What Is HIPAA and Whom Does It Cover?
The HIPAA privacy regulations have their genesis in a law that has been on the books for some time. The Health Insurance Portability and Accountability Act was passed in 1996, at a time when the Clinton administration was giving serious consideration to reforming the health care system as it then existed in the United States. The bipartisan Act followed an administrative study that uncovered enormous inefficiencies in the American health care system.
The administrative study determined that approximately 27 cents of every health care dollar was spent on administrative tasks. The law set out to attack perceived problems with the availability of coverage and the efficiency with which health services were provided.
The Act first gained attention through its efforts to ensure the portability of health insurance for individuals losing or transferring their employment. This portability component was intended to eliminate the loss of health insurance due to pre-existing conditions when an individual had a change in employment status.
In addition to the portability provisions, the law instituted a new fraud and abuse control program and created the possibility of medical savings accounts, which allow individuals to self-insure, in essence, through a savings account that receives preferential tax treatment.
The remainder of the Act consists of the administrative simplification provisions, intended to improve the efficiency with which health care services are provided in the United States. The first administrative simplification provision addressed transactions and code sets. Through this effort, the federal government was to establish a national uniform set of transactions and code identifiers to increase the efficiency of payment processing. The transactions and code sets were to be implemented in October of 2002, and covered entities were afforded an opportunity to request an extension of time within which to adopt them. Because the actual codes had not been settled by October of 2002, a one-year extension of the implementation date was granted.
The next administrative simplification provision is the privacy regulations, which were finalized in their current form in August of 2002 and with which covered entities must comply, with limited exceptions, as of April 14, 2003. This overview focuses on the privacy regulations.
Following the privacy regulations, the administrative requirements relating to the security of protected health information will be the next step implemented, with an anticipated compliance date of April, 2004. Where the privacy regulations govern how a covered entity uses and discloses protected health information, the security regulations will govern the administrative, physical and technical safeguards covered entities must maintain to prevent unauthorized access to protected health information held in electronic form.
Following the security regulations, the attention of HIPAA will turn to a series of issues intended to provide uniformity to the provision, tracking and payment of medical services. These efforts, aimed at establishing uniformity, will include the establishment of national provider identifier codes, uniform employer identifiers, health plan identifiers, claim attachment standards and unique individual or patient identifiers.
The Department of Health and Human Services has provided extensive materials to assist with compliance. Its Website at http://www.hhs.gov/ocr/hipaa is a valuable resource, providing the regulations themselves as well as Frequently Asked Questions and additional information.
Final Privacy Rule
The promulgation of the final privacy regulations has been a multi-year task. The Department of Health and Human Services, with the assistance of consultants from private industry, published final regulations in December of 2000, which became effective in April of 2001. The Department of Health and Human Services provided a Guidance on July 6, 2001, to assist in the understanding and implementation of the regulations. Notice of proposed modifications to the regulations was issued on March 27, 2002, and the final modified regulations were published on August 14, 2002.
Since that time, the Department of Health and Human Services has continued to issue guidance on the regulations, most recently in December of 2002. In addition, web pages have been established to address frequently asked questions (“FAQ”). The answers to these FAQs have provided significant insight into the Department’s interpretation of the regulations. The final regulations, with which compliance is required as of April 14, 2003, are found at 45 C.F.R. Parts 160 and 164.
Despite the long process and the considerable resources available, a great deal of confusion surrounds the privacy regulations. This confusion has been spurred by myths circulating about what HIPAA does and does not require. Some of the myths are:
Sound-proofing doctors’ offices;
Locked filing cabinets;
A multi-page consent form for every patient; and
No longer being allowed to use patient sign-in sheets.
With a better understanding of the regulations, the myths can be dispelled and compliance obtained.
The regulations establish a federal floor in terms of required privacy provisions for the handling of patients’ confidential medical information. Currently, the regulations are applicable only to “covered entities.” A covered entity is defined as “a health plan, a health care clearing house, and a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” 45 C.F.R. §160.102.
A “health plan” means an individual or group plan that provides, or pays the cost of, medical care. A health plan is further delineated by identifying 17 specific types of programs intended to pay for medical care.
A “health care clearing house” is defined as a public or private entity, including a billing service, re-pricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following: (1) processes, or facilitates the processing of, health information received from another entity in a non-standard format or containing non-standard data content into standard data elements or a standard transaction; or (2) receives a standard transaction from another entity and processes, or facilitates the processing of, that health information into a non-standard format or non-standard data content for the receiving entity.
“Health care provider” means a provider of medical or health services, and any other person or organization which furnishes, bills, or is paid for health care in the normal course of business. It covers hospitals, doctors, dentists, clinics, and other similarly situated individuals and entities.
“Transaction,” as it relates to a health care provider, is defined as the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; referral certification and authorization; first report of injury; and health claims attachments. As a result of this definition, covered entities include any health care provider who transmits, or has someone else (e.g., a billing service) transmit, health information electronically using the HIPAA standard transactions for payment. Health care providers who do not currently transmit such information electronically are not required to comply with HIPAA.
There are a number of reasons entities not technically covered may still wish to adhere to the new requirements. First, with the increasing use of electronic billing, the likelihood that a health care provider will become a covered entity grows steadily. Second, the HIPAA regulations may come to define the standard of care for the handling of patient information; as a result, practitioners facing allegations of mishandling patient information before a licensing board or court may be measured against the HIPAA requirements. Finally, the definition of covered entity may be expanded to cover all health care providers.
Protected Health Information
The focus of the HIPAA privacy regulations is to govern the use and disclosure of protected health information. Under the regulations, health information is defined to mean any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house, and relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. In other words, it is any information that relates to an individual’s health, health care or payment for health care.
Protected health information (“PHI”) means individually identifiable health information. Individually identifiable health information includes demographic information collected from an individual, and is information that is created or received by a health care provider, health plan, employer or health care clearing house; relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and either identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual.
Examples of individually identifiable health information would include such things as a patient’s name, Social Security number, address and/or photographs contained in a medical file. Examples of items that would not qualify as individually identifiable health information would be x-rays with no identifiers or test results where identifying information has been redacted.
An additional aspect of the HIPAA privacy regulations is the establishment of rules governing how covered entities interact with the various third parties they deal with in connection with the provision of health care. These third parties are defined as Business Associates under HIPAA. They include such entities as answering services, billing services and collection agencies, and may include lawyers, accountants and other types of consultants.
The HIPAA regulations recognize that in order to efficiently provide health care services, covered entities must interact with certain other business vendors. HIPAA also recognizes that through this interaction, the other business vendors gain access to protected health information. HIPAA imposes a requirement that the covered entities obtain Business Associate agreements with these outside vendors, imposing upon the Business Associates the requirement to maintain the confidentiality of the protected health information and take certain steps should an improper disclosure occur.
In simple terms, the Business Associate agreement extends the protection afforded under HIPAA as imposed on covered entities to other entities and individuals who gain the protected information during the normal course of their business activities.
Preemption of State Law
The regulations take the general position that they preempt state law: “A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.” 45 C.F.R. §160.203. The regulation then provides exceptions to this general rule. The first category of exception applies if the Secretary of the Department of Health and Human Services determines that the provision of state law is necessary to prevent fraud and abuse related to the provision of or payment for health care; to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; for state reporting on health care delivery or costs; or for purposes of serving a compelling need related to public health, safety or welfare.
An exception also exists if the provision of state law relates to privacy of individually identifiable health information and is more stringent than the standard, requirement, or implementation established under HIPAA. Exceptions also exist if the state law, including any state procedure, provides for the reporting of disease or injury, child abuse, birth, or death, or the conduct of public health surveillance, investigation, or intervention. Finally, an exception exists if the provision of state law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation or the licensure or certification of facilities and individuals.
Under the first type of exception, a determination by the Secretary, a specific request must be made by the state’s chief elected official, or his or her designee, directly to the Secretary of the Department of Health and Human Services. Until the Secretary makes that determination, the HIPAA standard, requirement or implementation specification remains in effect.
As of the date of these materials, no such exception has been requested by Pennsylvania. As a result, exceptions to the general preemption will be limited to those areas where state law is more stringent; where state law pertains to the reporting of disease or injury, child abuse, birth, or death, or the conduct of public health surveillance, investigation or intervention; or where the provision of state law requires a health plan to report for auditing or licensure purposes.
Examples where state law is not preempted include subjects for which Pennsylvania has specifically enacted heightened levels of confidentiality or privacy protection. These include HIV-related information, mental health records, and drug treatment records. In these situations, the specific requirements of the applicable consent and disclosure statutes must be complied with before disclosure is permitted; mere compliance with the HIPAA Notice of Privacy Practices, or even a standard HIPAA consent or authorization, would not be sufficient.
In addition, HIPAA does not preempt mandated reporting requirements, such as those for child abuse and communicable diseases.