Patient Privacy: Regulations of the
Health Insurance Portability and Accountability Act
II. History of Patient Rights
a. Privacy Act 1974
b. Privacy Rule
c. Health Insurance Portability and Accountability Act 1996
i. Covered Entities and Requirements
1. Health Plans
2. Healthcare Clearinghouse
3. Healthcare Providers
ii. Modification and Final Rule
d. Compliancy Dates and Penalties
e. Compliancy Process
f. Filing Complaints
g. Protected Health Information
h. Disclosure, Access, and Consent of PHI
III. HIPAA and Research
b. Roles and Responsibilities
IV. Employers and HIPAA
b. Employee Health Plans
V. HIPAA and the Family Educational Privacy Act (FERPA)
VI. HIPAA and the Future
a. Process for Amendments
Enacted in 1974, the Privacy Act provides:
1. The right to see records about yourself
2. The right to amend that record if it is inaccurate, irrelevant, untimely, or incomplete.
3. The right to sue the federal government if it violates the statute (for example, allowing an unauthorized individual to access your records).
Health Insurance Portability and Accountability Act (HIPAA) of 1996
The objective of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to “promote the “portability” of insurance coverage, and “accountability” by providing funding for, and strengthening of, enforcement of compliance with health care regulations”. HIPAA also improves the efficiency and effectiveness of the health care system through its “Administrative Simplification” provisions, which required the Secretary of the Department of Health and Human Services (HHS) to adopt national standards for the protection of health information, as applied to three types of “covered entities”: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. “HIPAA’s Administrative Simplification provision is composed of four parts, each of which has generated a variety of “rules” promulgated by HHS”. The four parts of Administrative Simplification are:
1. Standards for Electronic Transactions
2. Unique Identifiers Standards
3. Security Rule
4. Privacy Rule
With the Privacy Rule, the foundation for federal protection of the privacy of protected health information has been established. As described by HHS, the Privacy Rule does the following:
· It gives patients more control over their health information
· It sets boundaries on the use and release of health records
· It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information (a comprehensive compliancy program).
· It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ rights.
· It strikes a balance when public responsibility supports disclosure of some forms of data (protecting public health).
· It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
· It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
· It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
· It empowers individuals to control certain uses and disclosures of their health information.
The standards for electronic transactions are set forth for the following administrative and financial health care transactions:
1. Health Claims and equivalent encounter information.
2. Enrollment and disenrollment in a health plan.
3. Eligibility for a health plan.
4. Health care payment and remittance advice.
5. Health plan premium payments.
6. Health claim status.
7. Referral certification and authorization.
8. Coordination of benefits.
All “covered entities” must use the standards when conducting any of the defined transactions covered under HIPAA. “If a covered entity conducts a transaction using electronic media, either with another covered entity or within the same “covered entity”, it must conduct the transaction as a ‘standard transaction’”. Internet transactions are also treated the same as other electronic transactions with the exception of “certain transmission modes in which the format portion of the standard is inappropriate”.
Healthcare clearinghouses play a major role in accepting nonstandard transactions. “Healthcare clearinghouses may act as a business associate of a healthcare provider or health plan to standardize transactions that are not in standard format or content. Thus, a healthcare clearinghouse may receive a non-standard transaction (perhaps with non-standard format or non-standard content) from another covered entity and translate it into a standard transaction for transmission on behalf of that entity”.
The regulations protect medical records and other individually identifiable health information, whether it is on paper, transmitted via fax machine, stored in computers, or communicated orally. The key provisions of the Rule include:
· Access to medical records
· Notice of Privacy Practices
· Limits on the Use of Personal Medical Information
· Prohibition on Marketing
· Stronger State Laws
· Confidential Communications
With the plan requirements being flexible and scalable, all covered entities have the ability to implement them as appropriate for their business or practices.
Prior to fully enacting the rule, Secretary Tommy Thompson called for an additional opportunity for the public to comment on the privacy rule. This ensured that the Privacy Rule achieved its intended purpose without adversely affecting the quality of, or creating new barriers to, patient care. As a result, the first round of modifications to the Rule was published in March 2002. The modifications were intended to improve workability and avoid unintended consequences that could have impeded patient access to quality health care. The second round of modifications was adopted, following another round of public comment, in August 2002. HHS adopted this as the final Rule to ensure that the Privacy Rule worked as intended. As a general rule, future modifications to the Privacy Rule must be made in accordance with the Administrative Procedure Act (APA). HHS will comply with the APA by publishing proposed rule changes, if any, in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a modified final rule.
A specific element of the HIPAA Rule that was modified was the consent requirement. “The consent requirement created the unintended effect of preventing health care providers from providing timely, quality health care to individuals in a variety of circumstances.” Mandatory consent was replaced with voluntary consent to eliminate the barriers to health care. Voluntary consent enables providers to deliver quality health care in a timely fashion, without disruption of services.
The final rule for HIPAA took effect on April 14, 2001. Most covered entities had two years to fully comply, until April 14, 2003. Failure to implement these standards on time may have triggered the imposition of civil or criminal penalties under certain circumstances. Small health plans had until April 14, 2004 to become compliant. The Department of HHS, Office for Civil Rights (OCR), provided assistance to help covered entities prepare to comply with the rule. Since HIPAA is a federal law, noncompliance poses penalties ranging up to $25,000 per person, per year, per standard, and criminal penalties for more abusive and egregious violations. Fines also include up to $250,000 and/or imprisonment of up to 10 years for knowing misuse of individually identifiable health information. The violations must be of the same standard in a calendar year.
also provides for projected net savings from the “standardization of electronic transactions of $12 billion over 10 years for the entire
The process of becoming HIPAA compliant is no small task. Covered entities have to strategically plan for the HIPAA implementation process within their organization. Some organizations may have hired a consulting firm while others managed the process internally. There are key elements that must be included in every plan to make sure that the “covered entity” is HIPAA compliant. First, the healthcare provider must determine whether or not the organization is covered by HIPAA. Once the “covered entity” determination has been made, the management of the organization must be committed to the process, with the organization’s leadership taking an active role. Establishing a HIPAA committee with an adequate number of committed key personnel is vital to the implementation phase, along with designating a key staff person as the HIPAA point person. This key person must be “given authority, resources, and the time to prepare for the HIPAA changes”. In order to meet the HIPAA deadlines, the team should represent key areas such as clinical, billing, clinical records, finance, human resources, etc., and will be responsible for assessing the organization’s readiness for the arduous tasks that lie ahead. The key staff person can also play an important role in educating others in the organization on the impact of HIPAA on the organization.
Assessing the organization includes reviewing where the organization currently stands relative to HIPAA compliancy. Personnel understanding and compliance, existing policies and procedures, and physical and system security measures must initially be reviewed. Once the existing policies and procedures have been reviewed, developing a budget specifically for the modification process aids the planning phase. A risk analysis identifies the confidentiality threats and weaknesses that the entity faces.
Further assessment involves reviewing existing documents, such as consent forms, for compliance. The entity is responsible for developing additional consumer documents that will aid it in becoming HIPAA compliant. All entities’ privacy practices must be developed and displayed, in plain language, for all consumers to see. An explanation of consumers’ rights, including the proper procedures for filing complaints, must be included in the documents.
Additional HIPAA preparedness tasks include talking to the organization’s vendors or clearinghouse regarding software to ensure that the software is also HIPAA compliant by the established deadlines. The vendors must also make HIPAA changes and this information should be documented in the organization’s HIPAA files.
Filing Complaints and HIPAA
The U.S. Department of Health and Human Services has established a complaint process for those individuals who believe that a “covered entity” has violated health information privacy rights or committed another violation of the Privacy Rule. The complaint must be filed with the Office of Civil Rights (OCR). “OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule”. The alleged violation must have occurred after the HIPAA compliance date of April 14, 2003, or April 14, 2004 for the smaller health plans.
The HHS Department suggests following the basic procedures listed below when filing complaints to the OCR:
· Be filed in any written form.
· Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule.
· Be filed within 180 days of when the act was known to have taken place.
Protected Health Information (PHI) is any information, whether oral or recorded in any form or medium, including demographic information collected from an individual that:
a. Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
b. Relates to the past, present, or future physical or mental health or condition of an individual;
c. Either directly identifies the individual or indirectly provides a reasonable basis to believe the information can be used to identify the individual; and
d. Is transmitted or maintained in electronic media or any other form or medium.
Not all health information is considered protected health information. HIPAA exclusions include:
· Education records covered by Family Educational Rights and Privacy Act (FERPA);
· Medical records which are maintained as part of student education records;
· Employment records held by a covered entity in its role as employer.
PHI is different from other types of patient information referred to in other HIPAA guidelines. HIPAA distinguishes PHI from other patient information such as Designated Record Sets (DRS), Limited Data Sets (LDS), and De-identified Data. DRS are used primarily for accessing and copying PHI. More specifically, DRS include medical records and billing records about individuals maintained by or for a covered health care provider. DRS also cover enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan.
LDS are defined in terms of the direct identifiers of the patients, relatives, employers, or household members of the patient. Examples of such identifiers include but are not limited to: names; postal address information other than town or city, state and zip code; fax numbers; electronic mail addresses; social security numbers; etc. De-identified Data is patient information that does not identify a patient and with respect to which there is no reasonable basis to believe that the information can be used to identify a patient.
Disclosure, Access, and Consent of Protected Health Information (PHI)
Disclosure of PHI has its restrictions. PHI may be disclosed by covered entities with and without restrictions. Permitted disclosure of PHI includes the collection or receipt of such PHI for the purpose of preventing or controlling disease, injury, or disability. Disease, injury, vital events such as birth or death, public health investigations, conduct of public events, and public health interventions at the direction of a public health authority, etc. qualify as permissible disclosures of PHI. In reported cases of child abuse and neglect, PHI disclosure is permissible. Other parties to whom disclosure is permissible include:
· Persons subject to the jurisdiction of the FDA;
· Persons who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is required to notify such persons as necessary in the conduct of a public health intervention or investigation.
“For the individual, restrictions apply to disclosure with the exception of psychotherapy notes; information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings; or certain information maintained by clinical laboratories”.
Use of consent is needed for disclosure to carry out treatment, payment, or healthcare operations. In the case of the use of psychotherapy notes, consent is not required to carry out treatment, payment or healthcare operations. In emergency treatment situations, and with the exception of psychotherapy notes, disclosure of PHI in carrying out treatment, payment, or healthcare operations can be permitted without prior consent.
Under HIPAA, covered entities such as hospitals must make some attempt to verify the identity of people who inquire about a patient before revealing any of the patient’s PHI. Releasing medical information to anyone who asks for it can be dangerous, particularly when the request is made by phone and there is no way of identifying the caller, so hospitals must establish their own systems for the proper protection of PHI. This also applies to requests for copies of records.
“The HIPAA Privacy Rule established the conditions under which protected health information may be used or disclosed by covered entities for research purposes”. PHI can be used or disclosed for research regardless of the funding source if:
· The covered entity obtains documentation that alterations to or waiver of the authorization (as required by the authorization provision described below) has been approved by:
a. An Institutional Review Board
b. A privacy board that:
i. Has members with varying backgrounds and professional competencies to review the effect of the research protocol on the individual’s privacy rights and related interests;
ii. Includes at least one member who is not affiliated with the covered entity, research sponsor, or related to any person who is affiliated with such entities; and
iii. Does not have any member who is participating in the review of any project in which the member has a conflict of interest.
“The role of the National Institutes of Health (NIH) is the development of educational materials for researchers, in collaboration with other DHHS research agencies. NIH is not involved in enforcing or monitoring compliance with the Privacy Rule”. “When conducting investigator-initiated research that involves a covered entity the Privacy Rule may influence the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research”. NIH has instructions that will assist researchers with issues regarding the feasibility, design, and cost of research. The web-based instructions provide detailed information with respect to the PHS 398, which discusses such issues in the research plan and budget sections of the application.
The Privacy Rule does not replace or act in lieu of the existing regulations for the protection of human subjects found in 45 CFR 46, Federal Policy for the Protection of Human Subjects, which “applies to all research involving human subjects conducted, supported or otherwise subject to regulation by any Federal Department or Agency which takes appropriate administrative action to make the policy applicable to such research”. “Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risk, and when appropriate, address these issues in the Human Subjects section of the research”.
As a healthcare provider, the entity may also be serving in the role of an employer. From the employer standpoint in a health care setting, what does that mean in terms of being HIPAA compliant? Healthcare employers must comply with another set of HIPAA regulations. The goal is to “extend privacy protections to employee’s health information when it can be obtained by employers through their group health plans or directly from providers.” Unless employers satisfy a series of requirements, they cannot gain access under HIPAA.
HIPAA compliancy for health care employers applies to documents that are already generated between the employer and the group health plan. “Health plans cannot disclose PHI to the plan sponsor (a.k.a. the employer) unless the health plan documents are amended to restrict PHI uses and disclosures.” ERISA plans also qualify as covered entities even though an outside HMO or health insurer insures them, and they have fewer compliance burdens than self-insured plans. They are also subject to the penalties of HIPAA. Employers must ensure the same kind of privacy protections, amending their health plan documents to become HIPAA compliant.
For an employer to become HIPAA compliant, AIS.com spells out how they must amend their plan documents in the following ways:
1. Plan documents must certify that the employer will use employee PHI only as permitted by law.
2. Employers must furnish written verification to the health plan that the following occurs:
· PHI will be maintained in confidence, and permitted uses and disclosures will be described.
· The employer’s agents to whom the plan sponsor provides PHI agree to these same restrictions.
· The employer/plan sponsor will not disclose or use PHI it gets from a covered entity for employment-related actions and decisions or in connection with any other employee benefit.
· The employer/plan sponsor will report back to the health plan any use or disclosure that’s inconsistent with the above criteria. If the PHI gets used for the wrong purpose, the employer must report that to the group health plan.
· The employer/plan sponsor will return or destroy all PHI it no longer needs.
Employers must learn to distinguish what information is available to disclose. Information that employers receive when administering their health plan is PHI, while information they receive in an employer capacity is not considered PHI. The Privacy Rule also allows a covered entity to “disclose PHI as authorized by and to the extent necessary to comply with, laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illnesses without regard to fault”.
In the University setting, University clinics must combine two separate federal rules with regard to protecting students’ medical information: HIPAA and the Family Educational Rights and Privacy Act (FERPA). However, it is not clear where the two laws intersect. “FERPA is a federal law that protects the privacy of student education records.” “The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education”.
FERPA gives parents certain rights with respect to their children’s education records until the student reaches the age of 18. Those students are then considered “eligible students” because the parent’s rights have been transferred to them. Schools will ordinarily allow parents to have access to their child’s information, allowing the parents the right to inspect, review, and request in writing, student’s education records maintained by the school. “However, FERPA allows schools to disclose records without consent, to the following parties or under the following conditions”:
Due to the dual enforcement of privacy at University clinics, ambiguity exists where HIPAA and FERPA intersect. HIPAA’s definition of protected health information excludes records covered by FERPA. The use and disclosure of students’ educational records are only subject to FERPA when the university receives federal funding. HHS, which is responsible for HIPAA, determined not to interfere with other patient privacy protection statutes; therefore there remain two separate laws that may overlap in some aspects with regard to student health information. To add to the confusion, if the university does not receive Federal funding, the student health clinic is then regulated by HIPAA in terms of PHI uses and disclosures. FERPA applies when the student medical records are released outside of the clinic. Also, FERPA does not apply to the medical records of non-students and university professors who may be treated at the same university clinic as the student; in this case, HIPAA rules.
As a means of establishing protection for the transfer of private health information, the Department of HHS and Congress established standards that provide important rights for patients and for the privacy of their health information. Covered entities such as hospitals, doctors’ offices, employers, and universities must now exercise caution when transferring identifiable health information. Federal regulations have been established to ensure that the privacy of patient information is protected when it becomes portable via fax transfer and computer, as well as in some oral communications.
As of April 14, 2004, small health plans had to become HIPAA compliant, while other covered entities had an earlier compliancy date of April 14, 2003. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), provided assistance to help covered entities become compliant. For further information about HIPAA, the Privacy Rule, and the Family Educational Rights and Privacy Act, there are several websites, including that of the Department of HHS, which provide an abundance of HIPAA-related information such as fact sheets, press releases, reports, and checklists (refer to the reference page for additional listings).
This document does not serve as an official authority on HIPAA. It is a compilation of resources thus providing an overview of HIPAA based on those various resources. For more information, there are numerous other links available yet not provided in the reference, a few of which are listed as follows:
· Center for Democracy and Technology (CDT); www.cdt.org
· Computer Professionals for Social Responsibility (CPSR); www.eff.org
· Electronic Frontier Foundation; www.epic.org/privacy/tools.html
Business Associates – Other entities with which covered entities contract to do business, such as providers of legal, actuarial, accounting, consulting, administrative, management, financial, accreditation, or data aggregation services.
Family Education Rights and Privacy Act (FERPA) – a federal law that protects the privacy of student education records.
Healthcare – Care, services, or supplies related to the health of an individual, including: preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Health Care Clearinghouse – a public or private entity that processes standard transactions, such as billing services, re-pricing companies, community health management information systems or community health information systems, and “value-added” networks and switches.
Health Care Provider – any person or organization who furnishes, bills, or is paid for healthcare in the normal course of business such as self-insured employers, life insurers, information system vendors, universities, and various service organizations.
Health Plans – including managed care organizations and ERISA plans, but excluding certain small self-administered health plans; Government health plans including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service program.
Identifiers – Unique codes for employers and providers (these regulations are in proposed form) and will establish unique identifiers for health plans (not yet proposed).
Limited Data Set – PHI that excludes identifiers of the patient or of relatives, employer, or household members of the patients.
Modification – refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification.
Portability - the ability to be carried or moved out; information transferred to another covered entity.
Privacy - An individual’s rights regarding his/her information and an organization’s responsibilities to control who is authorized to access information.
Privacy Rule - intended to protect the privacy of all individually identifiable health information in the hands of covered entities.
Psychotherapy Notes – Notes recorded (in any medium) by a provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record – excluding medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Secretary – the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.
Security - The ability to control access and protect confidential consumer healthcare information from disclosure to unauthorized persons.
Security Rule – published in February 2003 (final), provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
Small Health Plan – a group health plan or an individual health plan with fewer than 50 participants.
Standard Transactions – transactions that use a standard set of data elements and data codes to carry out any of the defined transactions. These data elements and code sets cannot be added to or modified.
Transaction – the exchange of information between two parties to carry out the financial and administrative activities related to health care.
Unique Identifiers – a standard identification format used by employers when conducting business with each other. The employer’s tax identification number (EIN) is used for electronic standard transactions.
Waiver – the legal instrument evidencing the act of intentionally relinquishing or abandoning a known right, claim, or privilege.
National Council for Community Behavioral Healthcare. 2001. Retrieved on 3/9/04.
National Institutes of Health. http://grants.nih.gov/grants/guide/notice-files/NOT-OD-03-025.html.
Department of Health and Human Services. http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm. Retrieved on 4/15/04.
AIS Compliance/HIPAA. http://www.aishealth.com/Compliance/Hipaa/RMCHealthPlan.html.