Health Insurance Portability & Accountability Act (HIPAA) drives the standards for privacy of individual health information “Privacy Rule” along with the addition of the Health Information Technology for Economic & Clinical Health (HITECH) “Security Rule”. The Privacy & Security Rule standards address the security, use, & disclosure of individuals’ health info personal health information (PHI) by organizations subject to the privacy rules. The HIPAA Security Standards consist of five major sections: Administrative safeguards, physical safeguards, technical safeguards, organizational requirements, & policy & document requirements.
A good HIPAA policy will address, develop, & put steps in place which deal with each of these areas of risk.
HIPAA also governs the requirement to allow employees to transfer from one medical plan to another, without being subject to pre-existing conditions if they had creditable coverage, which will no longer be relevant for plans starting 1/1/2014 or upon renewing in 2014 with the pre-existing conditions being eliminated under the Patient Protection & Affordable Care Act (PPACA).
Who is Covered by the Privacy Rule?
The Privacy Rule, as well as all the Administrative Simplification rules, applies to business associates, health plans, healthcare clearinghouses, & to any healthcare providers “covered entities” who transmit health info in electronic form as defined by Health & Human Services (HHS). A “business associate” is a person or entity which performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
Employers offering group health plans such as medical, dental, vision, Flexible Spending Account (FSA), Health Reimbursement Account (HRA) & Employee Assistance Plan (EAP) become a covered entity by virtue of their roles as plan sponsors & administrators, thus must take precautions in the handling of PHI & interactions with business associates. There is an exception for a health plan having less than 50 participants, which is administered & funded solely by the employer. However, the vast majority of employer-sponsored health plans are governed by HIPAA.
What is Required?
In general, the Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, & requests for, PHI to the minimum necessary to accomplish the intended purpose. Each organization should perform a risk analysis to
assess vulnerabilities in practices & procedures. The minimum necessary standard risk analysis should include:
- a review of the type & level of PHI received & or transmitted;
- a review of employee tasks that may include use, disclosure, or transmission of PHI;
- review IT & security practices & procedures for transition of e-PHI & Breach Notification;
- review written & oral disclosure practices &
What Information is Protected?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or business associate in any form or media, whether electronic, paper, or oral. Individually identifiable health information includes demographic data relating to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of healthcare to the individual,
- or the past, present, or future payment for the provision of healthcare to the individual, & identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual, such as name, address, birth date, Social Security
Limit Use & Disclosure to Minimum
When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose unless it can specifically justify the whole record as the amount reasonably needed for the purpose. A covered entity may also reasonably rely on a public official’s determination that the info requested is the minimum necessary for the public health purpose.
Use & Disclosure
Covered entity may not use or disclose PHI, except as permitted or required by the Privacy & Administrative Rule or as the individual who is the subject of the information (or their personal representative) authorizes in writing.
A covered entity must disclose PHI in only two situations:
- to individuals (or personal representatives) specifically when they request access to, or an accounting of disclosures of their PHI; and
- to HHS when it is undertaking a compliance investigation or review or enforcement
Written authorization may allow use & disclosure of PHI by the covered entity seeking the authorization, or by a third party. The content by a consent form, & the process for obtaining consent, are at the discretion of the covered entity electing to seek consent. However, all authorizations must be in plain language & contain specific info regarding:
- the info to be disclosed or used,
- the person(s) disclosing & receiving the info,
- expiration, their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances,
- right to revoke at any time, in writing, & how to exercise that right, & any applicable exceptions,
- other data such as explaining the potential for the info to be subject to redisclosure by recipient & no longer protected by the Privacy
Business Associate Agreements
HIPAA requires employers offering group health plans to enter into agreements with business associates governing the associate’s obligations to protect plan PHI, the distribution of a plan HIPAA notice of privacy practices, & safeguards protecting group health plan PHI. Anyone outside of an employer’s workforce who performs functions or activities that involves the use or disclosure of PHI, such as claims processing; data analysis; utilization review & billing is considered a business associate (e.g., insurance brokers, legal counsel, etc.). The HITECH Act imposes direct liability on business associates & business associate subcontractors for a specific set of obligations under HIPAA’s Privacy, Security & Breach Reporting Rules.
Notice & Other Individual Rights
The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use & disclose PHI about the individual, as well as his/her rights & the covered entity’s obligations with respect to that info. Most covered entities must develop & provide individuals with a notice of their privacy practices.
Providing the Notice: A covered entity must make its notice available to any person who requests it, & must prominently post & make available its notice on any website it maintains that provides info about its services or benefits. A covered entity may email the notice to an individual if the individual agrees to receive an electronic notice.
What is appropriate for one covered entity verses another will depend on the nature of the covered entity’s business, size, & resources. Each covered entity must analyze their own needs, compare those to the administrative requirements indicated
here, & implement a solution appropriate for their own environment.
- Privacy Policies & Procedures: Develop & implement written privacy policies & procedures that are consistent with the Privacy
- Privacy Personnel: Designate a privacy official responsible for developing & implementing privacy policies & procedures, as well as a contact person or department responsible for receiving complaints & providing individuals with info about privacy
- Workforce Training & Management: Train all workforce members on its privacy policies & procedures, as necessary & appropriate for them to carry out their functions; have & apply appropriate sanctions against workforce members who violate its privacy policies & procedures or the Privacy
- Mitigation: Mitigate, to the extent practicable, any harmful effect learned, caused by use or disclosure of PHI by its workforce or business associates in
- Data Safeguards: Maintain reasonable & appropriate administrative, technical, & physical safeguards to prevent intentional or unintentional use or disclosure of PHI & to limit its incidental use & disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing PHI to dispose of them, securing medical records with lock & key or pass code, & limiting access; secure or encrypt all data stored or transferred electronically; maintain a separate section marked “confidential” in employee files for PHI, & secure all files; restrict access to confidential section of employee files to HR & those who have a legitimate need to
- Complaints: Have procedures for individuals with complaint about compliance of privacy policies & procedures, explain procedures in privacy practices notice, identify who to submit complaints to at the covered entity & inform that complaints may be submitted to the Secretary of
- Retaliation & Waiver: Retaliation against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice the person believes in good faith violates the Privacy Rule, or to require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, & enrollment or benefits eligibility, is not permitted under any
- Documentation & Record Retention: Retain documents & records until six years after the latter of the date of creation or last effective date, its privacy policies & procedures, its privacy practices notices, disposition of complaints, & other actions, activities, & designations that the Privacy Rule requires to be documented.
- Fully-Insured Group Health Plan Exception: The only administrative obligations with which a fully- insured group health plan with no more than enrollment data & summary health info is required to comply are:
1) ban on retaliatory acts & waiver of individual rights, and 2) documentation requirements with respect to plan documents, if such documents are amended to provide for the disclosure of PHI to the plan sponsor by a health insurance issuer or HMO that services the group health plan.
Notification of Breach
Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS, & in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Individual Notice: Covered entities must provide individual notice in written form by first-class mail, or alternatively, by email, if the affected individual has agreed to receive notices electronically.
- If there is insufficient or out-of-date contact info for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside, & must include a toll-free phone number that remains active for at least 90
- If there is insufficient or out-of-date contact info for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other
Individual notifications must be provided without unreasonable delay & in no case later than 60 days following the discovery of a breach & must include, to the extent possible, a brief description of breach, the type of info involved, steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, & prevent further breaches, as well as contact info for the covered entity (or business associate, as applicable).
Media Notice: Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving the state or jurisdiction. This notification must be provided without unreasonable delay & in no case later than 60 days following the discovery of a breach, & must include the same info required for the individual notice.
Notice to the Secretary of HHS: In addition to notifying affected individuals & the media (if applicable), covered entities must notify the Secretary of breaches of unsecured PHI. Covered entities will notify the Secretary by visiting the HHS website & filling out & electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay & in no case later than 60 days following a breach. For a breach affecting fewer than 500 individuals, the
covered entity may notify the Secretary of such breaches on an annual basis, no later than 60 days after the end of the calendar year in which the breach is discovered.
Notification by a Business Associate: If a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay & no later than 60 days from the discovery of the breach.
Administrative Requirements & Burden of Proof: Covered entities & business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured PHI did not constitute a breach. Maintain documentation stating all required notifications were made, or alternatively, documentation demonstrating that notification was not required, risk assessment demonstrating a low probability that PHI has been compromised by impermissible use or disclosure or application of any other exceptions to the definition of “breach.”
Civil & Criminal Penalties
Civil penalties will vary significantly depending upon the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was willful. Persons who knowingly obtain or disclose individually identifiable health info in violation of the Privacy Rule may face criminal penalties of up to $50,000 & up to one-year imprisonment. Criminal penalties increase to $100,000 & up to a five-year imprisonment if the conduct involves false pretenses, & $250,000 & up to a 10- year imprisonment if conduct involves intent to sell, transfer, or use identifiable health info for commercial advantage, personal gain, or malicious harm.
In general, state laws contrary to the Privacy Rule are preempted by the federal requirement, which means the federal requirement will apply.
Covered entities, including employers who sponsor a group health plan should take action to ensure compliance with HIPAA Rule. Key steps include review & amendment of Business Associate Agreements, existing group health plan HIPAA policies & procedures, assigning a compliance officer, training those handling PHI, & other actions covered within this article.