THE HIPAA PRIVACY RULE
BY RICHARD A. WRIGHT

Author’s Note: The HIPAA Privacy Rule discussed in this article is but one of a number of major regulations arising out of the Health Insurance Portability and Accountability Act of 1996. The other parts of HIPAA involve standards for electronic transactions; a proposed regulation assigning unique identifiers for employers/providers for use in electronic transactions; several rules to be proposed regarding electronic transactions involving health plans; and a proposed security rule.

Introduction
The HIPAA Privacy Rule is the first national regulation on medical privacy and the most encompassing federal legislation ever enacted involving health information management. It establishes national standards to protect the privacy of an individual’s personal health information and it provides individuals with increased rights of access to personal health information maintained by health care providers. Primarily designed to protect patient privacy and maintain the integrity of medical records, the underlying objectives of the HIPAA Privacy Rule are no different from the tenets to which most physician practices already adhere. The Privacy Rule serves to make these procedures more uniform. Unfortunately, for many physician practices, even if current procedures adequately meet the goals, they may not be enough. Many providers will be forced to make significant changes to their existing practices. Also be aware that HIPAA establishes a minimum level of federal protections. To the extent state law provides greater privacy rights than HIPAA, physicians must continue to follow state law requirements.

It is also important to be aware of the Privacy Rule’s sister regulation – the HIPAA Security Rule. While the federal government has not yet finalized the Security Rule, the Security Rule goes hand in hand with the Privacy Rule because privacy of health information is dependent to a large degree upon the security of health information.

The HIPAA Security Rule requires physicians to adopt appropriate administrative, physical and technical safeguards to protect the security and privacy of health information.

Who Does the HIPAA Privacy Rule Apply To?

The HIPAA Privacy Rule applies to:

  • Health care providers who transmit any health information in electronic form;
  • Health plans (e.g., health insurers, HMOs, group health plans, employee welfare benefit plans); and
  • Health care clearinghouses (e.g., billing services, repricing services, claims processors, etc.).

Interestingly, HIPAA does not apply to health information that is transmitted by fax or by voicemail because faxes and voicemails are not considered electronic form under HIPAA. However, HIPAA will apply to most physicians because most of their billing is done in electronic form.

What Does the HIPAA Privacy Rule Apply To?
The HIPAA Privacy Rule applies to the use and disclosure of “Protected Health Information.” Protected Health Information or “PHI” is defined as individually identifiable health information transmitted by electronic media, maintained in any electronic medium, or transmitted or maintained in any other form or medium. It includes demographic information such as name, address, date of birth, and social security number. It also includes any information regarding the health care services provided to a patient. Common examples of PHI are a patient’s medical records or payment/insurance information.

What Does the HIPAA Privacy Rule Require Physicians to Do?

For the “average physician,” the HIPAA Privacy Rule requires the physician to:

  • Provide patients with information about their privacy rights and how their PHI may be used/disclosed.
  • Obtain authorizations from patients for uses or disclosures of PHI other than for payment, treatment, or operations.
  • Adopt written privacy policies and procedures for their practice.
  • Designate a privacy officer responsible for adoption/compliance with privacy policies and procedures.
  • Train employees so that they understand the practice’s privacy policies and procedures.
  • Put confidentiality agreements in place with “business associates.”

Patient Privacy Rights
Under HIPAA, patients have the right to access and amend their personal medical records. Patients also have the right to receive an accounting of all uses and disclosures of their medical records made by a physician within the preceding 6-year period. As a result, a physician must establish procedures for patients to review or receive a copy of their medical records.

A procedure should also be developed for patients to add to or amend their records. HIPAA allows physicians to charge for copies of medical records so long as the charge is reasonable and based on cost. Physicians are also required to provide each patient with a “Notice of Privacy Practices.” The notice must describe how a patient’s PHI is used and/or disclosed by the practice. The notice must also describe the patient’s right to access his/her PHI. The notice must be written in plain language and it must be provided on the first date of service, or if that is not possible due to emergency circumstances, as soon as reasonably practical. Physicians are also required to make a good faith effort to have a patient acknowledge, in writing, receipt of the notice. Significantly, a physician may not require patients to waive any rights granted by HIPAA as a condition of the provision of treatment.

Authorizations
HIPAA requires a physician to obtain written authorization from a patient if the physician intends to use or disclose a patient’s PHI for purposes other than treatment, payment, or health care operations. For example, a patient’s PHI cannot be disclosed to a spouse or in support of an application for life insurance unless the patient authorizes the disclosure beforehand.

The authorization to use or disclose PHI must be written in plain language and must describe in specific terms the nature of the use or disclosure authorized. Physicians are required to document and retain signed authorizations.
Copies of the authorizations also must be provided to patients. HIPAA prohibits a physician from conditioning treatment of a patient on the receipt of an authorization.

Policies and Procedures
Probably the most burdensome aspect of HIPAA is the requirement that physicians implement written privacy policies and procedures. These policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to PHI undertaken by the physician. This means that a small physician group is not required to put in place the same types of policies and procedures that a large multi-specialty group practice or a hospital must implement.

It will, however, still have to go through the effort of adopting written policies and procedures, although such policies and procedures should be fewer in number and simpler than those required by larger organizations.

Designation of Privacy Officer/Contact Person for Complaints
Each physician practice must designate a privacy officer who is responsible for the development and implementation of the practice’s privacy policies and procedures. A person must also be designated to receive complaints about the provider’s privacy practices (the privacy officer and the person designated to handle complaints can be the same person). The designation of the privacy officer and the complaint person must be documented by the practice.

Staff Training
The HIPAA Privacy Rule requires a physician practice to train all workforce members on its privacy policies and procedures as necessary and appropriate for the members to carry out their functions for the practice. The nature of the training differs based on a staff member’s position. Following April 14, 2003, each new member of the workforce must receive training within a reasonable period of time after the person joins the physician’s workforce.

Business Associates
HIPAA requires that physician practices obtain adequate assurances that their “business associates” comply with certain confidentiality standards. HIPAA defines “business associates” to include billing companies, utilization review agents, attorneys, accountants, and anyone else to whom the practice discloses PHI for the purpose of providing services to the practice. Under HIPAA, a physician practice must put in place confidentiality agreements with all business associates. In terms of the timing for compliance with the business associate requirements, HIPAA has provided some flexibility.

Penalties for Violations of the HIPAA Privacy Rule
Failure by a health care provider to comply with the Privacy Rule could result in civil and criminal penalties. (The U.S. Department of Health and Human Services Office for Civil Rights is the government agency responsible for enforcing the HIPAA Privacy Rule.) In terms of civil penalties, the failure to comply with a requirement of the Privacy Rule could subject a physician to a penalty of $100 per violation, with a maximum penalty of $25,000 per year for each provision of the HIPAA Privacy Rule that is violated. To be subject to a criminal penalty for violating HIPAA, a wrongful disclosure of PHI must be made and such disclosure must be committed “knowingly.” A person commits an act “knowingly” when it is done purposefully; that is, the act is a product of a conscious design, intent or plan that it be done. The penalty for a wrongful disclosure is a $50,000 fine, one year of imprisonment, or both. A more severe criminal penalty can be incurred for a wrongful disclosure committed under false pretenses (e.g., claiming to be another person in order to access that person’s PHI). Violators may be subject to a $100,000 fine, five years of imprisonment, or both. However, the most severe penalty under HIPAA involves a wrongful disclosure committed with the intent to sell PHI. The penalty for a wrongful disclosure of PHI committed with the intent to sell PHI for commercial advantage, personal gain, or malicious harm is a $500,000 fine, 10 years of imprisonment, or both. Some potential bases for criminal violations of HIPAA are employee liability for his/her own conduct, liability of privacy officers, corporate liability for acts of employees, concurrent liability of employees and corporation, and business associate liability.

About the author: Richard A. Wright is counsel to the law firm of Kalison, McBride, Jackson & Murphy, P.A. located in Liberty Corner, New Jersey. His practice concentrates on the representation of physicians, hospitals, and health plans in New York and New Jersey. He can be reached by email at rawright@comcast.net.