The HIPAA privacy rule: an overview of compliance initiatives and requirements; the privacy rule contains a maze of mandates and exceptions requiring that entities covered by HIPAA need the best of health care counsel.

Author: Lawson, Nancy A.
Position: Health Insurance Portability and Accountability Act of 1996

THE Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191) was created and enacted in response to the health care industry's request for standardization, as a remedy for increasingly frequent health care privacy breaches, and as an effort to halt steady increases in health care costs. It received bi-partisan Congressional and industry-wide approval and was signed into law on August 21, 1996.

HIPAA's enactment was without much fanfare. Most attention focused on the fact that HIPAA (1) amended the Employee Retirement Income Security Act (ERISA) to limit health plans' ability to use preexisting condition coverage exclusions and (2) barred discrimination by health plans in a variety of areas.

  1. Privacy Rule

    More important for defense counsel, Title II of HIPAA, denominated "Administrative Simplification," required Congress to pass privacy, security and electronic health care transaction standards to regulate the use of health information transmitted electronically, which, by regulation, now has been expanded to encompass health information in any form or medium.

    In a nutshell, the HIPAA standards, when fully implemented, are expected to and will:

    * simplify the administration of health insurance claims and the costs associated with those claims by encouraging the promulgation of national standards;

    * give patients more control over and access to their medical information;

    * protect individually identifiable health information from real or potential threats of disclosure through the setting and enforcing of standards; and

    * improve efficiency in health care delivery by standardizing electronic data interchange (EDI).

    Title II stated that if by December 1999, Congress failed to pass meaningful health privacy legislation, with the input of the U.S. Department of Health and Human Services (HHS), then HHS was required to assume the responsibility. HHS's recommendations regarding federal privacy legislation were submitted to Congress in 1997, but Congress ultimately failed to act. As a result, HHS published the Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, in December 2000. (1)

    In March 2002, after receiving, reviewing and responding to more than 60,000 public comments on the rule, HHS issued proposed modifications. These changes were intended to alleviate problems with the original "final" rule that unintentionally impeded patient access to health care, while still maintaining the requirements for the privacy of individually identifiable health information. Primarily, the changes included: (1) eliminating the patient "consent" requirement, (2) modifying the definition of "marketing," (3) providing allowances for "incidental uses and disclosures" of protected health information, and (4) allowing additional time for compliance with the cumbersome business associate provisions.

    Finally, in mid-August 2002, after an additional comment period, HHS issued its final version of the Privacy Rule and thereby finalized the groundbreaking and controversial federal privacy regulations. For all intents and purposes, the proposed changes in the March 27, 2002, amendment were adopted. Covered entities are required to comply with the Privacy Rule's requirements on or before April 14, 2003, with the exception that small health plans are given an additional year to comply. Small health plans, by statute, are those with fewer than 50 participants and/or plans with annual receipts of $5 million or less.

  2. Transactions and Code Sets Rule

    The Privacy Rule represents only one portion of HIPAA Administrative Simplification. In fact, well before the Privacy Rule was finalized, HIPAA-covered entities and their business associates already were implementing the Standards for Electronic Transactions, known as the Transactions and Code Sets Rule, as compliance with that rule originally was required on or before October 16, 2002, except for small health plans. In response to requests from many sectors of the health care industry, Congress passed the Administrative Simplification Compliance Act (ASCA), which allows most covered entities to request a one-year extension until October 16, 2003.

    If no ASCA compliance plan or extension request was submitted on or before October 15, 2002, it is assumed that the covered entity is in compliance with the Transactions and Code Sets Rule. HIPAA penalties for non-compliance can be assessed against entities that are not transmitting HIPAA standard transactions on October 16, 2002, including possible exclusion from Medicare. (2)

  3. Security Rule

    HIPAA Administrative Simplification also calls for a Security Rule to be promulgated. One difficulty with compliance is that no final Security Rule had been issued as of the fall of 2002. Under HIPAA, and the 1998 proposed Privacy Rule, certain security measures are required to be implemented. Fortunately, all indications are that the final Security Rule will not be significantly different from the proposed rule, so covered entities and their business associates can and should use the proposed rule as a guide for complying with the Privacy Rule's security mandates.

  4. The Five Principles

    There are five principles of fair information practices that underlie all the HIPAA rules.

    First is the principle of openness, or notice, which has as its focus assuring that the existence and purposes of record-keeping systems are publicly known. Second, the principle of individual participation, or access, states that individuals should have the right to see their records and assure their accuracy, completeness and timeliness. Third, the security principle stands for the proposition that there should be reasonable safeguards in place for protecting the confidentiality, integrity and availability of information. The fourth principle is that of accountability, or enforcement, meaning that violations of the HIPAA rules should result in reasonable penalties, and mitigation should be permitted and encouraged. Finally, with respect to fair information practices, there should be limits placed on collection, use and disclosure of information (or choice). Information should be collected only with the knowledge of the individual, it should be used only in ways that are relevant for the purposes for which it is being collected, and it should be disclosed only with consent/notice or authority. (3)

  5. The Road Ahead

    It is within this regulatory landscape that the Privacy Rule was constructed. Compliance with the rule on or before April 14, 2003, will require covered entities and those who advise them to be intimately familiar with the basic terminology and requirements of the rule and take the necessary steps to implement its requirements into their business practices. Covered entities would be wise to establish an integrated approach to HIPAA's Administrative Simplification rules for transactions, privacy and security, as such integration and understanding is essential to successful, cost-effective compliance initiatives.

    PRIVACY RULE BASICS

  6. What the Rule Does

    The Privacy Rule is composed of two regulatory subparts (45 C.F.R. Parts 160 and 164), and it is centered on one basic concept: covered entities (and by extension, their business associates) are prohibited from using or disclosing protected health information (PHI) unless they follow the Privacy Rule and strictly adhere to its requirements. 45 C.F.R. § 164.502 states: "A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this chapter."

    What does this mean? As a starting point, the Privacy Rule calls for the following:

    * It limits the ability of covered entities and their business associates to use or transmit PHI without specific advance notification of the covered entity's privacy practices to the individual whose information is at issue, and, in certain circumstances set out in the rule, the advance authorization of the individual for a particular use or disclosure.

    * It grants covered entities a variety of exceptions from the advance authorization requirement, as explained below.

    * It requires that, even when permitted to disclose protected health information, covered entities make reasonable efforts to limit disclosure to the "minimum necessary" to accomplish the intended purpose of the use or disclosure. The rule sets out a variety of exceptions to the "minimum necessary" standard.

    * It allows individuals to inspect, copy and amend their protected health information, where specific criteria are satisfied, and it also grants individuals the right to request an accounting of unauthorized uses and disclosures of their protected health information.

    * It allows individuals to request restrictions on the uses or disclosures of protected health information for which the covered entity may otherwise possess the right to use or disclose. The covered entity does not have to agree to the restriction. If the covered entity agrees, then it must document compliance with the restriction.

  7. Application of the Rule

    The Privacy Rule applies to all "covered entities," which under 45 C.F.R. § 160.102 include: (1) health plans, (2) health care clearinghouses and (3) health care providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA. It is worth noting that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. In addition, business associates of covered entities who use, disclose or have access to protected health information are indirectly affected by the Privacy Rule's mandates.

    Necessarily, then, the next logical inquiry is to determine what transactions are considered HIPAA transactions for purposes of deciding...
