The first time that new lawyers encounter the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the incredibly vast framework of privacy and security regulations may very well appear completely overwhelming. This is especially true when the question at issue – whether it is from a litigation or compliance perspective – is particularly narrow in scope. For the initiated and uninitiated alike, it is fairly easy to get lost in the morass of cross-referenced sub-parts that any given legal question implicates.
Through its privacy and security requirements, HIPAA impacts not only the medical community, but all individuals and industries that come into contact with the medical community. The implementation of HIPAA requires the development of new policies and procedures addressing the use and disclosure of medical information, as well as the appropriate utilization of available technology. Equally as important, as HIPAA has become more and more pervasive, compliance with the privacy and security regulations have necessarily involved attitudinal changes by everyone associated with the health care industry. HIPAA directly impacts the manner in which patients, providers, and payors interact with each other.
What Information is Protected by HIPAA?
The HIPAA Privacy Rule covers all uses or disclosures of "Protected Health Information" ("PHI"), whether in paper, electronic, or oral form. PHI has many characteristics that make it somewhat easy to spot. Whether a malpractice attorney is attempting to acquire the medical records of a plaintiff, or a transactional attorney is assisting with due diligence in connection with the sale of a clinic, it is imperative that PHI is treated appropriately. Being able to recognize PHI is the first step. PHI has the following characteristics:
The following are illustrative examples of information that are considered "patient identifiers":
Generally speaking, PHI may be used or disclosed without first acquiring the patient's consent only in very limited circumstances. Other than allowing disclosure to the individual whom the PHI describes, the Privacy Rule generally allows disclosure of PHI without the patient's consent for the purposes of treatment, payment, or health care operations. Additionally, there are certain situations, such as in response to an order of court or a subpoena (so long as certain additional requirements are met), where PHI may be disclosed without the patient's consent. In most other situations, a patient must provide consent before his PHI can be used or disclosed.
To that end, each individual maintains six basic privacy rights. An individual has the right to:
Additionally, a Covered Entity's use or disclosure of PHI (other than for "treatment, payment, or operations," or with consent) must be limited to the "minimum necessary" extent. This minimum necessary standard essentially requires a provider to consider what minimum amount of PHI will meet the purpose of the disclosure. Furthermore, once a Covered Entity agrees to a restriction regarding the use or disclosure of an individual's PHI, this restriction must be honored. Likewise, use and disclosure of PHI must be consistent with a Covered Entity's Notice of Privacy Practices. When the exchange of health information is deemed necessary, but the value of the information does not lie in its personally identifiable aspect, PHI is often "de-identified." PHI can be freely used to create de-identified data, and no restrictions are placed on the use and disclosure of the resulting de-identified data.
To Whom does HIPAA Apply?
Although HIPAA appears to be extremely pervasive, it maintains authority over only certain types of entities. HIPAA specifically applies only to "Covered Entities." Generally, a Covered Entity is one of the following:
Most of the time, HIPAA questions will involve the activities of or information held by either a provider or plan. Because providers and plans must utilize the services of many different entities, it was necessary to find a way to extend the protections afforded by HIPAA when these essential non-Covered Entities are handling or creating PHI.
These non-Covered Entities that play such a critical role in the health care arena are termed "Business Associates." Examples of common Business Associates are billing firms, accreditation organizations, document destruction contractors, lawyers, and third-party administrators. Importantly, a Business Associate relationship is formed contractually. When a Covered Entity engages another person or entity to perform a function on behalf of the Covered Entity that requires the disclosure of PHI or the creation of new PHI by that person or entity, it is imperative that the Covered Entity require that person or entity to sign a contract called a "Business Associate Agreement" (often referred to as a BAA). The BAA extends the requirements of HIPAA to the Business Associate and requires the Business Associate to be aware of its responsibilities under HIPAA. Furthermore, a Covered Entity that does not require Business Associates to sign a BAA is itself in violation of HIPAA.
Federal vs. State Law
Although the term "preemption" is typically thought of in terms of an ERISA analysis, many HIPAA issues require a preemption analysis. As a general rule, HIPAA should be thought of as a regulatory "floor" of provisions. In other words, HIPAA provides a baseline of privacy requirements that state law cannot abrogate. This is not to say, however, that state law will not provide the answer to a given privacy concern.
State privacy laws are preempted by HIPAA if the state law is contrary to HIPAA. In order to determine whether the state law is contrary, two questions should be asked:
Generally, if the answer to either of these questions is "yes," then the state law requirement will be preempted by HIPAA. It is important to keep in mind, however, that stronger state laws that are not contrary to HIPAA will apply. Such laws typically further limit the use or disclosure of PHI, create greater rights of access to PHI to the individual, strengthen authorization protection, or impose greater record-keeping requirements. For example, many states have more stringent state laws regarding the use and disclosure of HIV/AIDS records, drug and alcohol treatment records, DNA records, and sexual assault victim records. Additionally, some states (with California being a prime example) have extremely intricate and detailed bodies of law that provide more stringent requirements that parallel much of the Privacy Rule.
Privacy vs. Security
Although the HIPAA statute and regulations address much more than privacy and security (e.g., health care transaction standards, fraud and abuse provisions, and provisions regarding medical savings accounts), HIPAA has become synonymous with patient privacy. Furthermore, as electronic medical records become more prevalent (e.g., following the recently passed Stark law exception and Anti-Kickback Statute safe harbor dealing with e-prescribing), the security regulations will be implicated on a more regular basis.
To a large extent, the privacy and security requirements are distinct regulatory provisions. A quick review of the security regulations, however, reveals many provisions that appear to be equally related to privacy. Generally, the following distinction between HIPAA privacy and HIPAA security holds true: Privacy generally refers to the rights of an individual to limit the use and disclosure of PHI; Security generally refers to the obligations of Covered Entities to safeguard health information from improper use or disclosure. In other words, the Privacy Rule addresses the "what," and the Security Rule addresses the "how."
Importantly, and to further complicate matters, the Security Rule essentially provides Covered Entities with a list of security issues that must be addressed. At no point does the Security Rule instruct Covered Entities how to implement these security standards. Although what appears to be a lack of direction in the Security Rule may seem frustrating to a provider (or an attorney advising the provider), the various administrative, technical, and physical safeguards described in the Security Rule are specifically designed to be both flexible and scalable. Security "solutions" should be proportionate to an organization's risks, and should be based on organizational circumstances such as size, complexity, and capabilities.
Violating HIPAA can be very costly. Civil penalties range from $100 per incident to $25,000 per person per year per standard violated. On the criminal side of enforcement, illegally obtaining or disclosing PHI can result in a fine of up to $50,000 and one year in prison. Obtaining PHI under "false pretenses" can be punished with fines of up to $100,000 and five years in prison. Obtaining or disclosing PHI with the intent to sell, transfer, or use the PHI for commercial gain, personal gain, or malicious harm can result in even stiffer penalties: up to $250,000 and ten years in prison.
Civil enforcement of HIPAA is handled by the Department of Health and Human Services' Office for Civil Rights ("OCR"), while criminal enforcement is overseen by the Department of Justice. The final Enforcement Rule was issued in February of 2006 and makes the HIPAA enforcement provisions applicable to all aspects of the Administrative Simplification Standards (not only the Privacy Rule). Importantly, the Enforcement Rule affirms that the OCR's enforcement philosophy is one of voluntary compliance. That being said, and although enforcement measures have not traditionally been onerous, it seems that the tide is changing with regard to enforcement and the mindset of those investigating reported HIPAA violations.
Do Not be Fooled by the Myths
When discussing privacy and security issues with clients, fellow attorneys, or friends, one of the first obstacles to overcome is their preconceived assumptions about what HIPAA does or does not permit. The following are a few of the many common myths regarding the Privacy Rule:
In addition to addressing the many commonly circulated myths regarding the Privacy Rule, there are many provisions within the regulations to which attorneys should pay special attention. The Privacy Rule specifically addresses the manner in which records should be released in response to a court order or subpoena. Additionally, there are provisions that address how Covered Entities should interact with a patient's personal representative. Although these provisions can appear somewhat intricate, a careful reading of the regulatory language, along with the published comments in the Federal Register and diligent cross-referencing throughout the Privacy Rule, will enable a thorough understanding of the concerns at issue.
The following resources are but a few of the many available to assist with a HIPAA analysis:
About the Author
Brad M. Rostolsky is an associate in the health care group of the law firm of Reed Smith LLP. Brad is resident in the firm's Philadelphia office, and focuses his practice in the area of health care transactional and regulatory law.