The law of unintended consequences: HIPAA and liability insurers; at first glance, the Privacy Regulations appear to be adverse to insurers and defense counsel, but McCarran-Ferguson and exceptions may save the day.

Author: Antognini, Richard L.
Position: Health Insurance Portability and Accountability Act of 1996

WHEN the U.S. Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No 104-191), it had little idea of the impact the legislation would have on insurance claims in general and health claims in particular. Four years after that act went into effect, the Secretary of Health and Human Services issued a comprehensive set of regulations (Privacy Regulations) designed to guard the privacy of health information.

In theory, these regulations may have a dramatic impact on casualty insurers and their clients. They may allow plaintiffs to block discovery of their health information in personal injury or medical malpractice cases. Conversely, they may permit plaintiffs to demand disclosure of any record containing protected health information, including insurers' claims files and defense counsel files. On closer examination, however, the regulations contain exceptions that will allow normal discovery of health data in civil cases and will protect documents that fall within the attorney-client privilege.

ORIGINS OF THE REGULATIONS

HIPAA was lengthy legislation whose main goal was to enable employees to keep health insurance coverage when they changed jobs. Buried in the act, however, was a section that related to the protection of the privacy of individuals' health information. Section 264 of the act provides:

(a) In general. No later than 12 months after the date of the enactment of this act, the Secretary of Health and Human Services shall submit ... detailed recommendations on standards with respect to the privacy of individually identifiable health information.

(b) Subjects for recommendations. The recommendations made under subsection (a) shall address at least the following:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

Congress gave itself three years to pass legislation guaranteeing the privacy of health information. If it did not do so, the HHS Secretary was authorized to draft and promulgate regulations to do the job. Section 264 continued:

(c) Regulations. (1) In general. If legislation governing standards with respect to the privacy of individually identifiable health information ... is not enacted within 36 months after the date of the enactment of this act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this act. Such regulations shall address the subjects described in subsection (b).

Congress failed to enact health privacy laws by 1999, the deadline under HIPAA. The HHS Secretary then issued the Privacy Regulations, which became final on April 14, 2001. The regulations were required to carry out the purposes enumerated in Section 264--that is (1) explain the rights held by an individual who is a subject of individually identifiable health information; (2) set out the procedures to protect those rights; and (3) explain how protected health information can be disclosed.

HIPAA REGULATIONS

  1. Effective Date

    The HIPAA Privacy Regulations go into effect two years after they become final, or on April 14, 2003. (1) Yet, because the mandates of the Privacy Regulations are complex and perhaps costly, health care entities and others governed by the regulations should start planning compliance now.

  2. Key Definitions

    The Privacy Regulations apply to a "covered entity," a term that includes: "a health plan," "a health care clearinghouse" and "a health care provider who transmits any health information in electronic form in connection with a transaction covered by this chapter." A "transaction" means

    "the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: (1) Health care claims ... (2) Health care payment and remittance advice ... [and] (4) Health care claim status." (2) For our purposes, the key term is "health care provider." The regulations give this definition:

    "Health care provider means a provider of services (as defined in ... 42 U.S.C. 1395x(u)), a provider of medical or health care services (as defined in ... 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." (3) A second crucial definition is that for "individually identifiable health information," because this information is protected under the Privacy Regulations. The term means:

    [A]ny information, whether oral or recorded in any form or medium, that:

    (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

    (2) Relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and

    (i) That identifies the individual.... (4)

    The final key definition is that for "business associate," which is said to mean

    with respect to a covered entity, a person who:

    (i) On behalf of such covered entity ... performs, or assists in the performance of:

    (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration ... or

    (ii) Provides ... legal, actuarial, accounting, consulting, data aggregation ... management, administrative, accreditation, or financial services to or for such covered entity.... (5)

  3. Implications of Definitions

    In analyzing the language of the Privacy Regulations, including the definitions, courts will rely on rules of statutory construction. The prevailing view, particularly within the U.S. Supreme Court, is to construe statutes and administrative regulations literally--that is, according to their plain language. If the statute or regulation is clear, courts cannot change that plain meaning. Courts will consider legislative history only when the law or regulation is ambiguous. (6)

    Taking the literal approach, one realizes how broad the Privacy Regulations can be. Take the definition of a "health care provider," for instance. When the term is construed literally, any person or entity that provides medical treatment or health care service is a "health care provider." The definition can include physicians, nurses, hospitals, medical clinics or, for that matter, any other health care professionals. If an employer has a nurse or doctor on staff to care for injured workers, that employer becomes a "health care provider." A workers' compensation insurer that provides rehabilitation services also is a "health care provider."

    The definition of "health information" is equally broad. It includes data and information that mention or concern an individual's physical, mental or emotional condition. It also encompasses data and information relating to payments for health care services.

    Finally, the definition of "business associate" extends to any entity that provides legal or claims services for a health care provider. The definition speaks of "claims processing or administration ... or legal ... management, administrative" and other services. (Emphasis added.) An insurer for a health care provider is a "business associate" because it provides "claims processing" services, "management" services, or "administrative" services. That conclusion also is true of a third-party administrator the health care provider hires to adjust its liability claims. Law firms, along with individual lawyers, provide "legal" services within the definition of "business associate." Any law firm, for example, that defends a health care provider in a medical malpractice action becomes a "business associate."

  4. Obligations of Health Care Providers

    The Privacy Regulations impose substantial duties on health care providers. They must keep records of their privacy protection actions and allow the HHS Secretary an opportunity to audit their compliance. (7)

    Far more important, a health care provider "may not use or disclose protected health care information," with limited exceptions. (8) Violation of this regulation can lead to fines, penalties and possible imprisonment. (9)

    A health care provider cannot disclose protected health information without the consent of the person who is the subject of the information and a "covered health care provider must obtain the individual's consent ... prior to using or disclosing protected health care information to carry out treatment, payment, or health care operations." (10) The regulations repeat the warning in another section: "[A] covered entity may not use or disclose protected health information without an authorization that is valid under this section." (11)

    When the health care provider seeks the individual's consent, it must take certain steps. It must inform the person that the information "may be used and disclosed to carry out treatment, payment, or health care operations." (12) It also must give notice that the individual has the right to...
