The Maryland State Bar Association, Inc. 
Bar Bulletin

March, 2003

MSBA Features

HIPAA Privacy Regulations to Take Effect in April
By Christine Williams

On April 14, 2003, the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) will go into effect. HIPAA was passed by the U.S. Congress and signed into law in 1996, and it contains “administrative simplification” provisions that require health plans and encourage health care providers to process health claims and payments (and to perform other administrative functions) electronically, using standard transactions and uniform code sets. The theory is that uniformity and electronic processing will reduce the administrative costs associated with health care. The administrative simplification provisions also include privacy and security safeguards for “protected health information” (PHI), and apply to health plans (including insurers and group health plans sponsored by employers, regardless of whether they are insured or self-funded), healthcare providers that choose to conduct certain transactions electronically (including claim submission, remittance advice and eligibility inquiry) and healthcare clearinghouses (referred to collectively as “covered entities”).

Protected Health Information

The regulations cover PHI held by covered entities. PHI is information that is individually-identifiable and that relates to a medical condition, treatment or payment for health care. For example, information on diagnoses, procedures, premium payments, claims, preexisting conditions, subrogation and coordination of benefits may be PHI. The privacy regulations cover all PHI, regardless of whether it is oral, on paper or in electronic form.

Use and Disclosure of PHI

Covered entities may not use PHI internally or disclose PHI externally, unless permitted to do so by the patient or enrollee or by the regulations. In general, the regulations permit PHI to be used or disclosed for treatment, payment or health care operations and as otherwise required by law. Other uses and disclosures require an “authorization.” The regulations require that an authorization be very specific in identifying who may make the use or disclosure, to whom it may be made, the purpose of the use or disclosure and the PHI to be disclosed.

Individual Rights Under HIPAA

The regulations grant significant new rights to patients and enrollees, including the right to:

  • Obtain a copy of the covered entity’s notice of privacy practices,
  • Inspect and obtain a copy of their PHI,
  • Request amendment of their PHI,
  • Receive an accounting of disclosures of their PHI,
  • Request that uses and disclosures of their PHI be restricted, and
  • Request use of alternative means or place of communications.

In some instances, state law already gives individuals similar rights. However, the HIPAA regulations tend to be more specific than many state laws, and in some instances go well beyond what state laws require.

Other Compliance Obligations

In addition to limiting uses and disclosures of PHI, covered entities are required to: 

  • Adopt and implement written privacy policies and procedures,
  • Enter into contracts with business associates that receive PHI from the covered entities, requiring the business associates to comply with the same standards as the covered entities,
  • Provide a notice of privacy practices to patients or enrollees,
  • Train employees in the privacy policies and procedures,
  • Appoint a privacy officer and a complaints officer, and
  • Disclose only the “minimum necessary” PHI for the particular purpose.

Relation Between HIPAA Privacy Standards and State Laws

The HIPAA privacy standards establish a floor rather than a ceiling. If the federal standards are more stringent than state law, the federal standards apply. However, if the covered entity is subject to state law and the state law gives patients or enrollees greater protection, the state law applies. This means that covered entities that are subject to state law will have to comply with a patchwork of state and federal laws.

Penalties

HIPAA provides for criminal and civil penalties but no right of action by patients or enrollees against covered entities. However, the new regulations may become the measuring rod for what is “reasonable care” in handling health information, and state courts may use the regulations to gauge whether covered entities have acted reasonably in protecting health information.

Preparing for Compliance

Compliance with the new standards will require more than paperwork: most covered entities will have to redesign at least some aspects of their operations, and some covered entities will have to make major changes. The first steps on the road to compliance include:

  • A thorough inventory of the covered entity’s records to determine what PHI it holds, who has access to it, to whom it is disclosed and what it is used for,
  • A review of the inventory to determine to what extent the covered entity is not in compliance with the new standards, and
  • An examination of the areas of non-compliance to determine how procedures and operations may be best changed to achieve compliance while still meeting the covered entity’s operational needs.
Copyright ©2000-2008, Maryland State Bar Association Inc. All Rights Reserved.