act goes far beyond this goal and delves deeply into the area of medical record privacy.

The stated purpose of Title II of HIPAA -- "Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform" -- is "to improve the Medicare program under Title XVIII of the Social Security Act, the Medicaid program under Title XIX of such act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." Title II of HIPAA provides patients with significant rights and protections regarding privacy and disclosure of medical information and places a significant burden on health care providers and others who have access to confidential medical information to keep it private and protected. It must be noted, however, that HIPAA specifically provides that it does not "supersede a contrary provision of state law, if the provision or state law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." Therefore, if the state has more strict provisions than the federal regulations, as many do regarding HIV infection and disclosures, then the state law applies and must be followed.

As with any federal act or statute, after HIPAA was signed into law, an appropriate agency went to work to write the regulations that specify how the intent and details of law are to be carried out. Accordingly, the US Department of Health and Human Services (DHHS) has issued specific regulations regarding the implementation of HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), which establish a national standard regarding the privacy and protection of certain health information. The Privacy Rule regulates the use and disclosure of "protected health information" by the "persons" required to comply with HIPAA (also known as "covered entities") as well as a person's right to understand and control his or her health information. The DHHS states that "a major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being."

The covered entities required to comply with HIPAA include a health care provider, a health plan, and a health care clearinghouse (regardless of size) "who transmits or on whose behalf is transmitted any health information in electronic form in connection with a transaction referred to in section 1173(a)(1)." Section 1173(a)(1) defines a transaction as just about everything that a health care provider could possibly imagine: "(A) Health claims or equivalent encounter information. (B) Health claims attachments. (C) Enrollment and disenrollment in a health plan. (D) Eligibility for a health plan. (E) Health care payment and remittance advice. (F) Health plan premium payments. (G) First report of injury. (H) Health claim status. (I) Referral certification and authorization."

In reality, health care providers who use electronic transactions in any form -- and that includes just about everybody -- should presume that they are a "covered entity" and that HIPAA applies to them. In addition, HIPAA and its associated regulations also apply to any "business associate" of the covered entity, which includes "a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information."

The protection afforded by HIPAA is quite broad. Among other things, HIPAA and its associated regulations protect "individually identifiable health information" (also known as protected health information [PHI] in the Privacy Rule) held or transmitted by a covered entity or its business associate, in any form or medium (electronic, paper, or oral). This involves "any information, including demographic information collected from an individual, that -- (A) is created or received by a health care provider, health plan, employer, or health clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and -- (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual."

Thus, HIPAA protects, among other things, medical records; medical information collected by the health care provider or communicated to him or her by any source; any information that relates to the patient's health, health care, or payment history; and any individually identifiable health information, whether communicated via oral, electronic, or paper routes. The scope of these restrictions and requirements should be interpreted broadly because a disclosure that contains any potentially identifying information regarding the patient -- age, sex, race, hospital admission date, birth date, occupation, address, social security number -- is likely to be a violation of them. In addition, health care providers should keep in mind that, with certain exceptions (disclosure to the person who is the subject of the information), when protected health information is disclosed, an effort must be made to limit the disclosure to the "minimum necessary" (the minimum amount of information needed to accomplish the intended purpose of the use, disclosure, or request).

Under the Privacy Rule, a covered entity is prohibited from using or disclosing protected health information except under defined circumstances. Permitted uses and disclosures under the Privacy Rule include those:

  • To the person who is the subject of the information.
  • For treatment, payment, and health care operations (obtaining written consent from persons for these is optional under the Privacy Rule for all covered entities).
  • With opportunity to agree or object (listing basic patient information in facility directories and notification of families in emergencies).
  • That are incidental (a disclosure occurs as a result of, or "incident to," a permitted use or disclosure of the medical information).
  • Of public interest and benefit (including, among others, those required by law or necessary for law enforcement purposes and those regarding public health activities; victims of abuse, neglect, or domestic violence; and judicial and administrative proceedings).
  • That constitute a limited data set (a data set from which direct identifiers of persons and their relatives, household members, and employers have been removed).

If it is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule as stated above, the covered entity must obtain the person's written authorization for any use or disclosure of protected health information. Further, except in limited circumstances, a covered entity cannot condition treatment, payment, enrollment, or benefits eligibility on the person granting an authorization. The authorization for the release of protected health information "must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data."

The medical record is one of the most important areas covered by HIPAA, and HIPAA requires that the provider supply the patient with information about his or her medical record and who has had access to it. Further, the provider must obtain patient consent before most medical disclosures. These provisions of HIPAA include requirements that the health care provider:

  • Provide the patient with access to his or her medical record, including a record of disclosures, and the opportunity to request corrections or amendments to that record if an inaccuracy is found.
  • Obtain specific patient consent to any nonroutine disclosure of medical information, which includes virtually anything that goes beyond payment, treatment, or health care operations, unless exceptional circumstances exist, such as emergencies, identification following death, research approved by an institutional review board, and disclosures required by the government for public health, law enforcement, or national defense.
  • Establish a system for receiving and managing patient complaints and documenting resolution.

Since many may be unaware of HIPAA and the Privacy Rule, health care providers are required to provide patients with a written "Notice of Privacy Practices" (NPP). The NPP is a statement that gives a clear explanation of the provider's privacy policy. The provider must document that the patient (or, if appropriate, the patient's representative) received the NPP. In addition to being given to each patient, the NPP must be posted prominently in the office. The NPP should provide information in simple wording and contain the title "This Notice Describes How Medical Information About You May Be Used and Disclosed and How You Can Get Access to This Information. Please Review It Carefully." The NPP must include specific information describing the health care provider's plan for management of medical records and maintenance of privacy, the rights of the patient, and the duties of the provider. Before preparing the NPP, the provider should consult one of the resources above to make sure all of the requisite information is included. Finally, the provider must make a good-faith effort to obtain written acknowledgement of receipt of the NPP.

In addition, there are other basic requirements of HIPAA with which every health care provider must comply. The following is a brief, limited suggestion list of how health care providers should manage this new responsibility and attempt to meet the requirements of this law:

  • Learn about HIPAA. Either find a local expert or visit one of the many Web sites dedicated to this area. Some of the best Web sites for information are those of the DHHS (www.hhs.gov/ocr/hipaa) and the American Medical Association (www.ama-assn.org/go/hipaa).
  • Appoint a privacy officer responsible for the development and implementation of the steps required by HIPAA. In a small office practice, this may be one of the doctors, the office administrator, or another person who can fill a part-time role.
  • Provide training to office staff regarding HIPAA and the associated regulations. This will not absolutely ensure compliance but may limit errors and decrease the exposure to penalties (discussed below) of the health care provider who, as "captain of the ship," is responsible for the mistakes of office staff.
  • Document thoroughly everything that involves patient contact, medical records, or sharing of medical information, and keep this information for the mandated 6 years.
  • Obtain a specific, written consent from the patient for every disclosure, no matter how seemingly insignificant, and disclose only that information clearly allowed by the consent. Obtaining consent for routine disclosures for the purposes of treatment, payment, or internal operations is optional but a good idea, and the provider can refuse treatment (except in an emergency) if the patient does not consent. Consent for all other disclosures and contacts is mandatory. Again, consult one of the resources to obtain more specific information; the consent has to be extremely specific in a number of areas.
  • Protect patient privacy by carefully managing information: Keep charts in private areas far from the view of a wandering patient's eye; prevent unauthorized computer access by use of passwords and automatic sign-off; separate the secretarial area from the reception area so that patient telephone or other conversations cannot be overheard; direct office staff not to discuss patient matters outside of the confines of the inner office; and never leave medical information (other than a name and return phone number) with a relative, on an answering machine, or at an e-mail address unless the patient has given specific, written consent for doing so (and even then, do it cautiously).
  • Provide patient access to medical records when requested, and consider amending the record if requested by the patient and if appropriate.

Finally, health care providers should note that HIPAA is not optional and that there are both criminal and civil penalties for failure to comply with its requirements. Civil penalties can be assessed in the amount of $100 per violation, up to $25,000 per person per year for each violation. Criminal penalties include:

  • Up to a $50,000 fine and a year in prison for improperly obtaining or disclosing health information protected by HIPAA.
  • Up to a $100,000 fine and 5 years in prison for using false pretenses to obtain health information protected by HIPAA.
  • Up to a $250,000 fine and 10 years in prison for disclosing health information protected by HIPAA with the intent to sell, transfer, or use it commercially or for personal gain or malicious harm.

While the DHHS has indicated that health care providers should be "reasonable" in their interpretation and implementation of HIPAA and associated regulations, health care providers must recognize that variance from the requirements comes with some risk. What seems reasonable is in the eye of the beholder, and what the medical provider views as reasonable may not be the same as what some bureaucrat or court decides in the future. Therefore, unless the requirement is extremely burdensome, providers should attempt to adhere to the letter of the law, regardless of what a so-called HIPAA expert may say. The provider should keep in mind that it will not be the "expert" who is penalized; it will be the provider.

HIPAA is going to make health care providers' lives a little (in some cases, a lot) more difficult, and HIPAA is at times going to limit appropriate medical communications. Still, the law is the law, and ignorance of it is no excuse.

This column is part of a continuing series on medicolegal issues in HIV. Earlier columns appeared in April and September 2001 (AIDS Reader. 2001;11:182-190, 432-441).
