The Final HIPAA Rules: New Federal Rules on Patient Privacy Could Mean Big Changes for Health Care Providers and Employers

By T. Mills Fleming, as published in the August 2003 issue of The Practical Lawyer.

The U.S. Department of Health and Human Services recently finalized rules regarding the privacy of personal health information. 67 Fed. Reg. 53182 et seq. (Aug. 14, 2002). These rules implement portions of the Health Insurance Portability Affordability and Accountability Act of 1996 (“HIPAA”), and follow almost six years after its enactment.

HIPAA requires health plans, healthcare clearinghouses, and certain health care providers to guard against misuse of an individual’s identifiable health information. They also must limit the sharing of health information. HIPAA also provides consumers significant new rights, enabling them to understand and control how their health information is used and disclosed.

Individuals and health care industry professionals are still reviewing HIPAA’s regulations to determine how to comply with its broad provisions. While nearly everyone acknowledges the confidentiality of the physician-patient relationship, HIPAA reaches far beyond the scope of not disclosing a person’s medical information to third parties. For example, the new law regulates the information contained in a health care provider’s marketing materials. 67 Fed. Reg. at 53183-90. In addition, the rules may require authorization from each individual patient whose medical diagnosis or condition is used in a published statistical report, even if the patient’s name is not used. Id.

As with most federal laws involving healthcare, HIPAAis a complicated regulation and encompasses a broad range of health-related areas. To better understand the scope of HIPAA and the new rules, it is helpful to understand the law’s history.

HIPAA BACKGROUND

After President Clinton’s initial health care reforms failed in 1994, Congress recognized the importance of protecting the privacy of health information given the rapid evolution of health technology and information systems. For example, technology exists, and may soon be available, to allow a person’s entire medical history to be stored on a card (like a credit card). Use of this technology would make personal medical information easily transportable and create a real convenience for patients and medical providers. However, it also could create more opportunities for misuse of private health information.

Privacy

Additionally, Congress sought to maintain strong protections for the privacy of individually identifiable health information (such as a person’s medical condition or treatment plan). The concern is that information about a person’s health could be misused for purposes like employment decisions or health insurance coverage.

Appropriate Information-Sharing

In passing HIPAA, Congress also wanted to create efficient and effective procedures to allow sharing protected information for appropriate purposes. In addition, HIPAA’s most significant provision is the creation of a minimum level of protection for the privacy of what many individuals consider their most sensitive personal information—health information. These rules are intended to provide patients with assurances that their health information, including genetic information, will be properly protected. For example, the rules for protecting the information should not result in a delay in diagnosis or treatment of a patient. 67 Fed. Reg. at 53183. In addition, Congress wanted to adopt a uniform national standard for transactions involving personal health information, and, for the first time, create a floor of national protections for safeguarding confidential medical information. 67 Fed. Reg. at 53182.

Striking a Balance

HIPAA attempts to balance all of these concerns. While the success of the new law and the regulations remain to be measured, the process for developing the rules included in-depth feedback from a diverse group of health providers, insurance companies, and individuals. Additionally, the complete impact of HIPAA on the health care community and employers who offer health insurance may not be fully understood for some time. However, anyone who handles personal medical information should become familiar with the regulations and determine whether changes in their policies or procedures comply.

THE REGULATIONS

From this broad definition, just about every industry will be affected by HIPAA and, therefore, should take note of its broad applicability.

Which Entities Are Covered?

The recently enacted HIPAAregulations protect patients from the disclosure of their personal health information (“PHI”) by health plans, health care providers and health care clearinghouses, otherwise known as “covered entities.” 45 C.F.R. §160.103.

What Constitutes “Health Information”?

Health information is defined to include any information, whether oral or recorded in any form or medium that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual. Id.

Are Disclosures Ever Mandatory?

There are two circumstances in which a covered entity must disclose protected health information. The first involves disclosure to the individual, pursuant to a proper request, and the second involves disclosure to the Secretary of Health and Human Services when required to investigate the covered entity’s compliance with HIPAA. 45 C.F.R. §164.502. What Are Permissible Uses of PHI? HIPAApermits covered entities to use or disclose the PHI for treatment, payment, and health care operations and for other specified purposes. Besides treatment, payment, and health care operations, there are other circumstances in which a covered entity may use or disclose protected health information, generally without consent or authorization. These instances cover a variety of purposes, and each of them has its own requirements and limitations.