By now, the entire healthcare industry has likely heard of the "HIPAA Privacy Rule" in one form or another. However, not all in the industry necessarily are aware of its massive scope and potential impact.

Background

To address widespread concerns about unauthorized access to private electronic healthcare information, on Nov. 3, 1999, President Clinton signed a rule proposed by the secretary of Health and Human Services protecting the privacy of an individual's healthcare information. Although the proposed "HIPAA Privacy Rule," as it is often called, is not yet final (the official comment period closed Feb. 17), the core components of the rule probably will remain relatively unchanged.

Scope and Timing

The proposed rule imposes sweeping requirements for the use and disclosure of "protected health information."

Protected health information is defined as "individually identifiable health information" that is or has been electronically transmitted or maintained by health plans, healthcare clearinghouses, and healthcare providers (in short, "covered entities"), including such information in any other form.

In most circumstances, other than the exceptions described below, a specific written release is required from the individual to whom the protected health information pertains to use or disclose it.

The rule safeguards protected health information during the life of the individual and in most cases, for two years after death. Covered entities generally have two years from the date the rule becomes effective to bring their operations into compliance; "small health plans" (those with $5 million or less in annual receipts) have three years to comply.

Exceptions

Of course, there are exceptions to the rule. The use and disclosure of protected health information without specific authorization from the patient is allowed if:

1. It is necessary for treatment, payment or healthcare operations.
2. The information is de-identified.
3. The information is given to a business partner (see definition below) to perform services or functions for, or on behalf of, the covered entity.
4. . The information is to be used solely for certain national purposes (e.g., public health activities, oversight of the healthcare system, judicial and administrative proceedings, law enforcement, directory information, research [with written authorization from an independent review board], and in emergencies).

The rule is intended to fill gaps in state law. It takes precedence over state law when there is a conflict, unless state law is deemed by the secretary to be necessary, more stringent than the proposed rule, or concerned with controlled substances.

Liability for Business Partners & Contracts

One of the most controversial and burdensome aspects of the rule is that it imposes liability on covered entities for the invalid use or disclosure of protected health information by "business partners."

Business partners are defined as persons "to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity." This definition includes auditors, consultants, third-party administrators, healthcare clearinghouses and billing firms.

Covered entities must have written confidentiality agreements with their business partners any time a disclosure is made, with or without a release, and they can be sanctioned for prohibited uses and disclosures by their business partners.

Patient's Rights, Written Notice & Penalties

Although we will cover the issue of access to information more thoroughly later in this series, here is a brief summary of the individual patient's rights created by the rule.

Patients have the right to:

1. Receive written notice of a covered entity's information practices.
2. Obtain access to their protected health information.
3. Obtain an accounting of how their information has been disclosed.
4. Request a correction and/or amendment to this information.

Individuals also may request their provider to further restrict use and disclosure of their protected health information for treatment, payment and healthcare operations, although the provider has the discretion to decide whether to agree to such a request.

Compliance

The rule also imposes new compliance requirements, mandating covered entities to:

• Implement administrative procedures to safeguard the confidentiality of health information.
• Designate a privacy officer in the covered entity's place of business.
• Train employees regarding the privacy policy and procedures.
• Implement confidentiality policies.
• Develop sanctions for violations of these policies.

While the new HIPAA Privacy Rule creates a uniform standard in the healthcare industry for the protection of identifiable health information to streamline healthcare operations, the rule also clearly imposes significant administrative costs on the healthcare industry. Additionally, the rule gives covered entities a very short time in which to comply with its sweeping requirements. Whether these requirements will cure the problems they are meant to address or just create new burdens remains to be seen.