Issue: June, 2005
Author: Angela Stewart
HIPAA - An Attempt to Protect Individually Identifiable Health Information
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress to address major problems in health care, including excessively easy access to individuals’ health information. Congress enacted the Administrative Simplification section of HIPAA to lay the groundwork for protecting personal health information. This article will address the Administrative Simplification section of Title II, and the related regulations promulgated by the Department of Health and Human Services (HHS). While this article is expository, this author feels Administrative Simplification and the rules promulgated thereunder create the illusion of protecting health information but add no substance to protecting health information or improving the health care system.
Congress mandated that HHS develop privacy standards for individually identifiable health information (IIHI), including: (1) individual rights; (2) procedures for the exercise of such rights; and (3) authorized or required uses and disclosures of such information. With this mandate, HHS promulgated the Standards for Privacy of Individually Identifiable Health Information (SPIIHI) (a.k.a. the privacy rule).
Acknowledging the effect that advanced technology has on the health care industry, and the ease with which personal health information can be transferred between entities, Congress enacted Recommendations with Respect to Privacy of Certain Health Information and delegated the authority to HHS to work out the details. HHS struggled to balance the efficiency and benefits of advancing health care technology with the privacy concerns of individuals receiving health care.
Standards for Privacy of Individually Identifiable Health Information (SPIIHI)
From public input, HHS learned stakeholders in the system have very different ideas about the extent and nature of current privacy protections and appropriate uses of health information. HHS attempted to balance the various individuals’ privacy interests with social goals of allowing the health care industry to advance.
After proposing the privacy standards in November 1999, HHS received more than 52,000 public comments. The large response indicates the importance of these regulations and the great public interest in protecting personal health information. Some of the interest can be explained by SPIIHI’s estimated cost of $17.6 billion over 10 years. This regulation will obviously be expensive to implement, which is all the more reason to make it effective.
The December 2000 regulations stated three major purposes:
(1) to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
(2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and
(3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.
HHS amended parts of SPIIHI on August 14, 2002, and stated:
The purpose of these modifications is to maintain strong protections for the privacy of individually identifiable health information while clarifying some of the Privacy Rule’s provisions, addressing the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieving unintended administrative burdens created by the Privacy Rule.
This author would argue that these goals were not achieved as SPIIHI does not provide adequate protections of health information and it certainly does not “restore trust in the health care system.”
SPIIHI created four individual rights: (1) written notice of information practices; (2) accounting of how an individual’s IIHI has been disclosed; (3) access to [one’s] own IIHI; and (4) requests for amendment and correction of PHI.
Covered Information – All health information is subject to Administrative Simplification rules, but only individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity invokes these privacy regulations. This information, referred to as “protected health information” (PHI), remains protected no matter what form it later takes. Given the widespread use of computers in today’s world, this regulation effectively applies to all health information. For example, a doctor’s handwritten notes in a patient’s file that are later entered into a computer and added to that patient’s file are PHI because the health information has been electronically maintained by a covered entity. Even if those electronic notes are forwarded to a specialty doctor who copies some of those notes in his own handwriting for his office file, the new handwritten notes are still PHI because they have been electronically maintained.
Covered Entities – These standards are “applicable to (1) all health plans, (2) all health care clearinghouses, and (3) any health care provider who transmits any health information in electronic form in connection with transactions.” These three categories of entities are commonly (and hereinafter) called “covered entities.”
The definitions of the covered entities are not very clear. HHS has not attempted to further clarify those definitions under the regulations, as they are to be functional and continue to be functional with the evolution of the health care industry. The definitions “describe functions, not specific types of persons or entities.”
HHS’s approach to covered entities is also impacted by the limited jurisdiction conferred by HIPAA. HHS cannot regulate non-covered entities, even if they deal with PHI. In some instances HHS requires covered entities to obtain a representation or documentation of purpose from those requesting PHI.
Stemming from this attempt to articulate the required purpose, HHS requires covered entities to pull business associates under the realm of these regulations. Business associates are not covered entities; they are people or organizations that do business with covered entities, and the designation is “based on the nature of the person’s business,” not on the person’s label or title. A covered entity must require all people or entities outside the covered entity that may receive PHI to sign a contract that brings the business associate under these regulations.
A covered entity may disclose PHI to a business associate and allow a business associate to create or receive PHI on its behalf, if the covered entity obtains “satisfactory assurance that the business associate will appropriately safeguard the information.” If a covered entity “violates the satisfactory assurances it provided as a business associate,” it violates this regulation. Additionally, a covered entity is non-compliant with this regulation if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the Secretary.
Covered entities must occasionally disclose PHI. SPIIHI rules for disclosure are as follows. First, “[d]isclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.” When there is disclosure, the minimum necessary standard applies. When a covered entity uses or discloses PHI, it “must make reasonable efforts to limit [PHI] to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
A potential problem is the fact that HHS allows a covered entity to trust that the information sought by a requesting party is the minimum amount of information needed. “Similarly, a covered entity is permitted reasonably to rely on the judgment of another covered entity.” Unfortunately, the requesting party may not be aware of the minimum necessary standard and/or be regulated by SPIIHI.
Administrative Requirements – HHS requires covered entities to have a HIPAA compliance person responsible for the development and implementation of the policies and procedures of the entity and internal procedures to ensure compliance. A covered entity must also designate a contact person or office responsible for receiving HIPAA complaints. These requirements are expensive for covered entities but are beneficial for individuals with concerns and for entity accountability.
A covered entity must train its workforce on the policies and procedures concerning PHI as necessary for them to do their job, and employees must be sanctioned if they fail to comply with this regulation.
Covered entities “may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against” individuals and others for filing complaints with the Secretary, “[t]estifying, assisting, or participating in an investigation, compliance review, proceeding or hearing” or “[o]pposing any act or practice made unlawful by this subpart, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of this subpart.”
Individual Authorization and Permitted Disclosures – As much of the public has experienced, many providers now require patients or clients to sign HIPAA release forms, which essentially give the provider the individual’s authorization to release that person’s PHI for specified reasons. The problem with these authorizations is that many individuals are required to sign before service is provided, the impression being that signing the authorization is a condition of service, much like providing proof of insurance. Many individuals also do not understand their rights under HIPAA, despite the privacy statements and additional forms provided by covered entities.
“To ensure that authorizations are informed and voluntary, the Rule prohibits, with limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization.” This provision is a bright spot of SPIIHI; yet, it is unlikely these regulations empower the individual.
The general rule is that a covered entity must get authorization from the individual before disclosure. A valid authorization must contain certain elements, including a description of the information to be disclosed; the individual’s name who is authorized to make the disclosure; the person to whom the information will be disclosed; the purposes for which the information will be used; expiration date or event for the authorization; signature of the individual and the date.
In addition to the required core elements, the authorization must also provide notice to the individual of his or her right to revoke the authorization, “[t]he ability or inability to condition treatment, payment, enrollment or eligibility of benefits on the authorization,” and the potential that information provided could possibly be redisclosed by the recipient and no longer be protected under this regulation. The authorization must be written in plain language, and a copy of the signed authorization must be provided to the individual.
A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure . . . . The covered entity may orally inform the individual of and obtain the individual’s oral agreement or objection to a use or disclosure permitted by this section.
This provision allows covered entities to make disclosures if they simply give advance notice. While knowing who is disclosing what information to whom gives the individual some power, it is foreseeable that entities will send out notices with a requirement to respond if the individual objects. A problem will be created if the individual never receives the notice or does not respond in time. This provision likely places the burden on the individual to object instead of on the covered entity to get authorization.
HHS requires individual authorization for any disclosure of PHI unless an expressed exception applies. One expressed exception is for appropriate purposes: treatment, payment and health care operations. Many patients want and expect their information to be used for these purposes. HHS worried about blanket authorizations because they are not truly voluntary when signing is a condition of treatment or payment. This author suggests that general or blanket authorizations may still be required as a condition of service despite the HHS exceptions since covered entities are not prohibited from utilizing or mandating such authorizations.
The non-authorization loopholes seem to get bigger with further analysis of the regulations. HHS will “construe the terms ‘treatment’ and ‘payment’ broadly.” So, covered entities get more leeway when disclosing PHI, without getting the individual’s consent.
A covered entity may use or disclose PHI without individual authorization or the opportunity to object when the uses or disclosures are: required by law; for public health activities; about victims of abuse, neglect or domestic violence; for health oversight activities; for judicial and administrative proceedings; for law enforcement purposes; about decedents; for research purposes; to avert a serious threat to health or safety; for specialized government functions; or for workers’ compensation. Most of these exceptions are for government purposes; the government is often exempt from SPIIHI.
Enforcement – The HHS Office for Civil Rights (OCR) will enforce the HIPAA privacy standards and has the authority to impose penalties on entities that violate these regulations. The Department of Justice will enforce any criminal penalties. There is no private right of action for individuals. HHS is “concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals’ trust in the system.” However, HHS created “a complaint system to permit individuals to make complaints to the Secretary about potential violations of this rule.” Covered entities are also to have a compliance officer to whom complaints may be reported. The Secretary then has the option of investigating the complaint, or alternatively, doing nothing. [HHS wants] to work with covered entities to achieve voluntary compliance with the proposed standards. The penalties that HIPAA authorizes are:
civil monetary penalties for violation of the provisions in [this] part . . . subject to several limitations. Penalties may not be more than $100 per person per violation of a provision, and not more than $25,000 per person per violation of an identical requirement or prohibition for a calendar year.
HIPAA also authorized the imposition of:
penalties for any person that knowingly misuses a unique health identifier, or obtains or discloses individually identifiable health information . . . . The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is ‘under false pretenses,’ a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.
“[T]hese penalties do not affect any other penalties that may be imposed by other federal programs.” While these penalties seem to have some teeth, there is no personal cause of action for individuals who are actually harmed by rules violations. Individuals do have state remedies available to them, including tort actions and breach of contract claims, inadequate though some may be.
As the regulations promulgated thus far do not set the federal standards very high, it would be necessary for Congress to pass more comprehensive legislation to truly protect individually identifiable health information. However, Congress should wait until states have the opportunity to work out the details of an appropriate and beneficial program before Congress does further experiments on a national scale.
As a general rule, HIPAA supersedes any contrary state laws. The Secretary may make exceptions “to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, or for State reporting on health care delivery or costs, among other things.” Also, “contrary State laws relating to the privacy of individually identifiable health information are not preempted if more stringent than the related federal requirements.” HHS noted:
It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. Nor do we intend this regulation to describe a set of ‘best practices.’ Rather, this regulation describes a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information.
All covered entities should currently be in compliance since the compliance deadlines have all passed for covered entities. Small health plans were the last entity required to be in compliance, and that deadline was April 14, 2004.
HHS tried to balance the interests of the health care industry and individuals, but the regulations only seem to split the baby. Entities will have to expend considerable resources to comply with these regulations and individuals, in fact, do not receive any more control over or protection of their PHI. The result is a lose/lose situation.
While the goals and purposes of these regulations have great intentions behind them and great possible benefits to individuals, they do not have enough strength and bite to make a real difference. The industry is simply incurring more cost and administrative headache. At this point in time, the Administrative Simplification section and SPIIHI have created more rules and regulations and required health care entities to institute changes that may change rapidly while these regulations try to catch up with the industry. Congress and HHS need to step aside and let the states work out health care issues for themselves before they institute a national experiment that is detrimental to all involved. Nonetheless, until Congressional action is taken, HIPAA is the law. The health care industry must comply and individuals need to be aware of the purpose and authorizations for release of their protected health information.
Angela M. Stewart is originally from Fulda, Minnesota. She received her Bachelor’s at Southwest Minnesota State University; her J.D. from the University of Wyoming School of Law; and will practice law in South Dakota after taking the Bar Exam in July.
Copyright © 2005 – Wyoming State Bar