McDonald, Hopkins, Burke & Haber Co., L.P.A.
Attorneys at Law

The HIPAA Privacy Rules -- Frequently Asked Questions

Some HIPAA Basics

1. What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.  HIPAA provides for increased portability and continuity of health insurance, expands the scope of the fraud and abuse laws and mandates certain “administrative simplifications” intended to promote the electronic exchange of health information.

The administrative simplification aspects of HIPAA are meant to streamline many health care related administrative, financial and informational transactions, such as claim submission, verification and payment.  In furtherance of this objective, HIPAA mandates standardization of identifying information about participants in these transactions and the means for electronic transmission of information related to such transactions.  Because mandated electronic exchange of sensitive health information raises concerns about confidentiality, HIPAA includes, in its administrative simplification component, requirements for the protection of the confidentiality of medical information.

2. What are the HIPAA Privacy Rules?

The HIPAA Privacy Rules (the “Privacy Rules”) are regulations issued by the Department of Health and Human Services (“HHS”) as required by the administrative simplification/medical privacy provisions of HIPAA.  The Privacy Rules govern use and disclosure of “protected health information” (see Q&A 8).  The Privacy Rules impose obligations on virtually any person who uses health information for patient care and treatment or in connection with the payment for health care services.

3. Will there be future changes to the Privacy Rules?

Yes, the Privacy Rules are likely to change.  Further guidance is expected to eliminate uncertainties and help covered entities (see Q&A 5) with implementation.  HHS has indicated that changes are likely especially in those aspects of the Privacy Rules dealing with phoned-in prescriptions, referral appointments and the scope of allowable communications.

4. How do I obtain a copy of the Privacy Rules?

The final Privacy Rules can be found at www.aspe.hhs.gov/admnsimp/.  You may also obtain paper copies directly from the government by calling (202) 512-1800.

Compliance Generally

5. Who must comply with the Privacy Rules?

All “covered entities” are bound by the Privacy Rules.  “Covered entities” include health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with certain transactions covered by HIPAA.  These include transactions related to health care claims, payment for health care services and certification of referrals.

· Health care providers include those who provide health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

· Health plans include individual or group plans such as group health plans, HMOs, Medicare, Medicaid, employee welfare benefit plans and Tricare/CHAMPUS, that provide or pay for medical care.

· A health care clearinghouse is a public or private entity, including a billing service, re-pricing company, or community health management information system, that receives health information in a non-standard format and processes that information into a standard transaction, or receives a standard transaction and processes the health information into a nonstandard format or data content.  (For these purposes, a “standard” transaction is one that meets HIPAA standards for the electronic transfer of health information, while “nonstandard” means not in conformity with those HIPAA electronic transfer standards.)

6. What is the deadline for meeting the Privacy Rules?

Most covered entities have until April 14, 2003 to comply with the Privacy Rules.  Smaller health plans, i.e., plans with less than $5 million in annual receipts, must comply by April 14, 2004.

7. What are the basic requirements under the Privacy Rules for health care providers?

The principal requirements of HIPAA applicable to “the average health care provider” are to:

· inform patients about their privacy rights and the use of protected health information (“PHI”) (see Q&A 20-22);

· obtain consent (see Q&A 10-19) from individuals before using PHI for treatment or other health care related purposes;

· adopt clear privacy procedures (see Q&A 31);

· appoint an individual to be responsible for implementing the requirements of and monitoring compliance with the Privacy Rules (see Q&A 29);

· educate all employees as to the requirements of the Privacy Rules through a formal training program (see Q&A 30);

· identify all Business Associates and obtain from them “assurances” that they are safeguarding PHI (see Q&A 23-28); and

· identify and operate in accordance with appropriate safeguards to maintain the confidentiality of PHI (see Q&A 32).

8. What is PHI?

PHI includes any information, transmitted or maintained in any form or medium, which—

(a) is created or received by a Covered Entity,

(b) relates to –

(i) the physical or mental health of an individual,

(ii) the provision of health care to an individual, or

(iii) the payment for the provision of health care to an individual, and

(c) identifies the individual or can reasonably be expected to identify an individual.

9. What do the Privacy Rules require a Covered Entity to do with respect to PHI?

In most instances, the Privacy Rules require a health care provider to obtain prior consent or authorization from a patient before use and/or disclosure of PHI.  All covered entities must maintain the confidentiality of PHI and have in place appropriate safeguards to protect the privacy of PHI.  Most covered entities must also provide individuals with a notice of their practices concerning protecting the confidentiality of PHI.  A Covered Entity must also train its workforce to be aware of the requirements affecting use and disclosure of PHI.

Use, Disclosure, Consent and Authorization

10. What is the difference between “use” and “disclosure” under the Privacy Rules?

Generally, “use” occurs when health information is shared within the entity that maintains the information, while health information is “disclosed” when it is shared outside the entity.  The Privacy Rules define “use” as the sharing, employment, application, utilization, examination or analysis of individually identifiable health information within the entity maintaining the information.  Disclosure is defined as the release of, transfer of, provision of access to, or divulging in any other manner of information outside the entity holding the information.

11. When may a Covered Entity use or disclose PHI?

A Covered Entity may use or disclose PHI as follows:

· to the individual who is the subject of the PHI;

· pursuant to and in compliance with a consent or authorization that complies with the Privacy Rules;

· without consent, if consent is not required under the Privacy Rules (e.g., when a health care provider has an “indirect treatment relationship” (see Q&A 19) with an individual, or in certain specific treatment situations such as providing emergency care or when substantial communication barriers exist); or

· pursuant to an agreement with the individual.

12. What is the difference between “consent” and “authorization” under the Privacy Rules?

Generally, consent is required only by those in a direct treatment relationship with a patient.  A consent allows use of PHI for both medical treatment and related activities, including payment for such treatment, quality review and improvement, and other ancillary activities related to treatment.  An authorization is required for disclosure of PHI for non-treatment related purposes, such as to an employer, an insurer or for certain marketing purposes.

A consent is a general document that gives health care providers which have a direct treatment relationship with the patient permission to use or disclose protected health information in the context of treatment, payment and health care operations.  This means that doctors and other health care providers who actually treat a patient must obtain consent.  Health plans and health care clearinghouses, even though they are covered entities, are not required to procure consents.  It is always the health care provider’s responsibility to obtain a patient’s consent.  A provider may condition the provision of treatment of an individual on the grant of consent by such individual.  One consent may cover, indefinitely, all uses and disclosures by the provider for treatment, payment and health care operations.  Persons who do not treat a patient directly, such as someone who acts on the orders of another provider or who provides services or test results to a health care provider who in turn interacts with the patient, are not required to obtain consent.  A consent must refer to a health care provider’s “Notice of Privacy Practices” (see Q&A 20-22).

Authorization is a more customized document required by all covered entities to use or disclose protected health information for specified purposes, other than for treatment, payment or health care operations.  Unlike a consent, treatment or coverage decisions may not be conditioned on the individual providing an authorization.  An authorization is more specific than a consent and it covers only the uses and disclosures stipulated in the document.

13. What is the significance of and what is meant by the terms “treatment,” “payment” and “health care operations”?

The terms treatment, payment and health care operations are significant because they specify the activities that may be undertaken by a health care provider pursuant to a consent.  These activities are referred to collectively as “TPO.”

For these purposes –

· “treatment” means the provision, coordination or management of health care and related services by one or more health care providers;

· “payment” means activities undertaken by a health care provider to obtain reimbursement or by a health plan to obtain premiums or fulfill its coverage responsibilities; payment includes billing activities related to health care provided to an individual;

· “health care operations” means activities related to functions of Covered Entities regulated by the Privacy Rules; these activities include quality assessment and improvement activities, medical review activities and underwriting and premium rating activities.

14. Is a “joint consent” permitted under the Privacy Rules?

A Covered Entity that participates in an organized health care arrangement and has a joint privacy notice with the other entities may comply with the consent requirement by having a “joint consent.”  This consent must include the names of all the covered entities to which the joint consent applies, and if the joint consent is revoked, the entity receiving the revocation must notify the other covered entities of the revocation.

15. Are health plans or health care clearinghouses required to obtain an individual’s consent to use or disclose PHI to carry out treatment, payment or health care operations?

No.  Health plans and health care clearinghouses may use and disclose PHI for treatment, payment, and health care operations without obtaining consent.  These entities are permitted, but not required, to obtain consent.  If they choose to do so, however, the consent must meet the standards, requirements and implementation specifications for consents set forth under the Privacy Rules.

16. Will the consent requirement restrict the ability of providers to consult with other providers about a patient’s condition?

No.  Assuming that at the outset of the individual’s treatment the consent requirements were satisfied, the consultation is covered by the consent given to the provider with the direct treatment relationship with the patient.  If a health care provider with a direct treatment relationship with a patient consults with another health care provider, e.g., a specialist, the consultation falls within the definition of “treatment” and, therefore, is covered by the consent.

17. If a single course of treatment of an individual involves multiple visits, is more than one consent required?  What about visits for unrelated conditions?

The Privacy Rules require a health care provider to obtain consent from a patient for use or disclosure of PHI only once.  This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions.  The only time a provider will need to obtain a new consent is where the patient has revoked the consent between treatments.

18. May consent for use or disclosure of PHI be provided electronically?

Yes, so long as the electronic format satisfies all requirements of the Privacy Rules.  The Privacy Rules state that this means that the electronic format must allow for the consent to be signed by the patient, but do not explain how a patient signs such a consent.

19. What is the “indirect treatment relationship” exception?

This exception permits a health care provider who does not have a direct treatment relationship with an individual to use or disclose PHI without consent.  The use or disclosure must be for treatment, payment, or health care operations.  An “indirect treatment relationship” means a relationship between an individual and a health care provider in which the provider delivers health care to the individual based on the orders of another health care provider, or delivers test results or a diagnosis to the provider who interacts with the patient.  For example, radiologists and pathologists generally have indirect treatment relationships with patients.

Notice of Privacy Practices

20. What is the “Notice of Privacy Practices” required under the Privacy Rules?

A Notice of Privacy Practices (a “Notice”) is a disclosure in plain language by a Covered Entity to individuals that describes the uses and disclosures of PHI that may be made by the Covered Entity, and the individual’s rights and the Covered Entity’s duties with respect to the PHI.

21. What must a Notice contain?

All Notices must contain the following provisions:

· A prominent “header” stating “This notice describes how medical information about you may be used and disclosed and how you can get access to this information.  Please review it carefully.”

· A detailed description of the uses and disclosures of PHI that may be made by the Covered Entity, including examples of disclosures for treatment, payment and health care operations, and a description of specific disclosures concerning certain uses such as for appointment reminders and information on treatment alternatives.

· A statement of the individual’s rights with respect to the PHI, including the right to request certain restrictions on the use and disclosure of PHI, the right to receive confidential communications of PHI, and the right to inspect, copy and amend the individual’s PHI.

· A statement of the Covered Entity’s duties with respect to PHI, including the Covered Entity’s obligations to maintain the privacy of PHI and to abide by the terms of the Notice.

· A statement that individuals may complain to the Covered Entity and to HHS if they believe their privacy rights have been violated, and a brief description of how an individual may file a complaint with the Covered Entity.

· The name, title, and telephone number of a person or office to contact for further information about matters addressed by the Notice.

22. What are the requirements for delivery of the Notice?

A health care provider with a direct treatment relationship with an individual must provide the Notice no later than the date of the first delivery of service to the individual subsequent to the effective date of HIPAA, i.e., April 14, 2003 for most covered entities.  A provider should keep copies of the Notice available where the provider delivers services in the event individuals request a copy of the Notice.  The Notice also must be posted in a clear and prominent location where it is reasonable to expect patients will be able to read the Notice.  If a Notice is revised, it must be made available upon request after the effective date of the revision.  If a Covered Entity maintains a website that provides information about its services or benefits, it must post the Notice on the website and make it available electronically through the website.  A Covered Entity should retain copies of the Notice as evidence that it has complied with requirements applicable to the Notice.

Business Associates

23. What is a “Business Associate”?

A Business Associate is a person or entity who, on behalf of a Covered Entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information.  These functions and activities include claims processing or administration, data analysis, processing or administration, utilization or review, quality assurance, billing, benefit management, practice management and re-pricing.

The key to determining whether a person is a Business Associate is whether the person is acting “on behalf of” the Covered Entity.  For example, when a health care provider discloses PHI to a health plan for payment purposes, a Business Associate relationship is not established.

24. When can a Covered Entity disclose PHI to a Business Associate?

PHI may be disclosed by a Covered Entity to a Business Associate only for the purpose of the Business Associate assisting the Covered Entity to carry out health care functions, such as treatment or payment activities or health care operations.  PHI may not be disclosed to a Business Associate for the independent purposes of the Business Associate.

25. What are covered entities’ obligations with respect to a Business Associate?

A Covered Entity may disclose PHI to a Business Associate only if, prior to such disclosure, the Covered Entity has received “satisfactory assurances” that the Business Associate will safeguard the PHI, and the Covered Entity documents the existence of such satisfactory arrangements through a written contract or other written agreement or arrangement with its Business Associates that meets the requirements of the Privacy Rules.

26. How does a Covered Entity obtain satisfactory assurances from a Business Associate concerning its use of PHI?

The rule contemplates that covered entities and their Business Associates will enter into written arrangements, typically as a separate contract or as an addendum to an existing service contract, spelling out the Business Associates’ obligations with respect to the use of PHI disclosed by the Covered Entity.

27. Are there specific terms which a written contract or other arrangement with a Business Associate concerning the use and disclosure of PHI must include?

A contract between a Covered Entity and a Business Associate concerning the use and disclosure of PHI must –

· delineate the permitted and required uses and disclosures of PHI by the Business Associate;

· not authorize the Business Associate to use or further disclose the PHI in any manner that would violate the Privacy Rules if done by the Covered Entity (subject to certain limited exceptions); and

· provide that the Business Associate will not use or disclose the PHI other than as permitted or required by the contract or by law.

In addition, such a contract must require a Business Associate to:

· use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by its contract;

· report to the Covered Entity any use or disclosure of the PHI not provided for by the contract of which the Business Associate becomes aware;

· assure that any agents of the Business Associate, including a subcontractor of the Business Associate, agree to the restrictions and conditions applicable to the Business Associate with respect to the PHI;

· make available the PHI in accordance with certain requirements of the Privacy Rules concerning the access of patients to their PHI and/or the amendment of such PHI;

· make available the PHI for the purposes of accounting for disclosures of the PHI;

· make its internal practices, books and records relating to use and disclosure of PHI available to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Rules; and

· return or destroy, upon termination of the contract, all PHI received from the Covered Entity that the Business Associate still maintains in any form and retain no copies of such PHI, to the extent such return or destruction is feasible.

The contract with a Business Associate must also permit termination of the contract by the Covered Entity if the Covered Entity determines the Business Associate has violated a material term of the contract.

28. Are covered entities liable for the privacy violations of Business Associates?

No.  A health care provider, health plan, or other Covered Entity is not liable for privacy violations of a Business Associate.  Covered entities are not required to actively monitor or oversee the means by which their Business Associates abide by the requirements of their contracts.

If a Covered Entity becomes aware of a pattern or practice of a Business Associate that constitutes a material breach or violation of the Business Associate’s obligations under the Business Associate contract, the Covered Entity must take “reasonable steps” to cure the breach or to end the violation.  Reasonable steps will vary with the circumstances.

If steps to cure or end the violation are not successful, the Covered Entity must terminate the Business Associate contract, if feasible.  In circumstances where termination is not feasible, such as where there are no other viable business alternatives for the Covered Entity, the Covered Entity must report the problem to HHS.

Administrative Requirements

29. Will it be necessary for a health care provider to assign responsibilities concerning compliance with the Privacy Rules?

Yes.  A Covered Entity must designate a contact person at its office who is responsible for receiving complaints concerning the Covered Entity’s compliance with the Privacy Rules and who is able to provide further information about matters addressed in the Notice.  The Covered Entity must also designate a “privacy official.”  This individual is to be responsible for development and implementation of the administrative policies and procedures of the Covered Entity concerning protection of the confidentiality of PHI.  The privacy official and/or the contact person may have other responsibilities within the office, and one individual may serve as both the privacy official and the contact person.

30. Do the Privacy Rules impose training requirements on covered entities?

Yes.  The Privacy Rules require that a Covered Entity train all members of its work force concerning its policies and procedures as to protection of the confidentiality of PHI.  Such training is to be “as necessary and appropriate” for the employees and contractors of the Covered Entity to carry out their duties as employees or contractors.  Training for existing members of a Covered Entity’s work force is to be provided no later than the effective date of the Privacy Rules, i.e., April 14, 2003 in most cases.  Thereafter, new employees are to be trained within a reasonable time after they begin employment with a Covered Entity.  A Covered Entity should maintain documentation that it has satisfied its training obligations under the Privacy Rules.

31. What policies and procedures should a Covered Entity adopt to implement the Privacy Rules?

A Covered Entity must adopt policies and procedures that are “reasonably designed,” taking into account the size and type of activities of the Covered Entity, to ensure compliance with all aspects of the Privacy Rules.

32. Do the Privacy Rules require hospitals and doctors’ offices to be altered, to provide private rooms and/or soundproof walls, to avoid any possibility that a conversation is overheard?

The Privacy Rules do not require these types of structural changes to facilities.  Covered entities must have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI.  “Reasonable safeguards” mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the Privacy Rules.  HHS does not consider facility restructuring to be a requirement under this standard.  Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information.