
This proposed rule is no longer the most current information. It will continue to be available for reference, but the final rule has been published. View the final rule.


Detailed Summary:
The Proposed Privacy Rule

On October 29, 1999, the Department of Health and Human Services (HHS) released a proposed rule that establishes complex requirements to protect the privacy of electronic health information. The proposed rule imposes extensive operational requirements on the handling of health information by health care providers, health plans, health care clearinghouses and other entities. Some of the key issues in our review of the proposed rule include:

  • The proposed rule covers almost all entities in the health care industry that retain or transmit electronic health information and attempts to cover their "business partners" by imposing contractual requirements.
  • Covered entities must make all reasonable efforts not to use or disclose more than the 'minimum amount' of health information necessary to accomplish the intended purpose of the use or disclosure. Industry experts expect that the 'minimum amount' standard will be difficult to define and administer.
  • Complex and costly administrative safeguards are required.
  • Individuals whose information is being used or disclosed will have the right to sue as third-party beneficiaries of contracts between covered entities and their service providers that are exchanging health information.
  • State confidentiality laws that are more stringent than the proposed rule would remain in place, thereby largely retaining the existing patchwork of state confidentiality laws.
  • Covered entities are required to discipline other entities that improperly use or disclose health information provided by the covered entity.

Background
The proposed rule was promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA required Congress to enact privacy legislation by August 21, 1999. If legislation was not enacted by this deadline, HHS was required to promulgate regulations. Congress failed to enact such legislation, resulting in HHS issuing the proposed rule. HHS published the proposed rule on November 3, 1999 in the Federal Register (available for download at http://aspe.os.dhhs.gov/admnsimp).

The proposed rule is subject to a 60-day comment period and is expected to become final some time in February 2000. Given the scope and potential impact of the proposed rule, HHS is expecting thousands of comments.

Scope
The proposed rule has an expansive scope, governing the retention, use and disclosure of "protected health information" by "covered entities":

"Covered entities" is broadly defined as health plans, health care clearinghouses, health care providers and any person or organization who furnishes, bills or is paid for health care services or supplies in the normal course of business.

"Protected health information" (PHI) is defined as information that:

  • is received or created by a covered entity and relates to an individual's physical or mental health condition, or provision of care;
  • identifies the individual (or creates a reasonable basis to believe that the information can be used to identify the individual); and
  • is electronically transmitted or maintained at some point during the period of its retention.

Basic Requirements
The proposed rule requires covered entities to use and disclose PHI only as stated in the proposed rule. However, as a major departure from current practice, under the proposed rule covered entities do not need to obtain an individual's consent to disclose PHI for treatment, payment or health care operations. For all other uses or disclosures, covered entities must obtain an authorization from the individual whose PHI is being used or disclosed.

Covered entities are required to implement numerous administrative policies and procedures to protect PHI, including:

  • designating a privacy official;
  • training all personnel having contact with PHI about the rule;
  • meeting certain security requirements, currently stated in draft form in the earlier notice of proposed rulemaking entitled "Security and Electronic Signature Standard";
  • establishing an internal complaint process for individuals regarding their PHI; and
  • documenting all required policies and procedures.

Further, as a major break with current practice, under the proposed rule individuals will have the right to request amendment or correction of their PHI as if such records were a credit report. The proposed rule, however, allows covered entities to evaluate such requests and even to deny them on certain grounds.

Business Partners
One central aspect of the proposed rule is its treatment of "business partners." A "business partner" is broadly defined as a person or entity that receives PHI in order to perform a function or activity for a covered entity. The definition of business partner would include lawyers, auditors, consultants, third-party administrators, technology providers and other "covered entities" provided with PHI from a covered entity.

Covered entities are required to have a written agreement containing numerous contractual provisions with each business partner, such as requiring the business partner to use and disclose PHI only in accordance with the requirements of the proposed rule. Further, the proposed rule requires that such agreements include a provision stating that the individual whose PHI is being used or disclosed is a third-party beneficiary to the agreement, thereby creating a right of action for the individual to sue under such agreement.

Enforcement
The proposed rule provides that HHS will have the right to bring enforcement actions against covered entities. Under HIPAA, HHS may impose civil fines of up to $100 per person per violation and up to $25,000 per person for violations of a single standard within a calendar year. Further, HHS may refer an alleged violation to the Justice Department for criminal prosecution, with criminal penalties not to exceed $50,000 and/or imprisonment of not more than one year. However, if the alleged criminal violation was committed under false pretenses, the government may seek a fine of not more than $100,000 and/or imprisonment of not more than five years. An entity's potential liability under the proposed rule for a "flaw" in its system that violates the proposed rule is significant, given the possibility of thousands of violations arising from the large volumes of PHI used and transmitted on information systems.

Compliance
Covered entities must be in compliance with the rule no later than 24 months following the effective date of the rule, with the exception that small health plans (defined as a health plan with annual receipts of $5 million or less) must be in compliance no later than 36 months following the effective date of the rule.

What to Do Next?
The proposed rule, if finalized in its current form, would have an enormous impact on health care providers, health plans and other entities covered or affected by the rule. Some possible courses of action are:

  • Conducting a detailed review and analysis of the proposed rule.
  • Submitting comments / objections to HHS on the impact of the proposed rule on your organization.
  • Developing and documenting policies and procedures to comply with the proposed rule.
  • Reviewing agreements with "business partners" to address potential liability issues.

©1999 McDermott, Will & Emery. All rights reserved
Reproduction with attribution permitted.