Podcast: Discussing HIPAA with Shannon Hartsfield and Eddie Williams
In the fifth episode of our "Florida Capital Conversations" podcast series, healthcare attorneys Shannon Hartsfield and Eddie Williams dive deep on the Health Insurance Portability and Accountability Act (HIPAA). They provide a helpful overview of this healthcare privacy law, describe what entities fall under its discretion and explain how it is enforced. They also highlight the narrow nature of HIPAA, explaining that many use the term to broadly describe healthcare privacy when in fact the regulations are relatively stringent. Ms. Hartsfield and Mr. Williams also offer insight on how they help clients come into compliance with HIPAA and the consequences for not doing so. Most importantly, in this episode our attorneys make sure listeners know how to correctly spell HIPAA.
This Tallahassee-based podcast series takes a look at the many different aspects of state and local government through the lens of experienced legal professionals. Hosted by attorneys Nate Adams and Mia McKown, these candid conversations offer a seat at the table to everyone who listens.
Nate Adams: Welcome to our Florida Capital Conversations podcast series. Today, our subject is HIPAA and our guests are Shannon Hartsfield and Eddie Williams. My name is Nathan Adams. My co-host is Mia McKown. We are so pleased that you've joined us today to consider another important issue associated with government affecting the business community and our daily lives as Floridians. There are none better than Shannon and Eddie to kick off our discussion on HIPAA. Thank you for joining us today.
Shannon Hartsfield: Thanks, Nate. It's exciting to be here. Nothing more fun than talking about HIPAA; it's a much-maligned and misunderstood set of regulations.
Eddie Williams: It'll be a fascinating discussion, Nate.
What Is HIPAA and How Is It Spelled?
Nate Adams: All right, well, here's the most important question of the day that we're going to discuss, and that is: how do you spell HIPAA?
Shannon Hartsfield: I'll take that one. Nobody spells it right, and that's the number one way I can tell if you know your HIPAA: if you spell it with one P and two As, that is the right answer. And the very old joke that I tell a lot is that the way you remember it is, it stands for 'health industry paying all attorneys.'
Mia McKown: I'm going to clarify what it really stands for. They may actually think that's what it stands for.
Shannon Hartsfield: All right. All right. Eddie can clarify and tell me if I'm wrong. Health Insurance Portability and Accountability Act of 1996. And it's actually more than that, because it's actually regulations that have been published in various years, and there have been some amendments to the law through the HITECH Act. The HITECH Act of 2009 was amended in January of 2021. So there is never a dull moment when it comes to keeping up with the regulations. And what are they? They're federal privacy and security regulations dealing with data. Now, HIPAA is much more than that. A lot of what HIPAA is, is what's in the name: health insurance portability. Before HIPAA was passed in 1996, if you had a preexisting health condition and you were covered under your employer-sponsored health plan or some insurance product and you changed jobs, you were in big trouble, because coverage for a preexisting condition was not portable from one plan to another. So HIPAA, I like to think of HIPAA as really the first big step toward healthcare reform in the United States, and it fixed that really big problem; that was a huge problem for a lot of people.
Mia McKown: Well, Shannon, for some people who may not be as familiar with HIPAA, I know it's been the subject, as you just mentioned, of a lot of legislation, but why do you think we hear so much about it lately? I mean, how does it interact with the businesses we work for and who we are? How does it impact us?
Shannon Hartsfield: Well, HIPAA actually really affects us a lot less than people think. I mean, people use the term HIPAA like they do the term Kleenex or something like that. It's just sort of a generic term for something, and they use it generically to mean all sorts of health privacy. But HIPAA is pretty narrow. Eddie, do you want to talk just a little bit about how narrow HIPAA really is?
Eddie Williams: Yeah, that's correct. The term is often thrown around and used by individuals incorrectly, when they try to say, 'Oh, this is subject to HIPAA' when HIPAA really doesn't apply. HIPAA really applies to covered entities and business associates. And within those categories, for a covered entity, you have certain health plans, and then you have a healthcare clearinghouse, which is basically an entity that receives certain data in a standard format or nonstandard format and helps facilitate and process that data either into a standard or nonstandard format, for, again, those covered transactions that Shannon mentioned earlier, again, the portability of the information. And then also you have the big part, which we are more familiar with, which is healthcare providers who actually transmit protected health information electronically in connection with HIPAA-covered transactions. So if you fit into those categories, then you will be considered a covered entity. The other group is a business associate, and a business associate basically could be an individual or an entity that provides services on behalf of a covered entity, and they need access to the data and have access to the protected health information in order to perform those services. For instance, an example: Holland & Knight. We as attorneys, when we have covered entity clients, either a health plan or a healthcare provider, that are subject to HIPAA, and we are providing services on their behalf and we have to have access to the data to provide those legal services, then we are a business associate of that covered entity, and we have to enter into, under HIPAA, what is called a business associate agreement. And so that is the narrow area where, you know, HIPAA applies to those types of entities. So it's not really a broad scope.
I mean, you have a lot of entities or individuals in those particular categories, but it doesn't apply to all your health information and in all the circumstances relating to your health information.
Entities Subject to HIPAA
Mia McKown: So, like when my dad called my primary care doctor and took it upon himself to switch my appointment because he didn't like the doctor that I was seeing. I told him that he created a HIPAA violation, and he told me to take it up with Shannon, that he didn't think it applied. Was he right that he's not subject to HIPAA?
Shannon Hartsfield: He personally is not subject to HIPAA. I will reserve judgment on whatever your doctor may or may not have done. I can think of some ways to defend a doctor who's in that unfortunate situation where family members are having personal issues, because HIPAA does allow you to disclose protected health information to friends and family. State law might be a little more stringent in certain circumstances, but there are other ways to deal with those things as well. So the reason Eddie and I have a job, I guess, is that HIPAA is complicated and it's not always easy to tell when it applies, but it definitely doesn't apply to us as individual humans unless we're doctors or nurses or something like that.
Nate Adams: When you use the word healthcare provider, Eddie, who are these healthcare providers, apparently one is a doctor, but who else do you mean by that?
Eddie Williams: It could be a hospital or healthcare clinic, a nursing home. So, other providers of healthcare. You know, they're in the day-to-day business of providing healthcare services. And, you know, they're billing and doing those things, and they need the information and they're transmitting the information, again electronically, in order to carry out their, you know, their functions of operating as a healthcare provider.
Shannon Hartsfield: And it can also include things that we don't really think about, like a medical sales rep who needs to go into an operating room. They're selling medical devices on behalf of a manufacturer, and they need to help that doctor in the operating room know which medical device to use. So even if they don't even have any kind of medical license, they're just a sales rep, they could potentially fall under HIPAA's very broad definition of a healthcare provider, and they may not even be subject to HIPAA if they're not transmitting protected health information electronically in connection with claims or other standard transactions. So there's a lot of situations where people can have legitimate access to our health data, but they're not subject to HIPAA at all.
Eddie Williams: It could be a college or university or a school if they have a healthcare clinic on site and they are providing services to the public as well as their students. And again, they're transmitting the information electronically. You can try to carve out and just isolate that healthcare clinic as the only covered entity and not the overall university as a whole under HIPAA. They call that a hybrid entity. So basically, you're only identifying that healthcare component as the covered entity, where the university or the remainder of the school would not be subject to HIPAA. Now, there are some limitations you would have to abide by, so the school can just freely share information back and forth with that particular clinic. So there are definitely some guidelines or restrictions that they would have to abide by when they establish themselves as a hybrid entity.
How To Make Sure You're In Compliance With HIPAA
Mia McKown: I think it sounds like one of the hardest parts of HIPAA is trying to figure out if you have to comply with it, like if you're a covered entity or who it applies to. But let's say, once you know, let's say you get through that rigmarole and you determine that it does apply to you. What do you then have to do? What are your responsibilities? Is there something, a form or something, I can just go on the internet and work out? What are my steps? What do I need to do to make sure I'm in compliance?
Shannon Hartsfield: Well, Eddie and I always get calls about that, and they say something like, 'I need to come into compliance with HIPAA by next Wednesday, OK?' And I just tell them, it's a job. It's a chore. It's a big job. It's much more than simply checking a box. You have to do a lot of things, including, first of all, figuring out what protected health information you get, where it's stored and how it flows throughout the organization. You have to do an analysis of the potential risks to that data and how you're going to protect it. You have to implement policies and procedures regarding privacy and security, you have to have a privacy official and a security official and maybe a notice of privacy practices, and you have to train your workforce. So there's quite a lot to do to come into compliance with HIPAA, for sure, whether you're a covered entity or somebody that works for a covered entity as a business associate.
Eddie Williams: Yeah, Shannon and I, in our past, we've definitely come across different clients who say, 'So here are our policies and procedures,' and they're like 30 pages, or there's a small little binder that they went out and purchased. And it still had the blanks where you're supposed to fill in the details about what exactly your particular policy is for protecting the information, or your security measures and things of that nature. And so that's where we look at each other and we say, OK, we've got a lot of work to do to try to get them to understand that it's more complex than just buying something off the shelf and putting your name on it and saying, 'OK, here are my policies and procedures.'
Nate Adams: And in fact, in my experience, if you have a situation in general, whether it's in employment law or other areas of law, where you have a manual that you buy from 1995 off the internet with a 10 percent discount and you put it on your, you know, you put it in your bookcase, but you don't really implement it. Typically, that's actually a worse scenario than had you not ever even attempted to comply, because now you've got a binder that says what you're supposed to be doing, and yet you're really not doing it. Is that true in the HIPAA context as well?
Shannon Hartsfield: That definitely happens more often than we'd like to see. And yeah, sometimes they've got 10 pages of policies, you know, and there are certain circumstances where something is better than nothing. You know, if you have a business associate agreement with a third party, it's better to have something in place, even if it doesn't have every single requirement of HIPAA, than to have nothing. But it's complicated to do everything that HIPAA requires, and there's not a lot of auditing with respect to government audits of HIPAA, but where we're seeing HIPAA issues come up more and more are in transactions where one company wants to buy another or one company wants a big loan from another company. And that's where they're asking questions about the HIPAA compliance and finding that there are problems, potentially.
Consequences For Not Being In Compliance With HIPAA
Mia McKown: What happens if you don't comply? You said there's not a lot of governmental audits. Are there fines, though? I mean, is there a risk, obviously, based on what you just said, if you're trying to sell your company, it could prevent a sale from going through, or maybe they do a reduction in cost or something of that nature because you're not in compliance and they've got to take the effort to do that. So what are some of the risks if you're not in compliance?
Eddie Williams: Well, under the provisions of the regulations, the Office for Civil Rights, which is the arm of the federal Department of Health and Human Services which enforces HIPAA, can impose civil as well as criminal penalties for violations of HIPAA. Now, there are different standards that you would have to adhere to as far as when they impose those penalties. You know, whether something was a knowing violation or whether you corrected it within, you know, 30 days or anything like that, which will weigh into how much of a penalty they may impose. Previously, there were significant penalties, and that's a relative term. Now they have a little bit more discretion and are not imposing huge, high million-dollar penalties, but they are still significant. There are various penalties for different violations. More recently, the request for access: if you're not timely permitting access to an individual to their information or disclosing that information, you know, at their direction, OCR is imposing penalties for that failure to abide by your policies and the guidelines of providing that access. Then you have a major area where you may have a breach, and information has been improperly disclosed in violation of the HIPAA rules. And so you can have significant penalties where you have a lot of individuals' information at stake, and so OCR can come in and they can perform an investigation. And Shannon knows a lot of those responses to those inquiries from OCR and assists clients with those. I'll let her speak about that.
Shannon Hartsfield: Yeah, I think a lot of the risks with respect to HIPAA aren't so much OCR, but more of the risks if you have a data breach and you're going to have to notify umpteen people that their information was compromised, provide them with credit monitoring. That's where the cost can get up fairly high. And you could also be subject to class-action litigation and things like that for people that feel that they were harmed. But when the Office for Civil Rights comes knocking, they're usually going to always ask for your documented HIPAA risk assessment or risk analysis and your risk mitigation plan, as well as your policies and procedures that were in place at the time of the incident and your training materials and things like that. And it's kind of sad sometimes when there is nothing to provide and all you can do is beg forgiveness and try to get things in place quickly. And that's where they call Eddie and me and say, we need something in place right now. So when you're audited by the Office for Civil Rights, or where there is a complaint investigation, it can go on for months and months sometimes. One of the new changes that I mentioned to the HITECH Act that was passed in January is that if you can demonstrate that you had recognized security practices in place for the past 12 months, it could affect your audit, like it could reduce the scope of the audit or reduce penalties that could be assessed. Something I'm curious about is whether, let's say you're a tech company and you don't have your HIPAA compliance ducks in a row, but you have implemented a very robust security program that's modeled after NIST or HITRUST or something like that, could you potentially reduce penalties by showing that you have done things with respect to data privacy and security, even if you haven't done all the magical things that HIPAA requires?
So I don't know how that would work out, but at a minimum, I think it would probably be helpful if you could show that you've done that. So that's something that the Office for Civil Rights is starting to ask about in its complaint investigations: whether you have implemented recognized security practices.
Individual Vaccine Status and HIPAA
Nate Adams: So I hear that we're in the midst of a pandemic and, you know, maybe in that context, more often than not, we hear HIPAA arise. People saying online that they've been asked about their vaccination status, that's a violation of HIPAA, or there's any number of sort of themes relating to vaccination where this comes out. Obviously, there's a lot of institutions that are involved in vaccination that maybe previously weren't really involved in healthcare. So just give us your sense on the interaction between HIPAA and, you know, what's going on with respect to vaccinations and the questions associated with that.
Mia McKown: I think I've heard people say that as they're going into their local grocery store, which here in Florida would be Publix or Trader Joe's, or whether they're getting on at the airport, you hear that vaccination status and whether they mask or not is a HIPAA violation.
Shannon Hartsfield: Yeah, we get a lot of questions about that. And as Eddie was talking about, HIPAA only applies to covered entities, business associates and subcontractors. So employers, as employers, are not subject to HIPAA. They might have a health plan that is. But an employer just employing humans and asking about their vaccination status is not subject to HIPAA. There may be other privacy laws that apply, and Nate would know better than me about the Americans with Disabilities Act and various employment-related privacy laws and requirements. But HIPAA itself does not apply to grocery stores. HIPAA doesn't apply to airlines. HIPAA doesn't apply to schools asking about students' or teachers' vaccination status. Now, HIPAA would apply, Mia, if your dad called your doctor and asked if you were vaccinated and your doctor told him. HIPAA does apply to the doctor. So if you're asking a lab or a hospital or a doctor whether someone's vaccinated, who's not their employee, then that could potentially implicate HIPAA, because you're asking them to disclose patient data. But it doesn't stop you from asking as a citizen. And I can ask my dentist if he's been vaccinated, or I can ask my doctor if the nurses have been vaccinated, and none of that implicates HIPAA. Even if they tell us, it doesn't implicate HIPAA, because it doesn't apply to them in their role as employers; they may choose not to disclose for whatever other reasons. But it's not a HIPAA issue. It might be an issue under something else, but it's not HIPAA, nine times out of ten.
Mia McKown: So in all seriousness, like with the grocery stores or the airlines with their consumers, HIPAA does not apply. Now, to the extent, like you mentioned, Holland & Knight, we may have our own health plan. If the airline or grocery store has their own health plan, they may have certain responsibilities under that, but not as it relates to their customers.
Shannon Hartsfield: Right.
Eddie Williams: And I will just add, on the HIPAA side, the federal Department of Health and Human Services, they recognize, in trying to deal with the pandemic, they relaxed the enforcement rules with respect to certain HIPAA violations because they're more concerned about making sure that physicians and other institutions are trying to do what they can do to help save lives, get the vaccine out. Say, for instance, if you have a community vaccination clinic site set up, they have relaxed the rules as far as, you know, providing notices of privacy practices, anything that you will be required to do generally under HIPAA; they've relaxed the enforcement of the rules. Now, they still encourage you to try to do your best to comply. If you have individuals coming there and they're providing you with their health information, they want you to protect it, but they're going to exercise discretion at those particular sites, as far as in trying to impose any penalties against you. Again, once we get to a certain stage, they'll probably pull that back and say, OK, now it's time for you to, you know, come back into compliance fully. And also their discretion only relates to the particular operations at the site and anything connected to operating that site. Say, for instance, if you have other people at your medical office doing everything else, seeing patients there, you still have to fully comply with HIPAA and the requirements at that medical office.
Variation Between Health Privacy Rules at the State and Federal Level
Nate Adams: All right. Well, and I appreciate your bringing up the difference between federal and state law. I suspect that sometimes when people use the word HIPAA, they're using it sort of in the sense of any and all confidentiality, or, you know, privacy kinds of rules that might apply to healthcare. And it sounds like what you're saying is that, you know, HIPAA is really this specific kind of protection in that area, but you have to look further, you know, potentially at state law or maybe even other federal laws in order to really gain a sense as to what your responsibilities are with respect to health information. Is that a fair statement?
Shannon Hartsfield: Definitely. And I like to tell people, half the battle is just not doing anything with information that somebody wouldn't expect and not doing anything that contradicts something you promised about that information because even if you're not subject to HIPAA you might be subject to the Federal Trade Commission requirements to abide by your online terms of use and privacy policy and things like that. So I think a good rule of thumb is don't do anything strange with data. Don't try to sell it or something unless you have permission, somehow. And that's going to be very helpful in terms of avoiding problems and keep it safe, keep it secure. Don't let unauthorized people get to it. Because even if you're not subject to HIPAA that could trigger the Florida Information Protection Act and other laws.
Eddie Williams: And I'll also add, as Shannon mentioned, about state law: HIPAA and state law, again, you have to comply with both. And HIPAA only preempts state law if it's more stringent, if it provides greater protection. If state law provides greater protection, then you have to comply with state law. But the goal is to actually comply with both at the same time, and, as Nate, as you may be aware, in litigation where health workers are involved and you have subpoenas and things of that nature, HIPAA may allow for disclosure of those records in a tribunal arena. But state law may have certain procedures that you have to follow in order for those records to be disclosed. So you would have to follow the state law as well when you're operating in that particular arena and in courts.
Nate Adams: All right. Well, I want to thank Shannon and Eddie for these informative and interesting comments on HIPAA. And I want to thank my co-host Mia; thank you for your time today.
Mia McKown: Thanks, Nate. It's always a pleasure.
Eddie Williams: As we sign off, it is H-I-P-A-A.
Shannon Hartsfield: Yes, we didn't teach you anything else. Please know that.
Nate Adams: Please know the correct spelling. Most of all, we want to thank each of you for joining us today, and we hope you'll come back and join us for our next Florida Capital Conversations podcast. Have a great day!