HIPAA Regulations on Privacy

HIPAA Regulations on Privacy, Electronic Transactions, and Security

By John M. Letizia, Atty.
Ms. Kate Casagrande
November 15, 2002

Congress established several legislative mandates as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) related to health insurance reform and consumer protections. The Act is separated into four sections, covering the following: Title I – health care access, portability, and renewability; Title II – preventing health care fraud and abuse, administrative simplification, and medical liability reform; Title III – tax-related health provisions; and Title IV – application and enforcement of group health plan requirements.

Because of the far-reaching impact on health care providers, much of the focus of HIPAA is on the administrative simplification section of HIPAA, which has resulted in two sets of Final Regulations related to protecting the Privacy of personal health information and standardizing the use of Electronic Transactions that involve health information. The Department of Health and Human Services (HHS) recently approved modifications to the privacy rules in response to voluminous comments from the industry and privacy advocacy groups and is scheduled to finalize its proposed rule on Security of health information by the end of this year.

In addition to the three main standard sets relating to privacy, security and electronic transactions and code sets, there are also standards relating to National Identifiers. This would require all payors to use the same provider number for each provider; as it stands now, it is all too common for one provider to have more than 30 payor-assigned provider identifiers. The final regulations on this standard have not yet been released.

The Administrative Simplification provisions will change how health care providers practice, and has been referenced as the most complex federal legislation since the creation of Medicare. While many of the provisions of this section will make things easier and more efficient for providers in the long run, the privacy and security regulations promoting patients’ rights regarding their personal health information place a much greater responsibility on providers, which will require a considerable amount of time, effort and resources to accomplish.

1. To improve the efficiency of health care delivery by standardizing the electronic data interchange (EDI) of certain administrative and financial transactions (billing, admissions, discharge, etc.) between provider and payors and by specifying the medical and administrative code sets to be used uniformly with the standard transactions;

2. To protect the privacy of health care information by setting standards for privacy and security of individually identifiable information; and

3. To empower patients with new rights related to their individually identifiable health information^{. [1]}

Not only have there been original rules, proposed changes and final modifications to many of the regulations, but also a generous number of comments and concerns that have resulted in various interpretations of the law. The Department of Health and Human Services has continuously issued press releases regarding HIPAA, in addition to providing updated answers to frequently asked questions regarding interpretation and implementation of the regulations. Overall, there has been a recognized indication that the HIPAA regulations, as they were originally introduced, created many problems in the implementation stage. While in theory and on paper these regulations provided ideal rights to patients and efficient exchange of electronic information for providers, in reality the regulations have required excessive resources (both in time and money) and have created impossible requirements. As a result, it is clear that HIPAA will continue to change to address the practical concerns that were not contemplated when the law was passed. Because these overall goals have resulted in rules that are both complex and extensive, it is important to break down the Administrative Simplification provisions into the three main areas of Privacy, Electronic Transactions, and Security.

Privacy Regulations

The Privacy Regulations apply to "covered entities" and, to a limited extent, to their "business associates". Covered entities include all health plans, including Medicare and state Medicaid programs, all healthcare clearinghouses, and all health care providers that choose to submit transactions electronically. Self-insured health plans are included within the definition of a health plan. In addition, portions of the Privacy Regulations may also extend to individuals and businesses that may receive protected health information from a covered entity. While these individuals and businesses may not be covered entities, they will be required to comply with many provisions of the Privacy Regulations as "business associates".

The key phrase in the Privacy Regulations is “protected health information,” which any information that is individually identifiable and that is maintained or transmitted by a covered entity in any form, whether in oral, written or electronic form. The Privacy Regulations pertain to all protected health information and will require covered entities to change their policies, procedures and practices with regard to this information is handled. Compliance with all the changes required by the Privacy Regulations must be done by April 14, 2003 , although there is a provision extending the deadline to 2004 for small health plans. However, with all the changes that must be in place by this deadline, it is strongly suggested that covered entities begin to implement the new requirements of HIPAA over the next few months.

This transformation will include education to patients about their rights in respect to their protected health information in the form of a privacy notice, as well as making such health information available to patients for viewing, releasing, and even amending. Changes to existing policies and procedures, as well as the incorporation of new policies and procedures will need to be made in order to comply with HIPAA. The Privacy Notice is one of the key provisions of the Privacy Regulations as it will be given to every patient and must include information regarding the patient’s rights, as well as the provider’s uses, disclosures and legal responsibilities with respect to protected health information (PHI).

As mentioned previously, the business associates is another key provision of the Privacy Regulations, as it creates one of the most far-reaching pieces of legislation with regard to a patient’s PHI. This provision requires non-medical, non-covered entities to abide by the same set of standards as covered providers, just because they may receive protected health information from a covered entity. HIPAA specific language will need to be added to every contract that providers have if protected health information may be disclosed. In some cases where the business relationship does not have an existing contract, one will need to be implemented. This provision extends to attorneys, transcriptionists, accountants, answering services and more.

The Privacy Regulations also include making physical changes to protect the security of personal health information. Policies and procedures may need to be created regarding how protected health information is kept, from how and where files are kept to who has access to what information. Some of this, however, is covered under the Security regulation described below.

HIPAA requires that all providers designate a privacy official who will be responsible for implementing the privacy policies and procedures. In many cases, this person may be responsible for all of HIPAA implementation. In addition, this person will continue to monitor adherence to the rules once they are in place and will be the contact for when complaints and concerns regarding HIPAA violations occur.

The Department of Health and Human Services has designed the Office of Civil Rights to enforce the provisions of the Privacy Rule. Penalties for violations of HIPAA’s requirements have been established, although there is no plan in place at this time for how enforcement will be monitored.

Electronic Transactions

You should also be aware of another regulation released on August 17, 2000 to comply with the HIPAA legislation, which covers Standards for Electronic Transactions. The regulation is meant to standardize the format for electronic transmission of health care information by providers and health plans, and those that handle information on their behalf, in order to make government and private health programs more efficient. In addition, the regulation provides that uniform code sets will be used in these transactions.

The Transaction regulation became effective October 16, 2002 (2003 for small health plans); however, covered entities were also invited to submit a model compliance plan for an extension to October 16, 2003 . Those who submitted a compliance plan for an extension should be in the process of evaluating payors and vendors to determine when they will be compliant in order to make a timeline for the covered entity’s own compliance.

The Transaction regulations are the portion of HIPAA that truly relates to Administrative Simplification. These regulations have received support throughout the industry in creating a more efficient process for processing information in the following areas: health care claims and equivalent encounter information; health care payment and remittance advice; coordination of benefits; health claim status request and response; health plan enrollments and disenrollments; health care eligibility benefit inquiries and responses; health plan premium payments, payment order and remittance advice; and referral certification and authorization.

These standards apply only when these transactions are transmitted electronically, not when the same transactions are completed using paper. However, Medicare will be requiring all providers to submit claims electronically as of October 16, 2003 . The only exceptions will be through waivers granted to small providers that may submit by paper.

Security Regulation

The Security regulations apply to those same entities covered by the privacy rules. The Security regulations require covered entities to develop policies, procedures, and systems, with same goal as the Privacy regulations, to protect the patient’s individually identifiable health information. These measures refer only to electronic maintenance of protected health information and will need to include policies for preventing staff without a need to access patient information from viewing this information on computers or installing appropriate firewalls to prevent outsiders from accessing protected information.

The Security regulations require the appointment of a security official. This person should be someone with at least minimal IT experience. Covered entities will also be required to undergo a gap analysis of their security systems currently in place to determine where the current standards fall short of HIPAA’s requirements.

The Security regulations are scalable. This means that the Department of Health and Human Services would not expect a small home health agency to spend $150,000 on a computer software program like a hospital might. The programs and systems put into place must be reasonable and provide particular assurances that the protected information is safe.

These regulations are still in proposed form, but agencies should start developing policies and procedures as well as looking at computer systems. We do not anticipate that the final rules will be promulgated and a compliance date set before the end of this year.

^[1] Taken from Field Guide to HIPAA Implementation, written by Jan Root, et al., and published by the American Medical Association.