Privacy of Patient Information


Introduction. In his State of the Union address, January 27, 2000, President Clinton assured the American public that his administration would finalize medical privacy standards this year. That promise is consistent with the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires the establishment of privacy and security protections for individually identifiable health information.(1) The Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM), has received public comments and is in the process of finalizing regulations governing the disclosure of health information.(2) The NPRM sets forth many specific requirements that must be followed by healthcare providers, including anesthesiologists and radiologists.

State Versus Federal Law. Although many states already have a number of statutes and regulations pertaining to the non-disclosure of medical information, the regulations proposed by HHS also will apply to those states' healthcare providers.(3) The NPRM creates a federal floor of privacy protection that will supersede state law, unless the state law provides greater protection for the confidentiality of health information. Because the state statutes and regulations do not mandate the specific procedures required by the NPRM, practitioners must comply with the federal mandates.

Who Is Affected by the NPRM? HIPAA provides statutory authority for the privacy standard to be applied to a health plan, to a healthcare clearinghouse and to a healthcare provider who transmits health information in electronic form(4) (each a "Covered Entity"). The term "healthcare provider" includes anesthesiologists and radiologists among almost every other healthcare professional.(5) In addition to the "Covered Entities" identified above, the NPRM reaches entities not expressly covered by the proposed regulations. For example, healthcare providers who do not directly submit electronic transactions, nonetheless, would be subject to the rule if another entity (such as a practice management company, billing service or hospital) transmits information in electronic form on their behalf.(6)

Moreover, third parties that receive protected information from a "Covered Entity" also are subject to the rule. According to the NPRM, the disclosure of protected information by a "Covered Entity" to a noncovered business partner, such as a management company or billing service, is conditional on the acceptance of certain contractual provisions by the noncovered business partner. If a healthcare provider entered into an arrangement with a billing service, a management company, a marketing firm, an accountant or an outside attorney (who would be privy to certain protected information), those business partners would have to be bound by certain contractual provisions set forth by the NPRM before the protected information could be disclosed by the healthcare provider.(7)

What Is Covered? The privacy standard applies to individually identifiable healthcare information that is electronically maintained or transferred by a "Covered Entity." The privacy standard also applies to paper records that are the source of the electronically maintained or transmitted data and to any paper record generated from the electronic record.(8) Recently, the National Committee on Vital and Health Statistics has recommended that all paper containing individually identifiable healthcare information also should be subject to the standard.(9) In all likelihood, most (if not all) patient information maintained by a healthcare provider will be subject to the privacy standard.

The general rule protecting a patient's healthcare information is that a "Covered Entity" may not use or disclose an individual's health information, except as otherwise permitted by the NPRM.(10) Although this general rule is not very instructive on its face, it does establish that no patient information may be disclosed by a "Covered Entity" unless an exception applies. The broadest exception allows for disclosure without patient authorization in three circumstances: if the patient information is held by a health plan, a healthcare provider or a healthcare clearinghouse, then these organizations are permitted to disclose the minimum necessary information without advance authorization for purposes of (1) treatment, (2) payment or (3) healthcare operations.(11) Although the exception is broad, it permits the disclosure of only the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.

Complying With the Regulations. The fundamental principle of the NPRM is that an individual has a right to adequate notice of the "Covered Entity's" policies and procedures with respect to the protected information.(12) As a result, healthcare providers must provide a written notice to their patients that, among other things: (i) discloses the uses of the individual's information if disclosure is authorized; (ii) advises the individual of his or her ability to restrict disclosure; (iii) notifies the individual of his or her right to inspect and copy the information; and (iv) gives notice of the "Covered Entity's" policies and procedures to protect the covered information.(13)

The "Covered Entity" must provide an accounting to the individual of all disclosures made of his or her protected information, except for those permitted disclosures (i.e., treatment, payment and healthcare operations). A procedure must be implemented by the "Covered Entity" to provide the individual with the date of the disclosure, the name and address of the organization or person to whom the protected information was disclosed, a brief description of the information disclosed for purposes other than those made at the request of the individual, the purpose for which the information was disclosed, and copies of all requests for disclosure.(14)

Additionally, all "Covered Entities" must:

  1. Designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures at the entity;
  2. Designate a contact person or office responsible for receiving complaints that may arise from the NPRM, and an individual who is able to provide further information about an individual's privacy rights and the entity's compliance with the NPRM;
  3. Train employees in the workforce who are likely to have access to protected health information about its privacy policies and procedures;
  4. Implement safeguards to protect health information from intentional or accidental misuse;
  5. Provide a means for individuals to lodge complaints about the entity's information practices, and maintain a record of any complaints; and
  6. Develop a system of sanctions for members of the workforce and business partners who violate the entity's policies.(15)

Business partner agreements are required between the "Covered Entity" and any entity that provides administrative and support services to the "Covered Entity." Each agreement between a "Covered Entity" and a business partner must contain a number of detailed provisions that are beyond the scope of this article. Business partner agreements containing these provisions must be entered into between a "Covered Entity" and its business partner as a prerequisite to disclosing protected information. This requirement is designed to impose the restrictions of the NPRM on a broad segment of the healthcare industry not covered by HIPAA. The requirements listed in this section are just a few of the requirements a healthcare provider must satisfy to comply with the NPRM.

What Happens If I Do Not Comply With the Regulations? HIPAA grants the Secretary of HHS the authority to impose civil monetary penalties against "Covered Entities" that fail to comply with the requirements and standards set forth by HHS. The civil fines for violating a single requirement are capped at $25,000 per year. Considering the number of requirements a healthcare provider could potentially violate, the penalties could be extremely significant. Moreover, a knowing violation of the privacy requirements could result in fines as high as $250,000 and 10 years' imprisonment.(16) In addition to the fines levied by HHS, several state courts have granted individuals a private cause of action to bring a claim against a healthcare provider for disclosing sensitive medical information. In its current form, the NPRM does not provide a private cause of action for individuals.

Conclusion. This article is merely a brief overview of the impact of the NPRM, and addresses only a few of the statutory requirements soon to be mandated. If you fall within the definition of a "Covered Entity," we recommend that you consult with a competent attorney for guidance through the morass of regulatory requirements set forth by HHS.


  1. HIPAA at Sections 262 and 264.
  2. Ibid. at 262.
  3. See 18 VAC 110-380 addressing the duty of pharmacists to protect medical information of clients, as well as Virginia Code Sections 32.1-127.1:03 Addressing the privacy of patient health records.
  4. NPRM at Section 164.104.
  5. NPRM Preamble Section 11.B.5.
  6. Ibid. at Section 11.B.2.
  7. NPRM at Section 164.506(e).
  8. NPRM Preamble Section 1.E.1(b).
  9. See 9 BNA Health Law Reporter 163, February 2, 2000.
  10. NPRM at Section 164.506(a).
  11. Ibid. at Section 164.506(a)(1).
  12. Brittin, Brown and Tedsco, Understanding HHS's Proposed Health Information Privacy Standard, 8 BHLR 1949, December 9, 1999.
  13. NPRM at Section 164.152(d)(ii).
  14. Op. cit., Brittin, Brown and Tedsco.
  15. NPRM at Section 164.518 for all requirements.
  16. HIPAA at Sections 1128A and 1177.

© 2005 Medical Practice Management all rights reserved.