New Federal Privacy Requirements Coming Soon
On November 3, 1999, the Department of Health and Human Services (HHS) issued proposed rules that would create significant federal safeguards for confidential patient information. In 1996, Congress enacted, as part of the Health Insurance Portability and Accountability Act (HIPAA), a new section of the Social Security Act (the Act) entitled "Administrative Simplification." The purpose of this new section is to improve the efficiency and effectiveness of our nation's health care system by developing standards regarding the electronic maintenance and transmission of private health information. The Administrative Simplification provisions impose confidentiality and security requirements on health plans, clearinghouses, and certain providers that maintain or transmit patient data electronically. The Health Care Financing Administration (HCFA) has observed that federal and state agencies, private health plans, health care providers, and health care clearinghouses must assure that the privacy and confidentiality of health care information they electronically use, store or transmit is secure. Commentary to HCFA's security rules states that "[c]onfidentiality is threatened not only by the risk of improper access to electronically stored information, but also by the risk of interception during electronic transmission of the information."
In August of 1998, HCFA issued proposed rules ("security rules") setting forth administrative procedures, physical safeguards, and technical requirements to guard against unauthorized access to data that is transmitted over a communications network. The rules have been pushed back from their original publication target date of December 1999, and now HCFA is expected to issue final security rules in February or March of 2000.
The HHS proposed privacy rules published on November 3, 1999, ("privacy rules") dealt with standards for the use and disclosure of individually identifiable health information. HHS recently extended the comment period for these rules, and HHS may issue final rules by March of 2000. Health plans, clearinghouses and providers subject to the rules must comply within two years of the effective date of the final rules.
Any standard adopted under the Administrative Simplification Section of the Act applies to health plans, health care clearinghouses, and health care providers (sometimes referred to hereinafter as "covered entities") that transmit health care information in electronic form in connection with the following types of transactions:
- health claims or equivalent encounter information
- health claims attachments
- enrollment and disenrollment in a health plan
- eligibility for a health plan
- health care payment and remittance advice
- health plan premium payments
- first report of injury
- health claims status
- referral certification and authorization
The privacy rules apply to each health care provider electronically storing or transmitting any individually identifiable health information.
HIPAA defines "health care provider" to include a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person furnishing health care services or supplies. Section 1861(u) of the Act defines "provider of services" to include various types of facilities, including hospitals, skilled nursing facilities, and home health agencies. Section 1861(s) of the Act indicates that "medical and other health services" include physicians' services, supplies, hospital services, diagnostic services, outpatient occupational and physical therapy, and other specific types of health-related services. "Health care clearinghouse" is defined as "a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements." HHS, in the commentary to the privacy rules, stated that clearinghouses receive transactions from providers, plans, other clearinghouses, or business partners of those entities; translate the data into a format acceptable to the entity receiving the transaction; and then forward the processed transaction to that entity. A "health plan" is an individual or group plan that provides, or pays the cost of, medical care. "Health information" means any information, whether oral or recorded in any form, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
The proposed security rules, published on August 12, 1998, set forth numerous specific standards for safeguarding individual health information. The security rules also include standards for the use of electronic signatures. The security rules would apply to any health plan, provider (engaged in certain transactions specified by HIPAA), or clearinghouse that maintains or transmits any health information relating to an individual. The security standards specified in the rule fall into four categories: administrative procedures, physical safeguards, technical security services to guard data, and technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network.
One of the goals of the recently proposed privacy rules is to establish a "consistent foundation of privacy standards" as a remedy for our current "patchwork of State laws and regulations that are incomplete and, at times, inconsistent." HIPAA limits the application of the privacy rules to health plans, health care clearinghouses and the providers that engage in the types of transactions listed above. In its commentary to the proposed rules, HHS observed that it does not have the authority to directly regulate many of the persons hired by covered entities to perform administrative, legal, accounting, and similar services and who obtain health information in order to perform their duties. Additionally, providers who maintain a completely paper-based system are not subject to these privacy standards.
In order to allow businesses to tailor the privacy requirements to their specific needs depending on the size of the covered entity involved, HHS chose to set forth general privacy principles and standards rather than detailed policies and procedures. This allows covered entities to implement policies appropriate to their size, information practices and business requirements.
HHS designed the proposed privacy rules to make the exchange and use of protected health information relatively easy if the information is to be used for health care purposes. The privacy rules would make it more difficult for information to be used or disclosed for purposes other than health care. A "central aspect" of the proposed rules is the requirement that a covered entity disclose only the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed.
Unless information is disclosed for treatment consultation or referral, there must be contracts between covered entities and their business partners that contain provisions imposing security, reporting, and inspection requirements on the business partner.
The proposed privacy rules contain several key provisions. With the exception of uses and disclosures for certain purposes such as treatment, payment and health care operations, the privacy rules would require that entities obtain prior authorization from the patient. The privacy rules establish several patient rights, including the patient's right to obtain access to his or her own health information. Patients have the right to receive written notice of a covered entity's information practices. The privacy rules would also give the patient a right to request amendment or correction of inaccurate or incomplete health information.
The privacy rules would require covered entities to implement policies and procedures to ensure that individual health information is protected from unauthorized use or disclosure. Covered entities would be required to designate a privacy official, develop training programs for employees, develop safeguards to protect information from misuse, provide a system to handle complaints, and develop a system of sanctions for employees and business partners who violate the entity's policies and procedures.
HHS anticipates that the privacy rules will "entail substantial initial and ongoing administrative costs for entities subject to the rules." HHS believes, however, that the rules will also produce administrative and other cost savings. Furthermore, HHS asserts that "[t]he same technological advantages that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable."
HIPAA provides for both civil and criminal penalties for violating the privacy and security standards pertaining to health care information. The law provides for penalties of up to $100 per violation, up to a maximum of $25,000 in one calendar year. Penalties may not be imposed if the failure was due to reasonable cause and not willful neglect, and "the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred." There are also provisions that allow the Secretary of HHS to avoid imposing the penalty as appropriate based on the nature and extent of the failure to comply.
HIPAA's criminal penalties apply to those who knowingly and in violation of HIPAA's rules use or cause to be used a unique health identifier; obtain individually identifiable health information relating to an individual; or disclose individually identifiable health information to another person. Violators will be subject to a fine of up to $50,000, imprisonment for up to one year, or both. Offenses committed under false pretenses may result in a fine of up to $100,000, imprisonment of not more than five years, or both. A person may be fined up to $250,000, imprisoned for up to 10 years, or both, if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
The privacy rules are designed to create a uniform federal "floor" of privacy regulations. State laws that do not conflict with the federal rules and that impose a stricter standard will still apply to covered entities in those states. The privacy rules and security rules will undoubtedly have a profound effect on future health care operations.