ABA Health eSource
August 2006, Volume 2, Number 12

HIPAA Security Rules Frequently Overlooked
by Frank Palmieri, Palmieri & Eisenberg, Princeton, NJ

Effective as of April 14, 2003, the HIPAA Privacy Rules [1] began to apply to healthcare providers, insurance carriers, and medical plans with over $5,000,000 in annual receipts (i.e., large health plans). All of these entities are generally referred to as “covered entities.” A delayed effective date of April 14, 2004, applied to small health plans with less than $5,000,000 in annual receipts. These rules required covered entities to restrict the use and disclosure of protected health information (“PHI”) to the minimum amount necessary for the purpose of any disclosure.

Commencing as of April 20, 2004, healthcare providers and large health plans became further subject to the HIPAA Security Rules, [2] with a delayed effective date of April 20, 2005, for small health plans. [3] The Security Rules are much narrower than the Privacy Rules, since they apply only to electronic PHI (“ePHI”), which generally means health information transmitted via email or retained on computer systems.

Significant attention was originally given to the HIPAA Privacy Rules, which required healthcare providers and employers “involved” in the administration of their health plans to establish policies and procedures to ensure the protection of PHI. For instance, an employer’s policies must distinguish between information that is an employment record and information that is PHI. For example, an employee may request family leave and submit a request-for-leave form containing detailed health information. The health information may disclose that the individual wishes to leave work at the close of business on Wednesday, obtain chemotherapy on Thursday, and return to work on the following Monday. Obviously, this is detailed health information regarding an employee. However, it is not PHI, since it is only data collected by the employer as necessary to administer its Family and Medical Leave Act (“FMLA”) [4] and other leave-of-absence policies. Conversely, if an employer holds a list of participants in a health plan that is faxed from an insurance carrier to the employer for confirmation of enrollment, such information is PHI, since it contains employee elections for single, parent/child, family, or other coverage that should be protected.

Although most covered entities conscientiously complied with the Privacy Rules and have continued to monitor their HIPAA compliance, many healthcare providers and employers sponsoring health plans have not yet fully evaluated the implications of the new Security Rules. As noted above, the new Security Rules apply solely to ePHI, as opposed to all PHI. Accordingly, if an employer initially established procedures that protect all PHI, including ePHI, no further action is required. Nevertheless, it is common for employers to transmit health-related information associated with a health plan, or for a healthcare provider to respond to employer questions, via email. Such emails and other electronic transmissions can also be saved on systems where access is not always limited to authorized individuals with a need to see such information. Even though many insurance carriers have established elaborate procedures, maintain password-protected emails, and utilize various encryption methods, some ePHI is still subject to disclosure. Based upon these fundamental observations, it remains important for employers and health providers to:

  1. Evaluate the internal procedures utilized to limit the use and disclosure of PHI and ePHI to the minimum amount necessary based upon the circumstances.
  2. Update Privacy Policies, as necessary. This is the Notice that all individuals sign when they visit their doctors and that was mailed by all insurance carriers and employers prior to April 14, 2003. A new Privacy Notice should be issued every three years, and/or individuals should be notified where they can obtain such a Policy. Although many employers provided this information during the 2006 open enrollment period for the 2005 health plan years, some providers have not yet issued or updated Privacy Notices, which should have been updated for the Security Rules by April 14, 2006. For small health plans, employers are encouraged to include a statement in the open enrollment materials for the 2007 health plan years that a Notice of Privacy Policy is available in the Human Resources Department upon request, or via the employer’s intranet, if applicable.
  3. Evaluate ePHI procedures, such as the handling of PHI in the subject line or header of emails, to ensure that proper security exists. It is common for health plans or healthcare providers to establish special ePHI rules, such as a prohibition on opening emails from home or other unsecured workplaces unless an email is marked “Urgent ePHI.” For example, an employer with a self-insured health plan may be asked to approve a specific treatment that may not be covered by the health plan or is outside the health plan’s network. An employer must frequently make this decision quickly, since the healthcare services need to be rendered. However, for non-urgent PHI matters, the email should wait until the employee returns to the office, to minimize any unnecessary disclosures.
  4. Update their records for changes in procedures, new payroll systems, and new vendors, and ensure the existence of proper Business Associate Agreements [5] with all vendors, including amendments or new agreements to address the Security Rules. For example, many hospitals have established sophisticated procedures to comply with the HIPAA Privacy and Security Rules. However, they also maintain self-insured medical plans for which the same level of security is not maintained. If an employee in the Human Resources or another department can obtain access to critical healthcare records maintained on the hospital’s network for hospital employees or patients, the HIPAA Privacy and Security Rules would be violated. Thus, even healthcare providers who have expended tremendous energy in complying with the HIPAA Privacy and Security Rules must nevertheless re-evaluate the existence of Business Associate Agreements, amendments for the Security Rules, changes in vendors, and internal procedures to protect PHI and ePHI.

This article is not intended to be a summary of all the HIPAA Privacy and Security Rules that must be addressed by covered entities. It is intended solely to remind employers and healthcare providers of some practical actions they should undertake to ensure compliance with the HIPAA Privacy and Security Rules.

[1] 45 CFR Parts 160 and 164.
[2] 45 CFR Part 142.
[3] CFR § 164.318(a)(1).
[4] Family & Medical Leave Act of 1993, Pub. L. No. 103-3, 107 Stat. 6 (1993).
[5] Business Associate (“BA”) Agreements are executed between health plans and third parties, such as insurance brokers and third-party administrators, to ensure that the use of PHI and ePHI is restricted and that subcontractors and others will be subject to the same rules. For example, BA Agreements must be executed even with waste disposal companies if records are destroyed “off-site,” as opposed to conducting such activity on an employer’s premises.