Health Law & Life Sciences
Newsletter - January 2001
 
In this Issue...
The Federal Government Announces First-ever National Standards To Protect Patients' Personal Medical Records
 
January 30, 2001
 

Overview

On December 20, 2000, Health and Human Services (HHS) Secretary Donna E. Shalala released the nation’s first-ever Federal standards for protecting the privacy of Americans’ personal health records. The government believes these new regulations will better protect medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.

The new standards limit the nonconsensual use and release of private health information, give patients new rights to access their medical records and to know who else has accessed them, and restrict most disclosures of health information to the minimum amount needed for the inquiring entity’s intended purpose. These standards also establish new criminal and civil sanctions for improper use or disclosure and establish new requirements for access to records by researchers and others.

This summary is designed to answer some of the most likely questions health care providers will have in response to these new regulations.

What Do The New Regulations Cover?

The new regulations grant consumers new federal rights to control the release of their medical information, including the right to the protection of mandatory written consents or authorizations for most disclosures of health information, the right to copy individual health records, and the right to request a correction to individual health records. Consumers also gain the right to obtain documentation of disclosures of individual health information and the right to an explanation of their privacy rights and how their information may be used or disclosed.

Who Is Covered By The New Regulations?

The new regulations place restrictions upon health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically. These are now all referred to under the new regulations as “covered entities.”

What Type Of Information Is Covered?

All medical records and other individually identifiable health information held, used or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, are covered by the new regulations.

What Will Be Required In The New Authorizations For Release?

Under the new regulations, a valid authorization for use or release of medical information must be written in plain language and contain all of the following:

  • a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion

  • the name and/or specific identification of the person authorized to make the requested use or disclosure

  • the name and/or specific identification of the person to whom the covered entity may make the requested use or disclosure

  • an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure

  • a statement of the individual’s right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization

  • a statement that the information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and is no longer protected

  • the signature of the patient and the date

If the authorization is requested by a covered entity for its own use and disclosure, or for disclosure to another covered entity, then, in addition to the requirements listed immediately above, the individual must be provided with a copy of the signed authorization, and the authorization must contain all of the following:

  • a statement that the covered entity, under certain circumstances, will not condition treatment, payment or enrollment in the health plan, or eligibility for benefits on the individual’s providing authorization for the requested use or disclosure

  • a description of each purpose of the requested use or disclosure

  • a statement that the individual may inspect or copy the information to be used or disclosed

  • a statement that the individual may refuse to sign the authorization

  • if the use or disclosure of the requested information will result in direct or indirect remuneration to the covered entity from a third party, a statement must be included that such remuneration will occur

What About Existing State Privacy Laws?

With three exceptions, the new regulations preempt any existing contrary state law concerning matters addressed in the federal regulations. Those exceptions are:

  • the state law provides more protection for the patient

  • the state law requires specific reporting of health care information for health surveillance, investigation, or intervention

  • the Secretary of the Department of Health and Human Services finds that the state law is necessary

Health care providers who operate in multiple states will now have to meet the new national guidelines as well as any state laws or regulations that meet these exceptions.

What Will Health Care Providers Have To Do?

Health care providers should begin considering how to implement the following to comply with the new regulations.

  • Adopt written privacy procedures. These must include language specifying who has access to protected health information, how it will be used within the organization, and when the information will or will not be disclosed to others. Health care providers must also take steps to ensure that their business associates protect the privacy of health information.

  • Develop systems to maintain compliance. The new regulations require that records be kept and compliance reports be submitted as the Secretary may determine to be necessary to ascertain whether the organization has complied or is complying with the new regulations.

  • Train employees and designate a privacy officer. Health care providers must provide sufficient training so that their employees understand the new privacy protections and procedures. Health care providers are also responsible for ensuring that the new policies and procedures are not only introduced to their employees, but that they are also implemented. In order to do this, health care providers should designate an individual to be responsible for ensuring that the policies and procedures are followed.

  • Establish grievance processes. Health care providers must provide a means for patients to make inquiries or complaints regarding the privacy of their records.

What Are The Penalties For Not Complying?

  • Civil penalties. Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $100 per incident and can add up to $25,000 per person, per year, per standard.

  • Federal criminal penalties. There are also federal criminal penalties for health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

How Will Patients Know About Their Rights?

The new regulations place a specific obligation on health care providers to give patients adequate notice in plain language of their rights and the covered entity’s legal duty to protect health information. The new regulations are very specific about what must be in the notice. For example, the notice to patients must prominently display the following statement: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

What Can Patients Do To Enforce Compliance?

The new regulations permit a patient or any person who believes a health care provider is not complying with the federal regulations to file a complaint with the Secretary of HHS. The Secretary is authorized to investigate the complaint, including reviewing the pertinent policies, procedures and practices of the health care provider. The new regulations require that health care providers permit the Secretary, during normal business hours, to access their facilities, books, records, accounts and other sources of information, including patient health information, that are pertinent to ascertaining compliance with the new regulations.

Will Changes Have To Be Made To Our Information Systems?

In many cases, changes will have to be made to information systems. Current systems will have to be reviewed to determine if the way health information is stored and accessed in the system is compliant with the new regulations. In addition, most systems will have to be modified or revised to add certain patient notices of privacy rights.

Will The New Regulations Affect Our Relationship With Outside Vendors?

All health care providers will have to review their relationship with any outside vendor with whom they share health information. These include billing companies, transcription companies, auditors, consultants and independent contractors. The new regulations refer to these third parties as “business associates.” The new regulations generally provide that a covered entity can share the minimum necessary amount of health information with a business associate if the covered entity has sufficient assurances through a written agreement that the business associate will protect the health information and not disclose it without complying with the new regulations.

When Will The New Regulations Be In Effect?

The final regulations will come into full effect in two years. The enforcing agency for these new regulations will be the Department of Health and Human Services Office for Civil Rights.

What Should Health Care Providers Do Now?

Health care providers should begin to examine how to commence implementing the requirements of the new regulations. Health care providers should also begin to inventory their existing relationships with business associates to identify the agreements that will have to be amended.

How Can I Obtain More Information Or A Copy Of The Regulations?

Contact Morris H. Miller at 850-425-5655 or via email.