HEALTH CARE AND MEDICAL PRACTICE UPDATE - MARCH 2003
SPECIAL HIPAA COMPLIANCE EDITION
OVERVIEW OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
(“HIPAA”) PRIVACY RULE
The stated purpose of the Privacy Rule is to set forth Federal protections for “Protected Health Information” (“PHI”), which is defined as individually identifiable health information that is: (1) transmitted by electronic media; (2) maintained in electronic media; or (3) transmitted or maintained in any other form or medium, including oral or written communications.
APPLICABILITY OF THE PRIVACY RULE
The Privacy Rule is applicable to “Covered Entities”, which encompass:
(1) Health Plans (individual or group plans that provide or pay the cost of medical care, with specific inclusions and exclusions);
(2) Health Care Clearinghouses (public or private entities that process or facilitate the processing of health information); and
(3) Health Care Providers (providers of medical or health or other services, and any person or organization who furnishes, bills, or is paid for health care in the normal course of business).
COMPLIANCE DEADLINES
- All health care-related entities covered by the Privacy Rule that do not qualify as “small health plans” must comply with its mandates by April 14, 2003.
- Small health plans with annual receipts of $5,000,000 or less must comply by April 14, 2004.
NECESSARY EFFORTS FOR PRIVACY RULE COMPLIANCE
Compliance with the essential provisions of the Privacy Rule requires various efforts on the part of Covered Entities, including:
(1) Developing policies and procedures for handling PHI;
(2) Developing and distributing a Notice of Privacy Practices to all patients;
(3) Using and disclosing PHI only as authorized, limited to the minimum necessary information;
(4) Appointing a privacy official;
(5) Educating employees as to HIPAA requirements and encouraging employees to report instances of unauthorized uses or disclosures of PHI; and
(6) Entering Business Associate Agreements with all Business Associates.
NOTICE OF PRIVACY PRACTICES
At the time of first service to a patient after the
Compliance Deadline, each Covered Entity must distribute to the patient and make
readily available at its facility a notice that clearly explains the rights and
practices outlined in the Privacy Rule and followed by the Covered Entity. The notice must explain: (1) how the Covered
Entity may use and disclose Protected Health Information; (2) the individual’s
rights in connection with Protected Health Information and how to exercise
these rights; (3) the Covered Entity’s legal duties in connection with
Protected Health Information; and (4) information regarding the appropriate
person to contact concerning the entity’s privacy policies.
MINIMUM NECESSARY STANDARD
Compliance also requires a Covered Entity to limit
the use, disclosure of, and requests for Protected Health Information to the
smallest amount of information necessary to accomplish the intended
purpose. In doing so, the entity must
identify the people or classes of people who need and are allowed access to
Protected Health Information to perform their jobs, set forth a protocol for
routine disclosures, and also implement standards of review for non-routine
disclosures.
PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
While there are many limitations on a Covered
Entity’s use or disclosure of Protected Health Information, the Privacy Rule
generally permits a Covered Entity to use and disclose such information for
treatment, payment, and health care operations without first obtaining patient
consent. This exception includes uses
for the provision, coordination, or management of health care and related
services; all activities involving a provider’s payment or reimbursement for
services; and administrative, financial and legal activities that a Covered
Entity performs to keep its business running successfully.
INCIDENTAL USES AND DISCLOSURES
The Privacy Rule permits certain Incidental Uses and Disclosures of Protected
Health Information when these disclosures occur as a by-product of a permitted
or required use of information that has been reasonably safeguarded. In order to qualify for such treatment, a
disclosure must be one that cannot reasonably be prevented, is limited in
nature and occurs as a result of a permitted
use or disclosure.
BUSINESS ASSOCIATE AGREEMENTS
Under the Privacy Rule, a Covered Entity must enter
a Business Associate Agreement with each Business Associate to protect their
use of any Protected Health Information. Business Associates include any
outside entities or individuals who arrange, perform, or assist in a function
involving the use or disclosure of individually identifiable health information. Those who provide legal, actuarial,
accounting, consulting, data aggregation, management, administrative,
accreditation, or financial services that involve the use or disclosure of
Protected Health Information fall within this definition. Typical Business Associates include
attorneys, accounting firms, consultants, pharmacies and third party
administrators.
A Business Associate Agreement must include: (1) a description of the permitted
and required uses of Protected Health Information by the Business Associate;
(2) representations by the Business Associate that it will not use or further
disclose Protected Health Information in violation of the agreement or any
other law, and will report any known unauthorized disclosures; and (3) a
requirement that the Business Associate will use appropriate safeguards to
protect all Protected Health Information.
For drafting assistance, the Department of Health and Human Services
(“HHS”) has provided sample agreements at http://www.hhs.gov/ocr/hipaa/contractprov.html.
HELPFUL INTERNET LINKS
As discussed in detail in our December 2002 Update,
further guidance on HIPAA issues is available on the Department of Health and
Human Services’ list of Frequently Asked Questions, which may be accessed at
http://www.hhs.gov/ocr/faqs1001.doc. In
addition, general HIPAA information may also be found on the Department of
Health and Human Services’ website at http://www.hhs.gov.
HIPAA SECURITY REGULATIONS
The HHS recently issued its final rule adopting
standards for the security of electronic Protected Health Information that must
be implemented by all Covered Entities (the “Security Rule”). The purpose of the Security Rule is to
protect the confidentiality, integrity, and availability of all electronic
protected health information. All
Covered Entities that do not qualify as “small health plans” must comply with
these regulations by April 21, 2005. Small health plans must comply by April 21, 2006. The Security Rule becomes effective on April 21, 2003 and is published at 68
Fed. Reg. 8333, 2/20/03.
Generally, Covered Entities must evaluate the prescribed safeguards, including: security
management, assigned security responsibility, workforce security, information
access management, security awareness and training, security incident
procedures, a contingency plan, evaluations, facility access controls, policies
for workstation use and security, device and media controls, access controls,
audit controls, integrity policies, person or entity authentication,
transmission security, and business associate agreements. If these procedures are reasonable and
appropriate in the entity’s business environment, the safeguards must be
instituted. If they are not, the Covered Entity must document why such a measure is not reasonable and appropriate and
implement an equivalent alternative measure if that measure is reasonable and
appropriate.
More specific information on the new Security Rule
and its provisions may be found at
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf. Additional information is also available at
the Centers for Medicare and Medicaid Services website at
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp.