Darren T. Binder, JD

The privacy rule that was required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 established important standards and protections for the transmission of health information. For the first time, a set of national privacy standards was created to provide "all Americans with a basic level of protection and peace of mind that is essential to their full participation in health care."

Despite some controversy, the privacy rule took effect on April 14, 2001, and businesses have between two and three years to comply. Because there are significant penalties associated with noncompliance, business leaders must determine whether their operations put them at risk of violating the regulations.

The privacy rule is an extensive and complex set of regulations that is designed to prevent covered entities from using or disclosing protected health information, except in specified circumstances. Protected health information includes all individually identifiable information in any form, electronic or not. The privacy rule also spells out rights with respect to privacy-protection requests, access to health information, amendment of protected health information, and accounting for information disclosures. The rule spells out procedures that covered entities must follow to ensure the confidentiality of protected health information.

Who is covered?

The first issue is determining the definition of a "covered entity." The privacy rule defines a covered entity as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a HIPAA-standard transaction. Here is how each is defined.

A health plan is an individual plan or group-health plan that provides, or pays the cost of, medical care. The definition includes 15 types of plans, such as group-health plans, health insurance issuers, health maintenance organizations, and certain government health programs (i.e., Medicare, Medicaid, Tricare, and the Federal Employees Health Benefits program). The privacy rule specifically excludes workers' compensation and automobile insurance carriers, other property and casualty insurers, certain forms of limited benefits coverage, and plans or programs that pay for certain benefits under the Public Health Service Act.

A health care clearinghouse is defined as a public or private billing service, repricing company, or community-health-management information system. It also includes networks that process nonstandard-formatted health information into a standard format, or vice versa. Telephone companies and Internet service providers are not considered health care clearinghouses unless they specifically carry out functions outlined in the definition. To fall within the definition of a clearinghouse, the entity must perform these functions on information received from another covered entity.

The definition of a health care provider used by the U.S. Department of Health and Human Services includes a "provider of services" or "provider of medical or health services," as both are defined under government health care programs. It also encompasses any other person or organization that furnishes, bills, or is paid for health care services or supplies in the normal course of business. Providers of services include hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, and hospices. Under the Social Security Act, providers of medical or health services include physicians, hospitals, and those who offer certain diagnostic services, durable medical equipment, certain ambulance services, and prosthetic devices.

Collateral responsibility

Importantly, under the privacy rule, even if a business does not meet the definition of a covered entity, it may still need to meet certain privacy safeguards as a result of doing business with a covered entity. A business-associate relationship can be created in one of two ways. First, a business that performs a service or function for or on behalf of a covered entity that involves protected health information is considered a business associate under the privacy rule. Second, a provider that furnishes specified services — legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services — to a covered entity has a business-associate relationship when those services involve the disclosure of protected health information to the provider.

With certain exceptions, a covered entity may disclose protected information to business associates as long as the covered entity is assured that the associate will safeguard that information. A contract between a covered entity and a business associate must establish the permitted uses and disclosures. In addition, the contract must provide that the business associate will comply with a number of requirements. For example, the business associate must use safeguards to prevent the improper use and disclosure of protected information, report any known uses or disclosures, ensure that anyone who provides assistance to the business associate agrees to abide by the business associate contract, provide access to protected health information when appropriate, and make compliance records available for government review.

The privacy rule also requires that the business associate agree to return or destroy, at the end of the contract, all protected information received on behalf of the covered entity. Certain exceptions, however, allow a covered entity to bypass these requirements, such as when information is disclosed to a health care provider regarding the treatment of a patient.

Health and Human Services Secretary Tommy Thompson may seek changes during the next year "to clarify the requirements and correct potential problems that could threaten access to or quality of care." For now, most covered entities have until April 14, 2003 to comply with the privacy rule; small health plans have until April 14, 2004.

Prison for violators?

There are substantial civil and criminal penalties for noncompliance: up to $250,000 in fines and 10 years in prison. Individuals and companies in the business of health care delivery should review their operations to determine whether they are subject to the privacy rule. Many will be surprised to discover that the rules apply directly or indirectly to them.

Darren T. Binder is a health law lawyer at Arent Fox Kintner Plotkin & Kahn in Washington. He may be contacted at (202) 775-5751 or binderd@arentfox.com.
