72 J. Kan. Bar Assn. 4, 32-43 (2003). Caught Up in the Expanding Net: Regulation of the Business Associate Under the HIPAA Privacy Regulations.

By William P. Matthews


I. Introduction

On April 14, 2003, the privacy regulations promulgated by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will go into effect.1 Brought about in great part due to the changes wrought on our society by the rise of computer technology and the Internet,2 these regulations fundamentally alter the way in which most health care providers, health plans, and health care clearinghouses (referred to as covered entities)3 deal with the health information of their patients and insureds, and, therefore, significantly impact relations between these covered entities and the individuals whose information they possess.

The scope of the privacy regulation is not limited to those directly regulated. Most independent contractors, vendors, and other actors in the health care industry that are not directly regulated by the HIPAA privacy regulation but that will or may obtain the health information of an individual (so-called "business associates"4) will become ensnared in HIPAA's wide net.

This article will briefly investigate the history behind the HIPAA privacy regulations, outline the general requirements of covered entities under those regulations, and detail a covered entity's business associate requirements and how business associates are indirectly regulated under the HIPAA privacy regulations.

It used to be that there was not a great concern over the privacy of one's personal information when filing cabinets ruled the world.5 The manual collection, organization, and referencing of information was very burdensome and expensive.6 The wide-scale dissemination of that information in paper form was prohibitively costly and was the nearly exclusive province of governments and media organizations.7

Enter computers, the internet, and the information age. As our society has increasingly gathered information in electronic form, the cost and burden of collecting, organizing, referencing, and disseminating information drastically decreased. It is now within the power of small companies and individuals to collect and disseminate large amounts of information at very little cost.8

This was a primary concern of Congress when it passed the Health Insurance Portability and Accountability Act of 1996.9 Although the primary purpose of HIPAA was the portability of health benefits by employees to new employers,10 a major portion of HIPAA dealt with "administrative simplification."11 At the time of HIPAA's enactment in 2000, there were no fewer than four hundred different formats for electronic health claims used in the United States.12 Because most providers could support only a handful of formats, the submission of electronic claims was limited.13 In order to achieve cost savings through the reduction of paper claims, the health insurance industry lobbied Congress to create uniform standards for transactions and the codes used in those transactions.

Despite the apparent benefits a national standard would bring,14 there was a large outcry that increased use of electronic claims would only decrease the privacy of, and increase the risks of disclosure of, the personal health information of patients.15 This risk is emphasized by the increasing complexity of the health care delivery system brought about by the rise of information technology.16 In the past, the delivery of health care was a face-to-face transaction between the patient and the health care provider.17 Today's health care system is an integrated network of health care providers and payment entities requiring the sharing and processing of patient information.18 While such complexity may lead to improvements in care and reduction of costs,19 it exposes a patient's medical information to a greater number of persons, including a greater number of "outsourced" independent contractors otherwise not affiliated with the patient's physicians or health plans.20 It is estimated that on average 150 persons access a patient's medical records during the course of a typical hospital stay.21

To alleviate concerns about the protection of health information, Congress required that the U.S. Department of Health and Human Services (HHS) provide detailed recommendations to Congress with respect to the protection of the privacy of individuals' health information, including the rights of an individual in the individual's health information, the procedures to be established to exercise those rights, and the uses and disclosures of the health information of individuals that should be authorized or required.22 If Congress did not pass legislation dealing with protection of individuals' health information within three years, HHS was to enact final regulations for the protection of the privacy of individuals' health information within four years.23

Congress did not pass legislation aimed at the protection of health information within the required period, and on August 21, 1999, HHS published proposed privacy rules.24 After receiving numerous comments,25 HHS published the final regulations concerning health information privacy in December 2000, to become effective in April 2003.26 However, following publication, HHS received numerous inquiries and unsolicited comments concerning the impact and operation of the final privacy rule.27 HHS reexamined the final privacy rule28 and published29 and finalized30 significant modifications to the privacy rule in August 2002, but the effective date remained unchanged.31

The Privacy Rule will go into effect on April 14, 2003, for most covered entities.32 The Privacy Rule represents a fundamental change in the way health care providers, health plans, and health care clearinghouses handle the health information of their patients, clients, and insureds, which significantly alters the way these persons do business and interact with these individuals. HHS was not content to stop there. In addition to those directly regulated, the Privacy Rule requires covered entities to enter into agreements with third parties to whom they disclose individuals' health information. These agreements extend to these business associates many of the requirements (and, therefore, costs) of compliance under the Privacy Rule.

  1. Summary of the Obligations of the HIPAA Privacy Rule

    1. Definitions of Covered Entity and Protected Health Information

      The Privacy Rule is applicable to and directly regulates covered entities.33 The term "covered entity" includes three types of entities: health plans, health care clearinghouses, and certain health care providers.34 For purposes of the Privacy Rule, a health care provider includes physicians, nurses, hospitals, skilled nursing facilities, home health agencies, and any other person who furnishes, bills, or is paid for health care in the normal course of business.35 However, only health care providers who transmit health information in electronic form are included.36 Providers who submit only paper claims to payors are not directly regulated by the Privacy Rule.37 A health plan is any individual or group that provides or pays the cost of medical care, and includes a group health plan, a health care insurance issuer, an HMO, Medicare, Medicaid, and a host of other private and government health plans.38 A health care clearinghouse is an entity that processes or facilitates the processing of health information of another entity from a nonstandard format or containing nonstandard data into a standard format or standard transaction,39 or vice versa.40 Health care clearinghouses typically include billing services, repricing companies, and "value-added" networks and switches.41

      The Privacy Rule concerns itself primarily with dealings in protected health information (PHI). PHI is information related to the "past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual," that is "created or received by a health care provider, health plan, employer, or health care clearinghouse," and that either identifies an individual or reasonably may identify an individual.42 The Privacy Rule excludes certain educational records and information held by employers in their role as an employer rather than as a covered entity (such as a health plan).43 Information in any form, electronic or otherwise, qualifies as PHI.44

      Underlying the definition of PHI, and at the center of many of the provisions of the Privacy Rule, is the concept of the "individual." As used in the Privacy Rule, the individual is the person who is the subject of the PHI.45 In some contexts, such as the exercise of individual rights under the Privacy Rule,46 an individual may mean the personal representative of a person who is the subject of PHI.47 For example, the parent or guardian of an unemancipated minor typically has the authority to act on behalf of the minor, and the executor or administrator typically has the authority to act on behalf of a deceased individual.48

    2. Summary of the Obligations of Covered Entities Under the Privacy Rule

      The Privacy...
