Wednesday, September 8, 2010    




Q. What is HIPAA?

A. Congress, responding to the need for national standards to control the flow of sensitive patient information and to establish penalties for its misuse or improper disclosure, enacted the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, which President Clinton signed into law on August 21, 1996. The administrative simplification provisions of HIPAA have three distinct but interrelated components: privacy standards, security standards, and standard data elements for electronic transactions. The Department of Health and Human Services ("HHS") published proposed privacy standards on November 3, 1999, and released the final regulations implementing the privacy provisions of HIPAA (the "Regulations") on December 20, 2000. Healthcare providers must comply with the Regulations by April 14, 2003 (small health plans have until April 14, 2004).

Q. What happens if I do not comply with HIPAA?

A. The penalties are severe. The civil penalties for violating these standards are civil money penalties of $100 per violation, capped at $25,000 per person per calendar year for violations of the same requirement or prohibition. There are also federal criminal penalties for health plans, providers and clearinghouses that knowingly obtain or disclose individually identifiable health information in violation of the statute, and the penalties rise with the offender's intent: up to $50,000 and one year in prison for knowingly obtaining or disclosing PHI; up to $100,000 and five years in prison for obtaining health information under "false pretenses"; and up to $250,000 and ten years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. HIPAA does not create a private right of action, but it does establish a standard on which suits under other law could be based.

Q. What do the new Regulations do?

A. The Regulations establish national minimum standards for protecting the privacy of individually identifiable health information held by health plans, healthcare providers and healthcare clearinghouses. The rule applies not only to the provider's core healthcare activities, such as treatment and reimbursement, but also governs when individually identifiable health information may be made available for research without authorization and whether healthcare providers may release PHI about a patient for law enforcement purposes.

Q. Don’t many states have laws protecting the confidentiality of health information?

A. State laws are a crucial means of protecting health information, but currently state laws vary dramatically. Some states provide only general guidelines for privacy protection, while others impose detailed requirements for information relating to specific diseases or to entire classes of information. Congress and HHS have determined that, in general, state statutes and case law addressing consent to the use of health information do not meet the public's strong expectations regarding the privacy of health information. For example, only about half of the states have a general law that prohibits disclosure of health information without patient authorization, and some of those laws are limited to hospital medical records.

Even when a state has a law limiting the disclosure of health information, the law typically exempts many types of disclosure from its patient authorization requirements. A common exemption from patient consent is disclosure of health information for purposes of obtaining payment. Other common exemptions include disclosures for emergency care and disclosures to a government authority (such as a state Department of Public Health). Some states also exempt disclosures to law enforcement officials and coroners, and disclosures for business operations, oversight, research and directory information. Under these exceptions, providers can disclose health information without any consent or authorization from the patient. Where states do require specific, written patient authorization for disclosure of health information, the authorization is usually required only for certain types of disclosure or certain types of information, and one authorization may suffice for multiple disclosures over time. In addition, states that have no law prohibiting disclosure of health information impose no specific requirement for consent or authorization prior to release.

The absence of strong national standards for medical privacy has had widespread consequences. For example, in order to protect their privacy and avoid embarrassment, stigma and discrimination, patients have withheld information from their healthcare providers, provided inaccurate information, paid out of pocket for care that is covered by insurance and, in some instances, avoided care altogether. HIPAA therefore mandates the creation of uniform and strong national standards to allay the concerns of healthcare consumers.

Q. What happens if there is a conflict between state law and the Regulations?

A. The Regulations set a national "floor" of privacy standards protecting all Americans, but in some states individuals enjoy additional protection. State laws that provide more stringent protections than HIPAA (e.g., those covering mental health, HIV infection, and AIDS information) will continue to apply.

Q. How does this affect laws regarding access to healthcare for minors and confidentiality of their medical records?

A. The Regulations recognize and do not alter the current diversity of state law in this area. In other words, to the extent that it provides greater protection than HIPAA, state law regarding the confidentiality of minors' medical records will remain applicable.

Q. How do I know if HIPAA applies to me?

A. The Regulations cover health plans, healthcare clearinghouses and healthcare providers. A "healthcare provider" is defined as a person who furnishes, bills or is paid for healthcare services or supplies in the normal course of business, but only if they transmit any health information in electronic form in connection with a "transaction." A "transaction" is the transmission of information between two parties to carry out financial or administrative activities relating to healthcare, including healthcare payment and remittance advice, coordination of benefits, health claims status, enrollment into and disenrollment from health plans, health plan premium payments, referral certification and authorization, first report of injury and health claims attachments.

It is important to note that healthcare providers who do not submit HIPAA transactions in standard form are still covered by the rule when other entities, such as a billing service or hospital, transmit standard electronic transactions on their behalf. Therefore, a provider cannot circumvent the HIPAA requirements by assigning the task to a Business Associate, since the Business Associate (defined below) would be considered to be acting on behalf of the provider. As individuals who furnish, bill or are paid for healthcare services or supplies in the normal course of business, HIPAA specifically applies to physicians.

Q. Even though I am a physician, I do not actively engage in the practice of medicine. However, I do provide consulting services to other physicians, such as reviewing medical records for quality assurance purposes, without actually treating the patients. Am I still covered by the Regulations?

A. Whether a physician is covered by the Regulations depends on the activities and functions the physician undertakes, not on the mere fact that he or she is a physician. Functions that constitute "healthcare" under the Regulations concern the provision of "care, services, or supplies related to the health of an individual." Healthcare includes: 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and 2) the sale or dispensing of a drug, device, equipment or other item in accordance with a prescription.

The consultation services described above constitute an "indirect treatment relationship," and providers of such services may use and disclose PHI as otherwise permitted under the Regulations and are not required to obtain the patient's consent to use PHI about the patient for the consultation. The "indirect treatment relationship" exception is covered in more detail in a question below. In certain consulting relationships a physician may instead be acting as a "Business Associate," in which case the physician may be required to enter into a written contract with the healthcare provider regarding the use and disclosure of the protected health information. The role of a "Business Associate" is addressed more thoroughly in another question.

Please note, however, that it would be incorrect to assume that every single health-related function is considered "healthcare" under HIPAA. For example, the procurement or banking of organ, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be healthcare under the rule and the organizations that perform such activities would not be considered healthcare providers when conducting these functions.

Q. What type of information is protected?

A. The Regulations protect all medical records or other individually identifiable health information held or disclosed by a Covered Entity in any form, whether communicated electronically, on paper, or orally. The protected "individually identifiable health information" is not limited to medical records; it is a subset of health information and includes demographic information collected from an individual with respect to which there is reasonable basis to believe that the information can be used to identify the individual. This information might typically include name, social security number, health plan beneficiary number and any other unique identifying information.

Q. How do the Regulations impact on my ability as a healthcare provider to acquire, maintain, use and disclose PHI?

A. It is important to distinguish between the "use" and the "disclosure" of PHI by a Covered Entity. "Use" is what a Covered Entity does with PHI within the entity, and "disclosure" is what the Covered Entity does with PHI outside of the entity. Under the December 2000 rule, a Covered Entity with a direct treatment relationship could generally "use" and "disclose" PHI only if it had a "consent" from the individual, and then only for treatment, payment and healthcare operations, such as quality assessment, credentialing and customer service. A "consent" is written in general terms and refers the individual to the Covered Entity for further information about the Covered Entity's privacy practices. It allows use and disclosure of PHI for treatment, payment and healthcare operations by the Covered Entity seeking the consent, not by other persons. Note that the modifications to the Regulations adopted in August 2002 made this consent optional: a Covered Entity may still choose to obtain one, but the mandatory requirement was replaced by the notice-acknowledgment requirement described below.

With a few exceptions, an "authorization" is required for the "use" and "disclosure" of PHI for purposes other than treatment, payment, and healthcare operations. In order to make "uses" and "disclosures" that are not covered by the consent requirements and not otherwise permitted or required under the Regulations, covered entities must obtain the individual’s "authorization." The required elements of an "authorization" are discussed in more detail below.

Q. What does an authorization look like, and when do I need to obtain one?

A. Uses and disclosures for which covered entities must have an individual’s authorization include, but are not limited to, the following activities: marketing, pre-enrollment underwriting, employment determinations, and fund-raising. There are certain core elements required for all authorizations.

First, the authorization must include a description of the information to be used or disclosed, with sufficient specificity to allow the Covered Entity to know which information the authorization references.

Second, the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the PHI. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a Covered Entity presented with the authorization will know with reasonable certainty that the individual intended the Covered Entity to release PHI.

Third, the authorization must include the name or other specific identification of the person(s) or class of persons to whom the Covered Entity is authorized to make the use or disclosure.

Fourth, the authorization must state an expiration date or event.

Fifth, the authorization must state that the individual has the right to revoke the authorization in writing, except to the extent that the Covered Entity has already acted in reliance on it or, where the authorization was obtained as a condition of obtaining insurance coverage, to the extent that other law gives the insurer the right to contest a claim under the policy.

Sixth, the authorization must inform the individual that when the information is used or disclosed pursuant to the authorization, it may be subject to redisclosure by the recipient and may no longer be protected by the rule.

Seventh, the authorization must include the individual’s signature and the date of the signature.

Finally, if a personal representative of the individual signs the authorization, the representative must indicate his or her authority to act for the individual. Of course, the authorization must be written in plain language. Unfortunately, the final rule does not provide a model authorization.

Please note that in the event an authorization is requested by a Covered Entity for its own use and disclosure, the authorization must state that the Covered Entity will not condition treatment, payment, enrollment or eligibility on the individual’s authorization for the use or disclosure. Such authorizations must also identify each purpose for which the information is to be used or disclosed and advise individuals of certain rights available to them under the rule.

Q. What are the requirements regarding the use and disclosure of healthcare information that is not "Individually Identifiable?"

A. The Regulations explicitly state that information is not individually identifiable if it does not identify the individual or if the Covered Entity has no reasonable basis to believe it can be used to identify the individual.

The Regulations include a safe harbor method by which covered entities can demonstrate compliance with the standard. Under the safe harbor, a Covered Entity is considered to have met the standard if it has removed every identifier on an enumerated list (direct identifiers such as names, social security numbers and health plan beneficiary numbers, as well as quasi-identifiers such as dates other than year and geographic subdivisions smaller than a state) and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify a subject of the information.

A Covered Entity may also demonstrate that it has met the standard if a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information. The Covered Entity must also document the analysis and results that justify the determination.
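The safe harbor described above is mechanical enough to automate, which is how a practitioner would actually apply it to a record set before release. The following is an added example, not code from the original FAQ or from Strategic Healthcare Initiatives; the record layout, field names and sample data are constructed for illustration, and the list of three-digit ZIP prefixes that must be zeroed is the one HHS published with the rule from 2000 census data. Two edge cases the rule calls out are handled explicitly: ages over 89 collapse to a single "90+" bucket and lose even their birth year, and three-digit ZIP codes covering 20,000 or fewer people become 000. The "actual knowledge" prong of the safe harbor is a human judgment that no script can make, so the code only covers the identifier-removal prong.

```python
"""Safe-harbor style de-identification of a patient record.

Added example (not part of the original FAQ). Implements the
identifier-removal prong of the HIPAA safe harbor: strip the enumerated
direct identifiers, keep only the year of dates, truncate ZIP codes to
three digits (zeroing sparsely populated prefixes), and bucket ages over
89 as "90+". Field names and the sample record are assumptions.
"""
import re
from datetime import date

# Direct identifiers the safe harbor requires removing outright (field names assumed).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
# Three-digit ZIP prefixes with 20,000 or fewer people (HHS list, 2000 census) -> "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Coarse heuristics for identifiers that leak into free text; the safe harbor
# does not exempt notes, so these must be scrubbed too.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
ISO_DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for restricted/short prefixes."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def generalize_age(birth: date, as_of: date) -> str:
    """Age in whole years, with everything over 89 collapsed into one bucket."""
    years = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if years >= 90 else str(years)


def scrub_text(text: str) -> str:
    """Replace SSN/phone/email patterns and reduce full dates to their year."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return ISO_DATE_RE.sub(lambda m: m.group(1), text)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a safe-harbor de-identified copy of `record`."""
    age = None
    if isinstance(record.get("date_of_birth"), date):
        age = generalize_age(record["date_of_birth"], as_of)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or value is None:
            continue
        if field in DATE_FIELDS:
            # For ages over 89 even the birth year is indicative of age: drop it.
            if field == "date_of_birth" and age == "90+":
                continue
            out[field] = str(value.year)
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if age is not None:
        out["age"] = age
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "health_plan_id": "HP-99",
    "date_of_birth": date(1910, 3, 12),
    "admission_date": date(2002, 11, 5),
    "zip": "03601",
    "state": "NH",
    "diagnosis": "Type 2 diabetes",
    "clinician_note": "Pt called 603-555-0123 on 2002-11-06; SSN 123-45-6789 confirmed.",
}
AS_OF = date(2002, 11, 5)


def deidentify_sample() -> dict:
    """De-identify the constructed sample as of the assumed reference date."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

The output keeps what a researcher typically needs (state, year of admission, diagnosis, a bucketed age) and nothing the safe harbor enumerates. The regex scrubbing of free text is deliberately coarse: it catches the common formats, but a reviewer still has to read notes, because names and nicknames in narrative text are exactly the kind of residual identifier the "actual knowledge" prong exists for.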

Q. What are the boundaries on medical record use and release?

A. The Regulations require any disclosure of information to be limited to the minimum necessary for the purpose of the disclosure. Covered entities are required to implement policies and procedures for "minimum necessary" uses and disclosures. Implementation of such policies and procedures is required in lieu of making the "minimum necessary" determination for each separate use or disclosure. This provision would not apply, however, to the transfer of medical records for purposes of treatment, since physicians, specialists and other healthcare providers need access to the full record to provide the best quality of care. As noted above, patient information cannot be disclosed by a Covered Entity for purposes that are not consistent with healthcare treatment, payment and operations.

Q. How do I handle routine requests for PHI?

A. For requests for PHI from other covered entities made on a routine, recurring basis, the covered entities’ policies and procedures may establish standard protocols describing what information is reasonably necessary for the purposes and limiting the releases to only that information in lieu of making the determination individually for each request. For all other requests, the policies and procedures must provide for review of the requests on an individualized basis. Disclosure of an entire medical record must not be made except pursuant to policies that specifically justify why the entire medical record is needed. In certain cases, such as referral from one physician to another, the entire record may be the "minimum necessary" for its purpose.

Q. How do I handle requests for PHI from third parties, such as my attorneys?

A. Carefully! Lawyers, as well as consultants, healthcare clearinghouses, claims processors, billing agents, practice management companies and certain other entities and individuals, are considered "Business Associates" for purposes of HIPAA. A "Business Associate" is a person or entity who performs, arranges or assists in the performance of a function or activity for the Covered Entity that involves the disclosure of PHI. The healthcare provider must enter into a written contract with the Business Associate that specifically includes: an assurance that the Business Associate will use the PHI properly; the specific purposes for which the Business Associate may use the information; a clause permitting the provider to terminate the contract if the Business Associate violates its terms; a requirement that the Business Associate report any unauthorized use or disclosure of the information; a clause requiring the Business Associate to make the information available to the individual to whom it relates, to the extent the provider is required by law to do so; a provision requiring the Business Associate to make its internal practices regarding the use and disclosure of this information available to the government upon request; and a clause requiring the return or destruction of the information upon termination of the contract. As a practical matter, the healthcare provider must identify every potential "Business Associate" and be prepared either to execute new agreements or to modify existing ones to conform to these requirements.

Q. What steps do I have to take to verify the identity and authority of a person requesting PHI?

A. The Covered Entity must establish and use written policies and procedures (which may be standard protocols) that are reasonably designed to verify the identity and authority of a requestor the Covered Entity does not already know. A requestor may be "known" through a known place of business, address, phone or fax number, or as a known individual. Where documentation, statements or representations from the requestor, whether oral or written, are a condition of disclosure under the final rule, verification must include obtaining that documentation, statement or representation before the PHI is released.

Q. Does the law require individuals to receive notice of how I intend to use and disclose PHI, and of their rights with respect to that information?

A. Yes. The Regulations give individuals the right to receive, and require covered entities to produce, a notice of privacy practices. Healthcare providers with a direct treatment relationship must make a good-faith effort to obtain the individual's written acknowledgment of receipt of the notice no later than the first service delivery (except in emergencies), and must document the effort if acknowledgment cannot be obtained. The notice must be written in plain language. Its purpose is to inform individuals of their rights and of how PHI collected about them may be used or disclosed. The notice must carry a header that reads:

"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

Covered entities must describe all uses and disclosures of PHI that they are permitted or required to make under the Regulations without authorization, including those uses or disclosures subject to the consent requirements discussed above. Covered entities must also separately describe each purpose for which they are permitted to use or disclose protected information under the rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures. With respect to uses and disclosures to carry out treatment, payment, and healthcare operations, the description must include at least one example of the types of uses and disclosures that the Covered Entity is permitted to make. Individuals’ rights under the Regulations must be explicitly stated as follows: the right to request restrictions on certain uses and disclosures, including the statement that the Covered Entity is not required to agree to a requested restriction; the right to receive confidential communications on PHI; the right to inspect and copy PHI; the right to amend PHI; and the right to an accounting of disclosures of PHI. The notice must also describe the right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request. The notice must also state that covered entities are required by law to maintain the privacy of PHI, to provide a notice of their legal duties and privacy practices and to abide by the terms of the notice currently in effect. The Covered Entity’s notice must also inform individuals about how they can lodge complaints with the Covered Entity if they believe their privacy rights have been violated.

Q. What sort of access do individuals have to their own PHI?

A. Individuals have the right of access to any PHI that is used, in whole or in part, to make decisions about those individuals. This information includes, for example, information used to make healthcare decisions or information used to determine whether an insurance claim will be paid. There are only three types of information to which individuals do not have the right to access, even if the provider maintains the information in the designated record set. They are: psychotherapy notes, information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding, and certain Protected Health Information (PHI) maintained by a Covered Entity that is subject to or exempted from the Clinical Laboratory Improvements Amendments of 1988 ("CLIA"). Access may also be denied if the provider reasonably believes that access is likely to endanger the life or physical safety of the individual or a third party, or if the information makes reference to another person and access is likely to cause substantial harm to the person. Generally speaking, requests must be acted upon within 30 days of receipt.


©2001, 2002 Strategic Healthcare Initiatives, Inc.