Highlights of Final Federal Rule Governing Privacy of Health Care Information

By Jackie Huchenski, Moses & Singer LLP

President Clinton, in conjunction with a series of administrative simplification regulations requiring the standardization and security of electronic health care data, on December 20, 2000, signed the first ever federal rule protecting the privacy of an individual's health care information.¹ Unless Congress or the new administration takes action beforehand, the rule will be effective sixty days after publication in the Federal Register (which is expected December 28, 2000).

The following is a broad overview of key provisions of the proposed rule:

Scope. The final rule governs the use and disclosure of "individually identifiable health information"² in any form, whether electronic, written or oral ("Protected Health Information" or "PHI") by health plans, health care clearinghouses³, and health care providers who transfer such PHI electronically ("Covered Entities"). Disclosure is only required (i) if requested by HHS for compliance purposes, or (ii) to the individual, upon proper request.

Consent. Coverered health care providers directly providing treatment must obtain patient "consent" before using or disclosing PHI for treatment,⁴ payment,⁵ or health care operations,⁶ and in doing so must provide detailed written information on patients rights and how the PHI will be used. Health plans may obtain consent but are not required to. Both providers and health plans may condition treatment/enrollment (respectively) on obtaining such consent. Individuals may also request their provider to further restrict use and disclosure of their PHI for treatment, payment and health care operations. Consent documentation must be kept six years.

Specific Authorization. In addition to the one-time consent requirements above, all Covered Entities must obtain specific patient authorization to use and/or disclose PHI for all purposes other than treatment, payment or health care operations except as noted under Exemptions below. This requires patients to "opt-in" before such use/disclosure may be made. Treatment and/or payment may not be conditioned on obtaining such authorization. Covered Entities may make certain uses/disclosures of PHI for certain marketing and fundraising purposes without obtaining specific authorization but patients must be provided with notice and right to "opt-out" of future uses/disclosures. Authorization documentation must be kept six years.

Exemptions. No consent or authorization is required if (i) information is de-identified; (ii) information is given to a business associate (see definition below) for performance of services or functions for or on behalf of such Covered Entity; or (iii) information is to be used solely for certain national purposes (e.g. public health activities; oversight of the health care system; judicial and administrative proceedings; law enforcement; research (with written authorization from an Independent Review Board); and emergencies.) However, certain uses/disclosures (e.g. facility directories, next-of-kin) require patients be given an opportunity to "opt-out" of such use/disclosure.

Minimum Information Necessary. All uses/disclosures (other than between providers for treatment purposes) must consist of only the minimum amount of information necessary to accomplish the purpose for which they are made.

Business Associates; Contracts. The rule imposes liability on Covered Entities for the invalid use or disclosure of such information to or by such entity's "business associates" (which include persons who perform, or assist in the performance of, a function or activity for the covered entity or perform legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services). Covered Entities are required to have written confidentiality agreements with their business associates covering uses/disclosures of PHI and the Covered Entity may be sanctioned for prohibited uses and disclosures by such business associates.

Patient's Rights; Written Notice. The rule creates four individual rights: (1) to receive written notice of a Covered Entity's information practices, including notification of patients' rights with respect to PHI, and changes to such practices prior to implementing such changes; (2) to obtain access to the individual's own health information; (3) to obtain an accounting of how the individual's health information has been disclosed; and (4) to request a correction and/or amendment of the individual's health information. Specific time limits and processes are included. It provides no individual right to sue for violations (only Congress can create such a right).

Penalties. the Attorney General is vested with the authority to impose civil and criminal sanctions (up to $25,000 annually per provision violated and up to $250,000 and/or 10 years imprisonment, respectively). The rule provides a complaint process to the Secretary of HHS.

Compliance. The rule requires most Covered Entities within two years of the rule's effective date (which deadline is likely to be on or about February 28, 2003) to: implement administrative procedures to safeguard the confidentiality of health information; designate a privacy officer in the Covered Entity's place of business; implement confidentiality policies; train employees regarding the privacy policies; and develop a complaint process and sanctions for violations of such policies. The administration expects compliance to cost the industry $17.6 billion over ten years.

Preemption of State Law. The rule is intended to fill gaps in State law and will preempt it to the extent there is a conflict except in certain cases, including when state law is more stringent than the federal rule.

Footnotes:

¹ The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), P.L. 104-191, called for the enactment by Congress of measures to protect the privacy of health care information by August 21, 1999; failure to do so resulted in the Secretary of Health and Human Services issuing rule, signed on December 20, 2000.

² "Individually identifiable health information" is defined as "information that is a subset of health information, including demographic information collected from an individual, and that: (1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) That identifies the individual, or (ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual."

³ A "health care clearinghouse" is defined as "a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value added" networks and switches, that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity." The preamble to the rule explains that, although clearinghouses are directly governed by this rule, their rights and obligations are limited to those of business associates when they are acting as a Covered Entity's business associate and may be further limited by contract with the Covered Entity."

⁴ "Treatment" means "the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another."

⁵ "Payment" is defined as: "(1) The activities undertaken by (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a covered health care provider or health plan to obtain or provide reimbursement for the provision of health care. (2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to: (i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; (ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance) processing; (iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care and concurrent and retrospective review of services; (v) Utilization review activities, including precertification and preauthorization of services; and (vi) Disclosure to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursements:

Name and address;
Date of birth;
Social Security number;
Payment history;
Account number; and
Name and address of the health care provider and/or health plan."

⁶ "Health care operations" are activities by or on behalf of a health plan or health care provider to carry out its management functions necessary for the support of treatment or payment including but not limited to conducting quality assessment and improvement activities; reviewing competence or qualifications of health care professionals and evaluation of practitioner and provider performance; activities relating to renewal of insurance; insurance rating; conducting and arranging for medical review and auditing services, including fraud and abuse detection and compliance programs; compiling and analyzing information for legal proceedings; and activities relating to business planning development, management and general administrative activities.

From the December 27, 2000 issue of iHealthcare Weekly, a Rising Tide Studios Publication. Reprinted with the Permission of the Publisher. All Rights Reserved. Copyright 2000. Please visit http://www.ihealthcareweekly.com/issues/ihcw12272000.html

Health Law Today Home | Moses & Singer LLP Home

Disclaimer | Privacy Policy