The Impact of the HIPAA Privacy Requirements on Physicians
Part Two: Protected Health Information
By Thomas J. Onusko
This is the second in a series of articles that will address the impact of the final privacy regulations recently promulgated by the Federal government pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
The HIPAA privacy regulations protect "individually identifiable health information" also referred to as "protected health information" or "PHI". PHI is defined to include demographic information collected from an individual patient that: (1) is created by or received from a covered entity (such as a physician); and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) which identifies the individual, or (ii) with respect to which there is a reasonable basis to believe that the information could be used to identify the individual.
The final HIPAA privacy regulations expanded the scope of the proposed regulations to include protection of all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This is a significant departure from the proposed rules, which governed only PHI in electronic form. Thus, the final rules cover PHI not only in electronic form, but also in paper records and/or oral communications, even if they have never been electronically stored or transmitted.
The HIPAA privacy regulations require that the confidentiality of PHI be maintained not only when it is used or stored in a physician's office, but also when it is transmitted to another party to carry out financial or administrative activities related to health care. Examples of "covered transactions" to which the HIPAA privacy requirements apply include: health care claims, health care payment and written advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, and health claims attachments.
The next article in this series will address the permitted uses of PHI by physicians pursuant to the HIPAA privacy regulations. In the meantime, if you have a question about HIPAA and its requirements, you can contact Thomas J. Onusko at Tonusko@arterhadden.com.
Mr. Onusko is a Partner in the law firm of Arter & Hadden and Chair of the firm's Health Care Practice Group. He has over 20 years of experience advising health care providers in legal and regulatory matters. Mr. Onusko is also an adjunct professor in health care law at Case Western Reserve University School of Law and The Cleveland State University School of Business Administration - Health Care Administration Program.