In 1996, Congress passed the Health Insurance Portability and Accountability
Act (HIPAA). This law incorporated three ideas: (1) health insurance
portability, (2) national standards for electronic health care transactions, and
(3) federal privacy protections. Health insurance portability was the
first to be implemented. Electronic health care transaction standards
(called “Administrative Simplification”) became effective in October 2002,
unless a special one-year extension was requested by covered entities. The
federal privacy protections (perhaps the most complex and difficult of the
three) will take effect on April 14, 2003. Under these rules, covered
entities will be required to take specific measures to protect and guard against
the misuse of individually identifiable health information.
Health care providers who conduct certain financial and administrative
transactions electronically, health care clearinghouses, and health plans are
required, as “covered entities,” to meet the new privacy standards even if they
contract with others (called “business associates”) to perform some of their
essential functions.
Health care providers are any persons or
organizations that furnish, bill, or pay for health care in the normal course of
business. Health care clearinghouses convert non-standardized health care
data into standardized form. Health plans include group health plans of 50
or more participants (small health plans—plans with annual receipts not
exceeding $5 million—do not have to comply until April 14, 2004), plans that are
administered by other entities, health insurance issuers, HMOs, employee welfare
plans that offer health benefits to two or more employers, and any other
individual or group plan that pays the cost of medical care.
Under HIPAA, all individually identifiable health information that is
maintained, used, or disclosed by a covered entity, whether in written, oral, or
electronic form, is protected health information. Covered entities may use or
disclose protected health information without an individual’s consent for
treatment, health care operations, and payment functions. Except as authorized
by the individual who is the subject of the information or as explicitly
required or permitted by regulation, protected health care information may not
be disclosed to plan sponsors, employers, and life, disability, and workers’
compensation insurers.
Except for treatment purposes, only the “minimum
necessary” information to accomplish the permitted function may be provided.
Also, policies and procedures must be prepared that limit those within the
entity who have access to protected health information, and under what
conditions, based on job responsibilities and the nature of the business.
This aspect of the privacy rules will be among the most difficult to implement
because of the wide range of circumstances in which protected health care
information is used or disclosed. It will require covered entities to
balance the need to limit unnecessary or inappropriate access to and disclosure
of protected health care information against the need to provide effective and
prompt health care treatment.
Because many customary health care communications and practices take place in
an environment in which there is potential for the unintended disclosure of
individual health care information to non-authorized persons, HIPAA privacy
rules permit certain incidental uses and disclosures. Incidental uses and
disclosures will not violate the rules so long as they are limited in nature,
cannot reasonably be prevented, occur as a by-product of a permitted use or
disclosure, and the covered entity has implemented the minimum necessary
standard and applied reasonable safeguards.
Reasonable safeguards will vary from covered entity to covered entity
depending on factors such as size and the nature of its business. In
implementing reasonable safeguards, covered entities should analyze their own
needs and circumstances, the nature of the protected information they hold, and
the risks to patient privacy. Potential effects on patient care and the
financial and administrative burden of implementing particular safeguards may
also be considered.
Compliance with HIPAA privacy rules starts with determining whether you are a
covered entity or otherwise have access to protected information. For the
average health care provider or health plan, the privacy rules require:
· Notifying patients about their privacy rights and how their information can be used.
· Adopting and implementing privacy procedures for its practice, hospital, or plan.
· Training employees so that they understand the privacy procedures.
· Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
· Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
The implementation of these privacy rules is sufficiently flexible for
providers and plans to create their own procedures suitable to their size and
needs.
While covered entities have the greatest obligations, there are some
strategies to lessen the burden. For example, a fully insured health plan
will generally have fewer responsibilities because most protected health care
information will be handled by the insurer. Covered entities can use
“business associates” to carry out plan administration functions. Even so,
these privacy rules may give rise to confusing situations. For example,
although an employer is not permitted to receive protected health care
information, some of its employees will have access to this information because
they perform administrative duties for the employer’s health plan. If
these same employees also perform other, non-plan related services for the
employer, reasonable safeguards must be put into place to ensure that
information that is properly received in one capacity is not used improperly
when acting in another role.
HIPAA privacy rules set a federally mandated minimum. They do not supersede
other federal or state laws that grant individuals greater privacy protections.
Failure to abide by HIPAA requirements can result in the imposition of civil or
criminal penalties. Although HIPAA privacy rules are detailed and complex,
careful planning, adequate training, and reasonable safeguards can ensure that
protected health care information is not improperly used or disclosed.