HIPAA and the Privacy Rules
For over a decade “covered entities” have been required to comply with the HIPAA privacy regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 was originally enacted to protect health insurance coverage for workers and their families when they change or lose their jobs. In that respect, HIPAA works hand in hand with COBRA.
The HIPAA Administrative Simplification requirements, which are separate from the insurance portability requirements, are intended to reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions. These health information privacy rules seem to be the cause of some confusion.
Impact of Other Laws
While COBRA and HIPAA still play a role in protecting insurance benefits for many, many of the benefits protection provisions of COBRA and HIPAA have been largely eclipsed by PPACA (or ACA, also known as Obamacare). See the ACA section for more on Obamacare.
Other federal laws that may affect the way you obtain and keep your health insurance coverage include:
- The Mental Health Parity Act of 1996 (MHPA);
- The Newborns’ and Mothers’ Health Protection Act of 1996 (NMHPA); and
- The Women’s Health and Cancer Rights Act of 1998 (WHCRA).
For more information on the other Administrative Simplification provisions, visit the Centers for Medicare & Medicaid Services web site.
What Does HIPAA Mean For Me?
HIPAA may apply to you if you are an employee, employer, health care provider or other “Covered Entity.” Because HIPAA covers many unrelated aspects of health coverage, HIPAA may mean different things to different people. If you or your clients handle “protected health information” you may be affected by the new HIPAA privacy rules. Ignoring, misunderstanding, misinterpreting or incorrectly applying the rules could expose your organization to hefty civil fines–and even criminal liabilities. Employers must now be able to:
- Protect certain information covered by the new privacy rules;
- Determine if you qualify for exemption from any of the requirements;
- Notify plan participants about their privacy rights;
- Adopt and implement privacy policies and procedures; and
- Train employees to honor the privacy procedures.
HIPAA Opt-Out Materials
- Amendments to the HIPAA Opt-Out Provision made by the Affordable Care Act
- Procedures and Requirements for HIPAA Exemption Election
  - Model HIPAA Exemption Election Document
  - Model Notice to Enrollees of HIPAA Exemption
- HIPAA Opt-Out Elections for Self-Funded, Non-Federal Government Plans
- Procedures and Requirements for HIPAA Exemption Election through the Health Insurance Oversight System (HIOS)
Information Protected By the Privacy Rules
Information protected by the HIPAA privacy regulations is called “personal health information” or PHI. The privacy standards apply to any information–whether paper or electronic–that describes an individual’s health status or other characteristics that identify, or could be used to identify, that individual. This information includes not only the patient’s name and address and specific treatment information but also sex, ethnicity, and age.
The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient’s written consent before using or disclosing the patient’s personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient’s consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients’ consent for uses and disclosures of health information about the patient to carry out TPO.
- Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO. Exceptions to this standard are shown in the next bullet.
- Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
- Health care providers that have indirect treatment relationships with patients (such as laboratories that only interact with physicians and not patients), health plans, and health care clearinghouses may use and disclose PHI for purposes of TPO without obtaining a patient’s consent. The rule permits such entities to obtain consent, if they choose.
- If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient.
- A patient’s written consent need only be obtained by a provider one time.
- The consent document may be brief and may be written in general terms. It must be written in plain language, inform the individual that information may be used and disclosed for TPO, state the patient’s rights to review the provider’s privacy notice, to request restrictions and to revoke consent, and be dated and signed by the individual (or his or her representative).
- A covered entity must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by the covered entity.
- Certain integrated covered entities may obtain one joint consent for multiple entities.
- If a covered entity obtains consent and also receives an authorization to disclose PHI for TPO, the covered entity may disclose information only in accordance with the more restrictive document, unless the covered entity resolves the conflict with the individual.
- Transition provisions allow providers to rely on consents received prior to April 14, 2003 (the compliance date of the Privacy Rule for most covered entities), for uses and disclosures of health information obtained prior to that date.
Who Is Covered By These Rules?
The law uses the term “Covered Entities” to refer to individuals or organizations that are subject to the rules. These include entities that provide direct treatment to patients, as well as other entities that deal with personal health information.
The HIPAA Privacy Standards generally apply to
- health plans,
- health care clearinghouses and
- health care providers
that transmit health information in electronic form in connection with any transaction covered under the Electronic Transactions Standards.
Individually identifiable health information
“Individually identifiable health information” is defined as information that is a subset of health information, including demographic information collected from an individual, and that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
  - Which identifies the individual, or
  - With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
The “Minimum Necessary” Requirement
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary provisions do not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an authorization requested by the individual.
- Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.
- Uses or disclosures that are required by other law.
Uses and Disclosures of, and Requests for, PHI
For uses of PHI, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity’s policies and procedures must state so explicitly and include a justification.
For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required.
For non-routine disclosures, covered entities must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure. Non-routine disclosures must be reviewed on an individual basis in accordance with these criteria. When making non-routine requests for PHI, the covered entity must review each request so as to ask for only that information reasonably necessary for the purpose of the request.
In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:
- A public official or agency for a disclosure permitted under § 164.512 of the rule.
- Another covered entity.
- A professional who is a workforce member or business associate of the covered entity holding the information.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.
The rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.
Entities covered by HIPAA are also responsible for ensuring that some of their business associates protect the privacy of patients’ health information with the same care that the provider is required to provide. “Business associates” are defined as entities that perform a function or provide services involving PHI on behalf of covered entities; these include
- billing and collection companies, and
- central fabrication facilities.
The final rule requires a covered entity to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information before the covered entity may disclose that information to the business associate on the basis of such an arrangement.
With some exceptions, most businesses will need to have a Business Associates Agreement in place, for each covered business associate, by April 14.
For more information, see the HIPAA Frequently Asked Questions.