New Federal Privacy and Security Rules on the Horizon for Electronically Transmitted Patient Information
Some time this year, the Department of Health and Human Services (HHS) and the Health Care Financing Administration (HCFA) are expected to issue final rules providing significant federal safeguards for confidential patient information. The Clinton Administration is aiming for a release date in early November. In light of the thousands of comments HHS received from the public regarding the latest set of proposed rules, that estimate may be overly optimistic.
In August of 1998, HCFA issued proposed “security rules” setting forth administrative procedures, physical safeguards, and technical requirements to guard against unauthorized access to data transmitted over a communications network. On November 3, 1999, HHS published proposed “privacy rules” dealing with standards for the use and disclosure of individually identifiable health information. Health plans, clearinghouses and providers subject to the rules must comply within two years.
In 1996, Congress enacted, as part of the Health Insurance Portability and Accountability Act (HIPAA), a new section of the Social Security Act (the Act) titled “Administrative Simplification.” Its purpose is to improve the efficiency and effectiveness of the nation’s health care system by developing standards regarding the electronic maintenance and transmission of patients’ medical information. The Administrative Simplification provisions impose confidentiality and security requirements on health plans, clearinghouses and certain providers that maintain or transmit patient data electronically. HCFA takes the position that federal and state agencies, private health plans, health care providers, and health care clearinghouses must assure that the privacy and confidentiality of health care information is secure when the information is electronically transmitted.
Any standard adopted under the Administrative Simplification section of the Act applies to health plans, health care clearinghouses and health care providers that transmit health care information in electronic form in connection with certain types of transactions, including health claims, health plan enrollment, and health care payment and remittance advice. The privacy rules apply to each health care provider electronically storing or transmitting any individually identifiable health information.
HIPAA defines “health care provider” to include a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person furnishing health care services or supplies. Section 1861(u) of the Act defines “provider of services” to include various types of facilities including hospitals, skilled nursing facilities, and home health agencies. Section 1861(s) of the Act indicates that “medical and other health services” include physicians’ services, supplies, hospital services, diagnostic services, outpatient occupational and physical therapy, and other specific types of health-related services.
A “health plan” is an individual or group plan that provides or pays the cost of medical care. The term includes group health plans (as defined in section 2791(a) of the Public Health Service Act), but only if the plan has 50 or more participants, or is administered by an entity other than the employer who established and maintains the plan. Health insurance issuers, health maintenance organizations, employee welfare benefit plans, and other programs specified in 42 U.S.C. section 1320d(5) also fall within the definition of “health plan.”
“Health care clearinghouse” is defined as “a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” HHS, in the commentary to the privacy rules, described clearinghouses as entities that receive transactions from providers, plans, and other clearinghouses, or business partners of those entities, and translate the data into a format acceptable to the entity receiving the transaction, and then forward the processed transaction to the entity. “Health information” means any information, whether oral or recorded in any form, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
The 1998 proposed security rules set forth numerous specific standards for safeguarding individual health information and also include standards for the use of electronic signatures. The security rules would apply to any health plan, provider (engaged in certain transactions specified by HIPAA), or clearinghouse that maintains or transmits any health information relating to an individual. The rule specifies four categories of security standards: administrative procedures, physical safeguards, technical security services to guard stored data, and technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network. HHS planned to issue a final security rule by the end of 1999, but the rule has been delayed.
The proposed privacy rules are designed to establish a “floor” of privacy standards as a remedy for our current patchwork of state laws and regulations. The various state laws are not always comprehensive, and the laws often vary significantly from state to state. State laws that do not conflict with the federal rules and that impose a stricter standard will still apply to covered entities in those states.
HIPAA limits the application of the privacy rules to health plans, health care clearinghouses, and providers that engage in the types of transactions specified by HIPAA. In its commentary to the proposed rules, HHS observed that it does not have the authority to regulate directly many of the persons hired by covered entities to perform administrative, legal, accounting and similar services and who obtain health information in order to perform their duties. Additionally, providers who maintain a completely paper-based system are not subject to these privacy standards.
In order to allow covered entities to tailor the privacy requirements to their specific needs, HHS elected to set forth general privacy principles and standards rather than detailed policies and procedures. This allows covered entities to implement policies appropriate to their size, information practices, and business requirements.
HHS designed the privacy rules to make the exchange and use of protected health information relatively easy if the information is to be used for health care purposes. The privacy rules would make it more difficult for a covered entity to use or disclose information for purposes other than health care. One of the primary aspects of the proposed rules is the “minimum necessary” requirement: a covered entity may use or disclose only the minimum amount of protected health information necessary to accomplish the purpose for which the information is used or disclosed.
The proposed privacy rules contain additional key provisions. With the exception of uses and disclosures for certain purposes such as payment, treatment, and health care operations, the privacy rules would require that entities obtain prior authorization from the patient before individually identifiable health information is used or disclosed. The privacy rules establish several patient rights, including a patient’s right to obtain access to his or her own health information. Patients also have the right to receive written notice of a covered entity’s information practices. The privacy rules would give the patient a right to request amendment or correction of inaccurate or incomplete health information.
The privacy rules would require covered entities to implement policies and procedures to ensure that individual health information is protected from unauthorized use or disclosure. Covered entities would be required to designate a privacy official, develop training programs for employees, develop safeguards to protect information from misuse, provide a system to handle complaints, and develop a system of sanctions for employees and business partners who violate the entity’s policies and procedures.
HHS officials anticipate that the privacy rules will involve substantial initial and ongoing administrative costs for entities subject to the rules. In the commentary preceding its proposed rules, HHS took the position that “[t]he same technological advantages that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable.” HHS believes that, ultimately, the rules will produce administrative and other cost savings.
If the final rules are substantially similar to the proposed rules, the security rules and privacy rules will have a direct impact on entities doing business with organizations covered by HIPAA. Unless information is disclosed for treatment consultation or referral, the privacy rules require contracts between covered entities and their business partners to contain provisions imposing security, reporting and inspection requirements on the business partner. The security rules require third parties to enter into “chain of trust” partner agreements with covered entities that require the parties to protect the confidentiality and integrity of transmitted data using the same level of security that the covered entity must use. Under the current version of the privacy rules, business partners that need to examine individually identifiable health records belonging to their clients may have to enter into written contracts with those clients containing various specific terms. For example, the privacy rules specify that the contract must require the business partner to make its internal practices and records relating to the use or disclosure of the protected health information available to the Secretary of HHS for purposes of verifying the covered entity’s compliance. Also, at the termination of the contract, the business partner must return or destroy all protected health information and retain no copies of such information.
HIPAA provides for both civil and criminal penalties for violating the privacy and security standards pertaining to health care information. Covered entities may avoid civil penalties if the failure to comply was due to reasonable cause and not willful neglect, and is corrected within a short time frame. There are also provisions that allow the Secretary of HHS to waive the penalty, as appropriate, based on the nature and extent of the failure to comply. HIPAA’s criminal penalties apply to those who knowingly, and in violation of HIPAA’s rules, use or cause to be used a unique health identifier; obtain individually identifiable health information relating to an individual; or disclose individually identifiable health information to another person.
The final versions of the privacy and security rules may vary substantially from the current versions. HHS has been flooded with comments from the general public regarding the privacy rules, and those comments will shape the final version. Also, Congress may decide to revise HIPAA or enact new privacy legislation. If promulgated largely in their current form, the privacy rules and security rules will undoubtedly have a profound effect on future health care operations.