GPSolo Magazine - April/May 2004

HIPAA: A Primer

The Healthcare Portability and Accountability Act of 1996 (HIPAA) significantly regulates the way healthcare providers and health plans deal with patient information. Many attorneys, whether or not they represent healthcare providers, will encounter the patient information provisions of HIPAA at some point in their practices, although the impact may vary greatly depending upon the type of law and nature of the clients. This article explains various provisions of HIPAA, addresses in some depth the privacy standards the general practitioner is likely to encounter, and compares HIPAA patient privacy provisions to the confidentiality provisions of the Americans with Disabilities Act (ADA) and other employment laws.


Although much attention has focused on the privacy standards of HIPAA, the law addresses a variety of health-related issues that can be confusing to those with only limited exposure to it. The portability provisions of the act significantly limit how and whether healthcare plans may impose preexisting condition limitations and waiting periods before healthcare coverage takes effect and make it possible for a person’s health insurance coverage to be “portable” as the employee moves from one employer to another, without creating gaps in coverage.

HIPAA’s privacy and security regulations, promulgated by the law’s administrative simplification rules, provide standards for how healthcare providers and health plans (covered entities) must maintain the confidentiality of patient information. The compliance date for implementing the privacy standards was April 14, 2003, and the compliance date for security standards, which relate primarily to computer measures, is April 21, 2005.


Compliance requirements cover healthcare providers (physicians, dentists, social workers, hospitals, nursing homes, pharmacies, and other facilities providing healthcare services) and health plans offering healthcare coverage to enrollees. Providers and plans must comply with detailed rules that cover how medical information is maintained and released. Although the regulations apply directly only to healthcare providers and health plans, anyone dealing with the covered entities may be impacted by the regulations. For example, attorneys seeking medical records will be affected by HIPAA limitations regarding authorizations and subpoenas; vendors who contract with healthcare organizations may need to enter “business associate agreements” that require them to comply with the entity’s patient information protections.

Particularly confusing is how the HIPAA privacy and security standards apply to law firms or practitioners who provide healthcare coverage (health plans). If an employer’s (or other group’s) health plan is fully insured (i.e., benefits are offered solely by the employer’s purchase of coverage), the insurance plan or HMO must assume the burden of HIPAA compliance. If the health plan or any component of it is self-insured, however, the plan itself must comply with the privacy and security regulations. Employers who maintain health plans but do not know the plan’s requirements for HIPAA compliance should consult an employee benefits attorney.

Many private employers, churches, or social organizations that receive medical information about employees, parishioners, or members have the mistaken notion that they become subject to the HIPAA regulations once they receive such information. They do not. The privacy standards are applicable only if the individual or entity is a healthcare provider, health plan, or health clearinghouse (not addressed in this article) or has a business associate agreement with such a covered entity.

Security Measures

Transaction standards and code sets regulations standardize the electronic transfers for financial and administrative transactions between providers and payers, such as insurance companies and HMOs. The compliance date for these provisions was October 16, 2003.

The law requires that the secretary of the Department of Health and Human Services (DHHS) set standards for unique health identifiers for every individual, employer, and health plan in the United States. Final regulations for the national employer identifier published in May 2002 adopt the employer’s IRS identification number as its unique health identifier. Proposed regulations for the unique health identifiers for individuals and health plans have not yet been published. In addition, the secretary must establish standards for electronic signatures and for transmission of data elements needed for coordination of benefits and sequential processing of claims. Proposed regulations for these areas have not yet been published.

Privacy Standards

Health plans and healthcare providers that file claims or perform eligibility checks or other administrative functions electronically are subject to HIPAA privacy standards. As a practical matter, therefore, most individual healthcare providers and all healthcare facilities must comply with HIPAA privacy standards; however, it may be possible for certain small healthcare providers to avoid HIPAA compliance by adopting an entirely paper system for claims processing.

Healthcare providers that are operationally intertwined (such as doctors and hospitals) usually enter into organized healthcare arrangements (OHCAs). Most hospitals have OHCAs with medical staff for services rendered at the hospital; generally, a hospital is responsible for developing and implementing policies, and physicians and other professionals must follow them. If a physician or healthcare professional has an independent practice outside the hospital, he or she—as a provider—is responsible for compliance plans for the practice. Most nurses and other healthcare professionals who do not separately bill for their services do not need to individually comply with the privacy standards but are bound by their employers’ compliance plans.

HIPAA Requirements

HIPAA specifically does not preempt state laws that are more stringent than HIPAA requirements. The HIPAA privacy standards can be organized into four major areas:

Regulations regarding disclosure of information. Patient information is to be shared within the healthcare organization only as needed to treat the patient, to bill for services rendered, or to operate the healthcare organization. Thus information may be shared with attorneys representing the organization, and with accrediting organizations and the like. Information may be shared with those outside the organization only if the disclosure is permitted under HIPAA or the patient has specifically authorized the disclosure. The primary broad exclusion from the need for patient authorization is that covered entities may release patient information to providers who are treating the patient, to other covered entities for payment purposes (such as an insurance company or health plan), or to assist the covered entity in its own operations.

The privacy standards in addition have myriad specific rules addressing the release of information to the patient’s family, friends, and clergy; upon government request; to police and other law enforcement officials; and pursuant to mandatory laws and subpoenas. With regard to subpoenas, HIPAA is clear that a request for patient information that is not also a court order may not be honored unless specific protections are offered to the patient. Attorneys thus cannot issue standard subpoenas to gain access to records. The safest way to obtain information quickly is to produce a HIPAA-compliant authorization signed by the patient with the record request. (See sidebar, “HIPAA-Compliant Authorizations,” page 42.)

Each covered entity must publish a “notice of privacy practices” detailing all disclosure practices. An attorney desiring such information should start by obtaining a copy of this notice.

Patient access to personal information. Each patient is permitted to access his or her own patient information, request changes to such information, and upon request obtain the names of other parties who have received the patient’s information (except parties to whom the information was released for purposes of treatment, payment, or healthcare operations).

Business associate agreements and policies. All covered entities must have business associates and vendors sign business associate agreements, which are contracts dictated by HIPAA standards that require such associates to maintain the confidentiality of the information by adhering to the same protections required of the initial entity.

Only those who provide services for the covered entity—certain vendors and consultants, for example—are business associates. Attorneys who represent covered entities must arrange business associate agreements with their clients if the attorney receives patient information of any kind. An independent party that receives patient information for its own purposes is not considered a business associate.

Administrative and training requirements. Each covered entity is required to appoint a privacy officer to implement its HIPAA compliance program, to train all members of its workforce, and to distribute its notice of privacy practices to all patients and in response to requests. Attorneys needing information regarding a HIPAA compliance program should start with the entity’s privacy officer for effective resolution of the issue.

Sanctions and Enforcement

Enforcement of HIPAA privacy standards is under the Office for Civil Rights of the DHHS. Both criminal penalties and civil monetary penalties exist for violations, although the emphasis in enforcement is on compliance, not penalties. Penalties generally are not levied if the failure to comply is due to reasonable cause, not willful neglect, and if action is taken to correct the failure once the noncompliance is known. Significant penalties do exist for intentional violations; and criminal penalties apply for obtaining information under false pretenses or with the intent to sell, transfer, or use the information.

HIPAA’s Relation to Other Regulations

Federal employment laws that permit employers to collect employee medical information require the employers to keep such information confidential. The ADA, the Rehabilitation Act of 1973, and the Family and Medical Leave Act (FMLA) address how employers may obtain medical information.

Employers generally may ask for medical information or certifications and may create medical information through a variety of tests, including pre-employment/post-offer physicals, fitness-for-duty and return-to-work exams, requests for reasonable accommodations, requests for leaves of absence, and examinations triggered by specific events. Employers must keep medical information separate from employment files, maintain confidentiality, and disclose covered information only as necessary for the safety of the employee or to assist supervisors in making necessary job accommodations.

Simply maintaining and creating such information does not make employers into covered entities under HIPAA. Even healthcare providers that are subject to the HIPAA privacy standards as to medical information maintained regarding their patients are not similarly subject regarding their own employees; instead, they are only subject to the more general confidentiality provisions of the employment law (unless, of course, the employees were also patients, in which case their patient information receives HIPAA protection).

Although the ADA and FMLA permit an employer to obtain medical information about employees, HIPAA may make it harder to do this. Release of an employee’s medical information to an employer by a healthcare provider generally is prohibited under HIPAA without the patient/employee’s authorization. Employers must provide HIPAA-compliant authorizations to healthcare providers. Employers may require employees to sign authorizations as a condition of employment or a return to work—employers should review their policies to make sure they may require the employee to sign such an authorization. Information received by the employer is then subject to the confidentiality requirements of the ADA and FMLA, but the employer is not subject to the privacy requirements of HIPAA.

Susan Scheutzow is General Counsel to Southwest General Health Center in Cleveland, Ohio. She can be reached at

HIPAA-Compliant Authorizations

Given that HIPAA authorizations are specific to each request for records, lawyers seeking healthcare-related information may want to use the healthcare provider’s existing request form. Attorneys who prefer to create their own authorization should be aware that it may not be combined with other authorizations in the same document and must contain the following information:

• Description of the information to be released, with specific identification

• Name or class of persons releasing the information

• Name or class of persons receiving the information

• Purpose for which the information will be used (“at patient’s request” is sufficient)

• Expiration date, expiration event, or statement that there is no expiration date

• Signature of patient; if patient is not qualified to consent, signature of patient’s representative with explanation of his or her relationship to the patient

• Statement that the patient may revoke the authorization at any time and how such revocation may occur

• Statement whether the covered entity may condition treatment, payment, enrollment for benefits, or eligibility on the patient’s signing the authorization. In general a covered entity may condition treatment, payment, enrollment for benefits, or eligibility on whether the patient signs the authorization only in the following instances: (i) for certain research-related treatment; (ii) a health plan may condition enrollment or eligibility if the authorization sought is for underwriting or risk determination; and (iii) a healthcare provider performing services solely for disclosure to a third party, e.g., back-to-work physicals, may condition the services on the authorization.

Authorization for receipt of general medical information should contain the following statement (or a similar one): “Neither treatment, payment, enrollment for benefits, or eligibility may be conditioned on whether this authorization is signed or revoked.” If the authorization is specifically for services provided for disclosure to another, such as return-to-work physicals, the following or similar statement should be included: “Treatment, payment, enrollment for benefits, or eligibility may be conditioned on whether this authorization is signed and not revoked.”

• Statement that the person signing acknowledges that the information disclosed is subject to redisclosure and no longer will be protected by HIPAA privacy regulations once it has been released.

See 42 U.S.C. § 164.508 for additional information.
