Privacy Rules Offer Little Guidance for Employers
by Jill Elswick
09/01/2001
Employee Benefit News
Copyright (c) 2001 Thomson Financial, Inc. All Rights Reserved.
Employment law specialists are fretting over federal guidance recently offered on medical records privacy. They say it skimps on practical advice for employers, whose health plans must comply with the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA) by April 14, 2003.
The question-and-answer style guidance can be found at the Department of Health and Human Services (HHS) Web page at www.hhs.gov/ocr/hippa/. Its 34 pages are "somewhat helpful for health care providers, but not a great deal of help for employers," observes John Hickman, partner in the Employee Benefits Practice Group with Atlanta-based Alston & Bird.
Issued July 6, the guidance relieves hospitals, for example, of the mistaken notion that they would have to build soundproof rooms to prevent eavesdropping on doctor-patient conversations.
HHS Secretary Tommy Thompson also pledges in the guidance to propose rule amendments to ensure "patients' access to quality health care," such as allowing pharmacists to fill phoned-in prescriptions for new patients without having the patient's signed consent on file.
Count 'em on one hand
Health plan issues clarified in the guidance can be summarized in a few bullet points, according to Hickman's analysis for the July 12 issue of the weekly e-mail newsletter from the Employee Benefits Institute of America (EBIA). Among these:
- Health plans are not required to obtain patient consent to use or disclose protected health information in order to carry out treatment, payment, or related health care operations.
- Plans may need a specific patient authorization to obtain medical information from treating physicians for plan coordination of benefits (COB) activities.
- Health providers may disclose protected health information to health plans to obtain payment even if patient consent has been revoked.
And while health plans are mentioned sporadically in the guidance, employers themselves are never directly addressed except in a brief aside. In answering the question "Who must comply with these new privacy standards?" the guidance curtly responds that "HHS does not have the authority to regulate employers."
Yet because the HIPAA privacy rule regulates health plans, employers who sponsor these plans - particularly those who self-insure - are, in effect, still on the compliance hook.
"Strange fiction"
"It's sort of a strange fiction that HHS created here," says Linda Abdel-Malek, attorney with the eHealth Law Practice of New York-based Moses & Singer.
"Since HHS was not allowed to implement rules that would affect employers directly," says Abdel-Malek, "what they did was say that group health plans would be considered health plans under the rule unless they had fewer than 50 participants and were self-administered."
Liability, and the obligation to comply with the privacy rule, would legally rest with the group health plan and not the employer, Abdel-Malek explains.
But "plans are typically not legal entities; they're pieces of paper," comments Tom Evans, president and CEO of healthcare IT consulting firm KMK Systems Technology.
"Mind you, HHS is not attempting to regulate the employer," says Evans. "But they back into it."
One exception in which an employer might be considered a "covered entity" under the HIPAA privacy rule, he notes, is if it runs an onsite medical clinic and performs one of 10 functions listed in the rule as a "standard transaction."
Who pays?
The practical fallout of a successful lawsuit against an employer-sponsored health plan under the HIPAA privacy rule remains to be seen.
"It would seem that if HHS imposed a penalty against the plan, you're kind of in a gray area as to whether or not the employer must pay that on behalf of the plan, since it was probably employer personnel acting on behalf of the plan," says Hickman. "I think that's an open issue."
Complicating the scenario, says Abdel-Malek, is the simple fact that "in the vast majority of cases, the plan has no assets."
"So the employer would practically be the one that would be most likely dealing with liability issues," she continues. "That's something that the rule has not specifically addressed, and I think it needs clarification."
"I think right now these regulations are to some extent fluid," adds Hickman. Indeed, HHS has emphasized that more guidance on the privacy rules is on the way, although it hasn't specifically said when employers can expect to receive clarification.
Various legislation is being introduced that may affect the HIPAA rules, sources say. Gaining momentum is a call to extend the deadline for compliance with the electronic data interchange and privacy rules to match that of the security regulations.
The security rule is widely expected to be issued by early fall. Under current law, each of the three rules entails a compliance deadline of two years after its final release.
Prepare now
"Covered entities can and should begin the process of implementing the privacy standards in order to meet their compliance dates," states the HHS in its guidance.
Don't expect the HIPAA privacy rule to just go away because it's controversial. The recent lawsuit by the South Carolina Medical Association to overturn the privacy regulations, for example, may be a red herring.
Central to that lawsuit is the idea that the rules are "unconstitutional" because Congress had little to do with drawing them up. In fact, Congress missed its self-imposed deadline to issue the rules; by its own mandate, the responsibility for issuing the privacy regulations fell on HHS.
Hickman advises employers to begin tracing all of the protected health information exchanges they conduct both internally and externally, "because the first step in establishing compliance is to determine which of those are permissible and which will require an authorization once the regulations come into play."
Look at your plan documents, suggests Abdel-Malek, to see how they would need to be amended. Figure out who handles employee health information; eventually, you'll have to establish firewalls between personnel who handle protected health information to administer the group health plan and personnel who handle such information for different purposes, such as workers' compensation.
"The HHS wants to make sure there's no discrimination in the workplace where people have access to this information and use it for purposes other than administering the group health plan."
Other actions a self-insured employer may consider taking: appoint a chief privacy officer, develop training materials on the new rules, and set up sanctions for when the rules are violated.