Saturday, August 29, 2009

Intro To HIPAA For Health Care Providers: Frequently Asked Questions

The first time that health care providers encounter the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the incredibly vast framework of privacy and security regulations may very well appear completely overwhelming. This is especially true when the question at issue – whether it is from a litigation or compliance perspective – is particularly narrow in scope. For the initiated and uninitiated alike, it is fairly easy to get lost in the morass of cross-referenced sub-parts that any given legal question implicates.

Through its privacy and security requirements, HIPAA impacts not only the medical community, but all individuals and industries that come into contact with the medical community. Implementing HIPAA requires the development of new policies and procedures addressing the use and disclosure of medical information, as well as the appropriate use of available technology. Equally important, as HIPAA has become more and more pervasive, compliance with the privacy and security regulations has necessarily involved attitudinal changes by everyone associated with the health care industry. HIPAA directly affects the manner in which patients, providers, and payors interact with each other.

What Information is Protected by HIPAA?

The HIPAA Privacy Rule covers all uses or disclosures of "Protected Health Information" ("PHI") whether in paper, electronic, or oral form. PHI has many characteristics that make it somewhat easy to spot. Whether a malpractice attorney is attempting to acquire the medical records of a plaintiff, or a transactional attorney is assisting with due diligence in connection to the sale of a clinic, it is imperative that PHI is treated appropriately. Being able to recognize PHI is the first step. PHI has the following characteristics:

• It is created or received by a Covered Entity (as defined below);
• It relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that health care; and
• It identifies, or could reasonably be used to identify, a specific individual.

The following are illustrative examples of information considered "patient identifiers":

• Name, name of employer, names of relatives;
• Social Security number, plan beneficiary number;
• Fax number, telephone number;
• Address, email address;
• Birth date, fingerprint, picture;
• Internet Protocol (IP) address, web site URL; and
• Vehicle license number.

Generally speaking, PHI may be used or disclosed without first obtaining the patient's permission only in limited circumstances. Apart from disclosure to the individual whom the PHI describes, the Privacy Rule generally allows use and disclosure of PHI without the patient's permission for the purposes of treatment, payment, or health care operations. Additionally, there are certain situations, such as a court order or a subpoena (so long as certain additional requirements are met), where PHI may be disclosed without the patient's permission. In most other situations, the patient must sign a written permission, which the Privacy Rule calls an "authorization," before his or her PHI can be used or disclosed.

To that end, each individual maintains six basic privacy rights. An individual has the right to:

•Receive a Covered Entity's Notice of Privacy Practices;
•Request restrictions of certain uses of PHI (although Covered Entities are not required to grant such restrictions);
•Be given access to the individual's own PHI;
•Request that an amendment or correction be made to his PHI;
•Request an accounting of PHI disclosures; and
•File complaints regarding PHI use or disclosure.

Additionally, a Covered Entity's use or disclosure of PHI must be limited to the "minimum necessary" extent. The standard does not apply to disclosures to a health care provider for treatment, to the individual, or under the individual's authorization, nor to disclosures required by law or to the Department of Health and Human Services; it does apply to payment and health care operations. This minimum necessary standard essentially requires a provider to consider what minimum amount of PHI will meet the purpose of the use, disclosure, or request. Furthermore, once a Covered Entity agrees to a restriction regarding the use or disclosure of an individual's PHI, that restriction must be honored.

Likewise, use and disclosure of PHI must be consistent with a Covered Entity's Notice of Privacy Practices. When an exchange of health information is necessary but the value of the information does not lie in its personally identifiable aspect, PHI is often "de-identified." PHI may be used to create de-identified data, and the Privacy Rule places no restrictions on the use and disclosure of data that has been properly de-identified, because such data is no longer PHI. The Privacy Rule recognizes two ways to de-identify (45 CFR 164.514(b)): a qualified expert determines that the risk of re-identification is very small, or the "safe harbor" method is followed, which removes an enumerated list of identifiers (including those above, along with dates other than year and most of the ZIP code) and requires that the entity have no actual knowledge that the remaining information could identify the individual. A code kept to allow later re-identification must not be derived from the individual's information.
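As an added example (not part of the original post), the following Python sketch shows what creating de-identified data from a record looks like in practice, following the identifier list above and the safe harbor method of 45 CFR 164.514(b)(2): it drops the enumerated identifier fields, scrubs identifiers that leak into free text, reduces the birth date to the year, and folds ages over 89 into a single "90+" bucket. It goes slightly beyond the page's list by also truncating the ZIP code. The record layout, field names, regular expressions and sample data are assumptions for illustration; the regexes are heuristics that can both miss identifiers (for example dates written into a note) and over-match (a version number looks like an IP address), and running a script like this is not a compliance determination.

```python
"""Added example: de-identifying a patient record along the lines of the
Privacy Rule's safe harbor method (45 CFR 164.514(b)(2)).
Record layout, field names and sample data are assumptions for illustration."""
import re
from datetime import date

# Fields holding the direct identifiers named in the page's list: name,
# employer, relatives, SSN, plan beneficiary number, fax, phone, address,
# e-mail, fingerprint, picture, IP address, URL, vehicle license. (Assumed schema.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "employer", "relatives", "ssn", "beneficiary_number", "fax",
    "phone", "address", "email", "fingerprint", "photo", "ip_address",
    "url", "vehicle_plate",
}

# Heuristic patterns for identifiers that leak into free-text fields.
# Order matters: URLs go first so a host name inside one is not split up.
FREE_TEXT_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def scrub_text(text):
    """Replace identifier-looking substrings with a labelled placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text


def generalize_birth_date(birth_date_iso, as_of_iso):
    """Safe harbor keeps only the year of a date and folds every age over 89
    into a single '90 or older' bucket; dates are ISO strings (YYYY-MM-DD)."""
    born = date.fromisoformat(birth_date_iso)
    as_of = date.fromisoformat(as_of_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age > 89:
        return {"birth_year": None, "age_bucket": "90+"}
    return {"birth_year": born.year, "age_bucket": None}


def generalize_zip(zip_code):
    """Safe harbor allows at most the first three ZIP digits, and even those
    must become '000' for low-population units; that population check is
    not performed in this illustration."""
    return zip_code[:3]


def deidentify(record, as_of_iso):
    """Return a copy of `record` with the direct identifier fields dropped,
    the birth date reduced to year, the ZIP truncated and free text scrubbed.
    Other non-string values pass through unchanged."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop direct identifiers entirely
        if key == "birth_date":
            out.update(generalize_birth_date(value, as_of_iso))
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # clinical notes often quote identifiers
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Post-check: list (field, label) for every pattern still matching."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    hits.append((key, label))
    return hits


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.com",
    "address": "1 Main St",
    "zip": "90210",
    "birth_date": "1950-06-15",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Patient reachable at 310-555-0123 or jane.doe@example.com; "
              "portal login seen from 198.51.100.7."),
}
AS_OF = "2009-08-29"  # the post's date, used as the reference date for age


def deidentify_sample():
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    cleaned = deidentify_sample()
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The post-check matters as much as the scrubbing: the release decision should be gated on `residual_identifiers` coming back empty, and a reviewer should still read a sample of the free-text fields, since pattern matching cannot catch an identifier written in an unexpected form.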

To Whom does HIPAA Apply?

Although HIPAA appears to be extremely pervasive, it maintains authority over only certain types of entities. HIPAA specifically applies only to "Covered Entities." Generally, a Covered Entity is one of the following:

• Health care provider. This includes any person or entity that (a) furnishes, bills, or is paid for health care, and (b) transmits any health information in electronic form in connection with one of the standard transactions (health claims, remittance or payment advice, eligibility inquiries, or any of the other electronic transactions covered by HIPAA). A provider that conducts none of these transactions electronically is not a Covered Entity.

• Health plan. This includes any individual or group plan that provides or pays the cost of medical care, including Medicare and Medicaid, HMOs, PPOs, and employer-sponsored group health plans.

• Health care clearinghouse. These are organizations, such as billing services or repricing companies, that translate health information received in a nonstandard format into a standard transaction, or vice versa, on behalf of another entity.

Most of the time, HIPAA questions will involve the activities of or information held by either a provider or plan. Because providers and plans must utilize the services of many different entities, it was necessary to find a way to extend the protections afforded by HIPAA when these essential non-Covered Entities are handling or creating PHI.

These non-Covered Entities that play such a critical role in the health care arena are termed "Business Associates." Examples of common Business Associates are billing firms, accreditation organizations, document destruction contractors, lawyers, and third-party administrators.

Importantly, a Business Associate relationship is formed contractually. When a Covered Entity engages another person or entity to perform a function on its behalf that requires the disclosure of PHI to, or the creation of PHI by, that person or entity, it is imperative that the Covered Entity require that person or entity to sign a contract called a "Business Associate Agreement" (often referred to as a BAA). The BAA extends the requirements of HIPAA to the Business Associate, requires it to safeguard the PHI and to use and disclose it only as the contract and the Privacy Rule permit, and makes the Business Associate aware of its responsibilities under HIPAA. Furthermore, a Covered Entity that discloses PHI to a Business Associate without a BAA in place is itself in violation of HIPAA.

Federal vs. State Law

Although the term "preemption" is typically thought of in terms of an ERISA analysis, many HIPAA issues require a preemption analysis. As a general rule, HIPAA should be thought of as a regulatory "floor." In other words, HIPAA provides a baseline of privacy requirements below which state law cannot go. This is not to say, however, that state law will not provide the answer to a given privacy concern.

State privacy laws are preempted by HIPAA if the state law is contrary to HIPAA. In order to determine whether the state law is contrary, two questions should be asked:

1. Would a Covered Entity find it impossible to comply with both the state and federal requirements?

2. Does the state law stand as an obstacle to the accomplishment and execution of the full purposes and objectives of the Privacy Rule?

Generally, if the answer to either of these questions is "yes," the state law requirement will be preempted by HIPAA. It is important to keep in mind, however, that more stringent state laws that are not contrary to HIPAA continue to apply. Such laws typically further limit the use or disclosure of PHI, give the individual greater rights of access to PHI, strengthen authorization requirements, or impose greater record-keeping requirements.

For example, many states have more stringent state laws regarding the use and disclosure of HIV/AIDS records, drug and alcohol treatment records, DNA records, and sexual assault victim records. Additionally, some states (with California being a prime example) have extremely intricate and detailed bodies of law that provide more stringent requirements that parallel much of the Privacy Rule.

Privacy vs. Security

Although the HIPAA statute and regulations address much more than privacy and security (e.g., health care transaction standards, fraud and abuse provisions, and provisions regarding medical savings accounts), HIPAA has become synonymous with patient privacy. Furthermore, as electronic medical records become more prevalent (encouraged, for example, by the Stark law exception and Anti-Kickback Statute safe harbor for e-prescribing and electronic health records), the security regulations will be implicated on a more regular basis.

To a large extent, the privacy and security requirements are distinct regulatory provisions. A quick review of the security regulations, however, reveals many provisions that appear to be equally related to privacy. Generally, the following distinction between HIPAA privacy and HIPAA security holds true: Privacy refers to the rights of an individual to limit the use and disclosure of PHI; Security refers to the obligations of Covered Entities to safeguard health information from improper access, use, or disclosure. In other words, the Privacy Rule addresses the "what," and the Security Rule addresses the "how." One further difference matters in practice: the Privacy Rule covers PHI in any form, whereas the Security Rule applies only to PHI that is created, received, maintained, or transmitted electronically ("ePHI").

Importantly, and to further complicate matters, the Security Rule essentially provides Covered Entities with a list of security standards that must be addressed. Each standard carries implementation specifications that are either "required" or "addressable"; an addressable specification (encryption is one example) must be implemented if it is reasonable and appropriate, and otherwise the entity must document why it is not and implement an equivalent alternative measure where reasonable. Beyond that, the Security Rule does not instruct Covered Entities how to implement these standards. Although what appears to be a lack of direction may seem frustrating to a provider (or an attorney advising the provider), the various administrative, physical, and technical safeguards described in the Security Rule are specifically designed to be both flexible and scalable. Security "solutions" should be proportionate to an organization's risks, as identified in the risk analysis the Rule requires, and be based on organizational circumstances such as size, complexity, and capabilities.


Violating HIPAA can be very costly. Under the enforcement scheme in place when this was written, civil penalties ran from $100 per violation up to $25,000 per calendar year for violations of an identical requirement. On the criminal side of enforcement, knowingly obtaining or disclosing PHI in violation of the statute can result in a fine of up to $50,000 and one year in prison. Obtaining PHI under "false pretenses" can be punished with fines up to $100,000 and five years in prison. Obtaining or disclosing PHI with the intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm can result in even stiffer penalties: up to $250,000 and ten years in prison.

Civil enforcement of HIPAA is handled by the Department of Health and Human Services' Office for Civil Rights ("OCR"), while criminal enforcement is overseen by the Department of Justice. The final Enforcement Rule was issued in February 2006 and makes the HIPAA enforcement provisions applicable to all of the Administrative Simplification standards (not only the Privacy Rule). Importantly, the Enforcement Rule affirms that OCR's enforcement philosophy is one of seeking voluntary compliance first.

That being said, and although enforcement measures have not been traditionally onerous, it seems that the tide is changing with regard to enforcement and the mindset of those investigating reported HIPAA violations.

Do Not be Fooled by the Myths

When discussing privacy and security issues with fellow health care providers, patients or friends, one of the first obstacles to overcome is their preconceived assumptions about what HIPAA does or does not permit. The following are a few of the many common myths regarding the Privacy Rule:

■ Myth - A hospital is prohibited from sharing information with the patient's family without the patient's express consent.
■ Fact - The Privacy Rule permits disclosure to a patient's family members (not just immediate family) or close friends of medical information that is directly relevant to that person's involvement with the patient's care. If the patient is present when a provider is about to disclose such information and does not object, the provider may disclose it. If the patient is unable to agree or object (for example, because the patient is unconscious or in an emergency situation), the provider may disclose the information if, in the exercise of professional judgment, the disclosure is in the best interest of the patient.

■ Myth - HIPAA does not permit providers to communicate with patients via email.
■ Fact - So long as the communication is made with reasonable and appropriate safeguards to protect against reasonably anticipated threats to the security of the information, email communication is permitted. Encryption is the usual safeguard for email that contains ePHI; under the Security Rule it is an "addressable" specification, so a provider that decides not to encrypt must document why and what it does instead.

■ Myth - A patient's family member can no longer pick up prescriptions for the patient from a pharmacy.
■ Fact - This is simply not true. If a pharmacy does not allow this practice, the prohibition is one set forth in the pharmacy's own policies and not one mandated by HIPAA.

In addition to addressing the many commonly circulated myths regarding the Privacy Rule, there are many provisions within the regulations to which health care providers and their attorneys should pay special attention.

The Privacy Rule specifically addresses the manner in which records should be released in response to a court order or subpoena. Additionally, there are provisions that address how Covered Entities should interact with a patient's personal representative. Although these provisions can appear somewhat intricate, a careful reading of the regulatory language, along with the published comments within the federal register, and diligent cross-referencing throughout the Privacy Rule will enable a thorough understanding of the concerns at issue.

Any questions or comments should be directed to Tracy Green, a principal at Green and Associates. The firm focuses its practice on the representation of professionals, particularly health care professionals including individual physicians, corporate providers, and group practices.
Their website is:


DISCLAIMER: Green & Associates' articles and blog postings are prepared as a service to the public and are not intended to grant rights or impose obligations. Nothing in this website should be construed as legal advice. Green & Associates' articles and blog postings may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents and contact their attorney for legal advice. The primary purpose of this website is not the commercial advertisement or promotion of a commercial product or service and this website is not an advertisement or solicitation. Anyone viewing this web site in a state where the web site fails to comply with all laws and ethical rules of that state, should disregard this web site.

The information provided on this website is for informational purposes only. It is not intended to create, and does not create, a lawyer-client relationship with Green & Associates, Attorneys at Law. Sending an e-mail to Tracy Green does not contractually obligate them to represent you as your lawyer, or create any type of client relationship. No attorney-client relationship will be formed absent a written engagement or retainer letter agreement signed by both Green & Associates and client and which specifies the scope of the engagement.

Please note that e-mail transmission is not secure unless it is encrypted. E-mail messages sent to Ms. Green should not include confidential or sensitive information.