Health Insurance Portability and Accountability Act of 1996: Health & Public Welfare

• Jurisdiction: United States,Federal
• Publication year: 2020
• Citation: Vol. 37 No. 1

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996: Health & Public Welfare

Erin L. Hayes
Georgia State University College of Law, ehayes18@student.gsu.edu

Kathryn A. Vance
Georgia State University College of Law, kvance6@student.gsu.edu

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

Health: Discussing Title 31 of the Official Code of Georgia Annotated, Relating to the Notification of Disease and the Control of Hazardous Conditions, Preventable Diseases, and Metabolic Disorders & Public Welfare: Discussing Title 45 of the Code of Federal Regulations, Relating to the Department of Health and Human Services, and Administrative Data Standards and Related Requirements

Code Section: O.C.G.A. § 31-12-2

C.F.R. Sections: 45 C.F.R. §§ 160, 164

Summary: The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") establish a standard for the use and protection of individuals' health information and apply to certain covered entities or their business associates. Covered entities may only disclose an individual's protected health information in limited situations. Covered entities or individuals that fail to comply with the Privacy Rule standards may be subject to civil or criminal penalties.

Introduction

In late August of 1996, Congress enacted a law that has been likened to a Leo Tolstoy novel.¹ This reference is due in part to the epic, detailed, and comprehensive scheme that the Health Insurance Portability and Accountability Act lays out; but also, like the Russian tragedies Tolstoy is so famous for, the Act has evoked many

[Page 154]

emotions from the healthcare industry, ranging from confusion to angst.² The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally created to achieve two main goals: (1) to protect individuals and their families from losing their health insurance if they lost or changed their job; and (2) to reduce waste and fraud in the healthcare industry by creating a uniform electronic system for storing and sharing health data.³

Prior to HIPAA's enactment, most health data was managed and exchanged in paper format.⁴ To further complicate matters, many states had varying privacy laws, creating puzzling situations for those working or moving across state lines.⁵ The absence of uniform standards and requirements for protecting health information coupled with the advancement of technologies within the healthcare industry prompted the formulation of HIPAA.⁶ HIPAA served as the vehicle to modernize health data storage, tracking, and exchange.⁷ The Act was divided into five Titles that provided protection for health insurance coverage of workers, rules regarding privacy and administrability, and guidelines for ensuring compliance with the Act.⁸

While all Titles of the Act work together to create a scheme to efficiently and securely manage protected health information (PHI), Title II provides the majority of the provisions regarding the safekeeping, sharing, and enforcement requirements for healthcare providers and others who handle PHI.⁹ This Peach Sheet focuses

[Page 155]

specifically on Title II and its implications for PHI during the COVID-19 pandemic.

Overview of Title II

Title II can be broken down into five parts or "rules."¹⁰ These five rules address privacy, transactions and code sets, security, unique identifiers, and enforcement, respectively.¹¹ The first section, the Privacy Rule, outlines the goal for the entire Title: to prevent fraud and abuse of PHI.¹² Zeroing in on the Privacy Rule alone seems like enough focusing of the lens within the vast landscape of HIPAA. However, it stands that the yarn of the narrative needs more unravelling to create a suitable background for this Peach Sheet's discussion. More specifically, the Privacy Rule protects "individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral."¹³ This includes information that relates to physical or mental health, the provision of health care, or any form of payment for health care of an individual that "identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual."¹⁴ Individually identifiable information includes names, addresses, social security numbers, or birth dates when this information is associated with health data.¹⁵

The need to protect this information stems not only from the fear of fraud but also from consideration of the implications an individual's health data may have on their employment or health insurance status. For example, the Privacy Rule protects an individual's psychiatric records and rehabilitation records, which

[Page 156]

prevents potential employers from discriminating against applicants based on past medical history. Additionally, it is imperative to protect the privacy of individuals living with conditions and diseases that carry a negative stigma because the presence of these conditions could hinder employment opportunities and living or social situations.¹⁶ Under the Privacy Rule, individuals may authorize disclosure of their PHI.¹⁷ This authorization requires written consent from the individual that includes, among other things, a description of the information being disclosed, the individual making the disclosure, the party to whom the disclosure is being made, the expiration date for allowable disclosures, and occasionally, how the information will be used.¹⁸ The Privacy Rule also contains several other requirements pertaining to the notices and copies of authorization that are to be provided to the patient.¹⁹

In total, the Privacy Rule also enumerates six exceptions that allow for, but do not require, disclosure of a patient's PHI.²⁰ These six exceptions encompass: (1) disclosures to the individual; (2) disclosures for treatment or payment purposes; (3) authorized disclosures; (4) disclosures of incidental information; (5) disclosures for benefit of public interest; and (6) disclosures where personally identifiable information has been removed.²¹

To facilitate the last exception, HIPAA created a "De-identification Standard," which states that "health information is not individually identifiable if it does not identify an individual and if

[Page 157]

the covered entity has no reasonable basis to believe it can be used to identify an individual."²² HIPAA further details two separate methods to ensure de-identification of PHI.²³

The fifth exception, which allow disclosure for the benefit of public interest, details twelve national priority purposes that trigger the exception and permit disclosure without authorization or permission from an individual.²⁴ One of the twelve national priority purposes includes "public health activities."²⁵ Public health activities allowed under this exception include: (1) situations in which "public health authorities [are] authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect"; (2) use for U.S. Food and Drug Administration (FDA) tracking for entities regulated by the FDA; (3) situtations in which "individuals who may have contracted or been exposed to a communicable disease [and] notification is authorized by law"; and (4) situations in which employers are seeking information concerning a work-related illness or injury.²⁶

State and Federal Law Interaction

It is important to note that circumstances leading to preemption may be an issue because HIPAA is federal law. Generally, due to the comprehensive regulatory scheme HIPAA provides, federal law preempts state laws contrary to the Privacy Rule.²⁷ However, there

[Page 158]

are several exceptions when state law may be involved. These exceptions include situations when state law provides greater privacy, the data is used for health surveillance and reporting, or when the data is used for health management or financial audits.²⁸ Additional factors may also be considered to determine which law controls.²⁹

Background

As COVID-19 emerged in the United States in early 2020, covered entities under the HIPAA Privacy Rule began to understand that protection of PHI in the midst of a global pandemic would be a challenge because covered entities must "juggle the protections [of HIPAA] but [also] meet the needs of policy makers."³⁰ As new cases emerged daily, the transmission of critical, "real-time" data of patients infected with COVID-19 to local and state health departments was necessary to prevent further spread.³¹ However, the Centers for Disease Control and Prevention (CDC) used this data differently than data collected during other smaller outbreaks that they had fought in the past.³² State officials and medical professionals were using the data in "real[]time" as they responded to COVID-19, which was not what the Department of Public Health (DPH) surveillance system was originally designed to do.³³ According to Dr. Kathleen Toomey, Commissioner of the Georgia DPH, "never before had there been this type of demand for data at the granular level . . . . Public health surveillance was never meant to provide real-time data."³⁴ Even so, there was an ever-present and

[Page 159]

urgent need from federal and state health agencies—and even the public in general—to have easy access to up-to-date numbers of COVID-19 cases.³⁵

Under normal circumstances, HIPAA "is always important and always in effect."³⁶ In a global pandemic when every day counts, however, local and state health agencies (such as the DPH) saw a loosening of these restrictions as they related to the disclosure of PHI to protect the public.³⁷ Beginning in February of 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing compliance with HIPAA, released several...