Determining Who Is Covered By HIPAA Privacy Regulation
MANAGED CARE November 2001. ©MediMedia USA
The privacy rule that was required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 established important standards and protections for the transmission of health information. For the first time, a set of national privacy standards was created to provide "all Americans with a basic level of protection and peace of mind that is essential to their full participation in health care."
Despite some controversy, the privacy rule took effect on April 14, 2001, and businesses have between two and three years to comply. Because there are significant penalties associated with noncompliance, business leaders must determine whether their operations put them at risk of violating the regulations.
The privacy rule is an extensive and complex set of regulations that is designed to prevent covered entities from using or disclosing protected health information, except in specified circumstances. Protected health information includes all individually identifiable information in any form, electronic or not. The privacy rule also spells out rights with respect to privacy-protection requests, access to health information, amendment of protected health information, and accounting for information disclosures. The rule spells out procedures that covered entities must follow to ensure the confidentiality of protected health information.
Who is covered?
The first issue is determining the definition of a "covered entity." The privacy rule defines a covered entity as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a HIPAA-standard transaction. Here is how each is defined.
A health plan is an individual plan or group-health plan that provides, or pays the cost of, medical care. The definition includes 15 types of plans, such as group-health plans, health insurance issuers, health maintenance organizations, and certain government health programs (i.e., Medicare, Medicaid, Tricare, and the Federal Employees Health Benefits program). The privacy rule specifically excludes workers' compensation and automobile insurance carriers, other property and casualty insurers, certain forms of limited benefits coverage, and plans or programs that pay for certain benefits under the Public Health Service Act.
A health care clearinghouse is defined as a public or private billing service, repricing company, or community-health-management information system. It also includes networks that process nonstandard-formatted health information into a standard format, or vice versa. Telephone companies and Internet service providers are not considered health care clearinghouses unless they specifically carry out functions outlined in the definition. To fall within the definition of a clearinghouse, the entity must perform these functions on information received from another covered entity.
The definition of a health care provider used by the U.S. Department of Health and Human Services includes a "provider of services" or "provider of medical or health services," as both are defined under government health care programs. It also encompasses any other person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business. Providers of services include hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, and hospices. Under the Social Security Act, providers of medical or health services include physicians, hospitals, and those who offer certain diagnostic services, durable medical equipment, certain ambulance services, and prosthetic devices.
Importantly, under the privacy rule, even if a business does not meet the definition of a covered entity, it may still need to meet certain privacy safeguards as a result of doing business with a covered entity. A business-associate relationship can be created in one of two ways. First, a business that performs a service or function for or on behalf of a covered entity that involves protected health information is considered a business associate under the privacy rule. Second, a provider that performs specified services — legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services — to a covered entity has a business association when those services involve the disclosure of protected health information to the provider.
With certain exceptions, a covered entity may disclose protected information to business associates as long as the covered entity is assured that the associate will safeguard that information. A contract between a covered entity and a business associate must establish the permitted uses and disclosures. In addition, the contract must provide that the business associate will comply with a number of requirements. For example, the business associate must use safeguards to prevent the improper use and disclosure of protected information, report any known uses or disclosures, ensure that anyone who provides assistance to the business associate agrees to abide by the business associate contract, provide access to protected health information when appropriate, and make compliance records available for government review.
The privacy rule also requires that the business associate agree to return or destroy, at the end of the contract, all protected information received on behalf of the covered entity. Certain exceptions, however, allow a covered entity to bypass these requirements, such as when information is disclosed to a health care provider regarding the treatment of a patient.
Health and Human Services Secretary Tommy Thompson may seek changes during the next year "to clarify the requirements and correct potential problems that could threaten access to or quality of care." For now, most covered entities have until April 14, 2003 to comply with the privacy rule; small health plans have until April 14, 2004.
Prison for violators?
There are substantial civil and criminal penalties for noncompliance: up to $250,000 in fines and 10 years in prison. Individuals and companies in the business of health care delivery should review their operations to determine whether they are subject to the privacy rule. Many will be surprised to discover that the rules apply directly or indirectly to them.