Electronic health record proposal addresses privacy protection
There is no question that there is concern regarding the security of electronic medical records. There is also no question, in my opinion at least, that the use of electronic medical records will increase. This increase in the use of electronic records will be driven by several factors, not the least of which is their usefulness in the prevention of human error. Consider the example of computerized emergency department records in which every record is required to have an allergy field completed (and the allergy data is entered properly), and all discharge prescriptions must be entered in the record. With this system, you can avoid the all-too-common error of sending patients home with prescriptions for medications to which they are allergic. This is just one simple example. There are many other ways the use of computerized records can help us to reduce the incidence of medical error.
However, if we are to realize the benefits of computerized records, we must also address the potential problems. One of the major potential problems, and the focus of this month’s issue, is the security of electronic medical records. The proposed rule creates new potential liability for those who use and maintain electronic medical records and might open the door to a whole new area of liability for health care providers and health plans, in addition to potentially impeding their business relationships. This is particularly problematic for emergency physicians who must frequently make decisions regarding the use or release of medical record information under considerable time pressure.
Keep in mind that reducing 147 pages of the Federal Register to 12 pages of readable text involves the elimination of considerable detail. The purpose of this article, therefore, is to provide an introduction to this interesting and important topic and highlight its implications for emergency departments and personnel. Electronic record privacy policies and procedures should always be drafted with the assistance of competent counsel. If you don’t think you need to worry about these regulations, as you read this article, you will find that the potential civil and criminal penalties for violation range up to $250,000 and imprisonment for up to 10 years!
Introduction
In recent years, there has been growing public concern as to the security of private information that is transmitted electronically. One of the most prominent factors contributing to this concern has undoubtedly been the explosive growth of communication via the Internet and the advent of the "information superhighway." Although much of the media focus has been on "hackers" and other unintended third parties obtaining access to financial records (such as credit card numbers and checking accounts), some surveys have shown that the public is also quite concerned with maintaining the confidentiality of their health and medical information.1 This growing and widespread concern has not escaped the attention of the White House. On Jan. 27, President Clinton delivered his first State of the Union address of the new millennium. As part of this speech, he referred to the fact that, in 1999, the federal government "proposed to protect every citizen’s medical record" and that in the year 2000, the government intends to finalize those protective rules.2 The "rules" to which President Clinton referred are the Standards for Privacy of Individually Identifiable Health Information (hereafter, "the regulations"), proposed by the Department of Health and Human Services (HHS) on Nov. 3, 1999.3 Reading through the regulations makes one realize, among other things, that HHS has taken upon itself the role of acting as the guide for initiating privacy and patient confidentiality reform within the health care industry. Indeed, HHS claims that the regulations will "address growing public concerns that advances in electronic technology in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information . . ."4
Although the regulations firmly establish the federal government’s intent to jump into the health care privacy arena, the government was, by no means, the first to recognize the importance of this issue. Undoubtedly, most health care providers are aware that they can already be sued (not to mention be subject to possible professional discipline) for the unauthorized disclosure to a third party of nonpublic medical information that they learned within the confines of the confidential physician-patient relationship. Common law theories supporting this liability include invasion of privacy and breach of physician-patient confidentiality. Additionally, some courts have held that such unauthorized disclosures may serve as a basis for a medical malpractice cause of action under their respective state statutes governing the professional liability of health care professionals. There are also federal and state medical record privacy statutes.
General Rules
The regulations apply to three primary types of health care entities that electronically transmit health information covered by the regulations: 1) health plans; 2) health care clearinghouses;5 and 3) health care providers. Collectively, those three types of entities are referred to in the regulations as "covered entities" (CEs).
The regulations establish several rules that must be followed by all CEs to ensure adequate protection of an "individual’s" protected health information (PHI). PHI is "individually identifiable health information" that is, or has been, electronically transmitted or electronically maintained by a CE. Moreover, PHI includes such information, no matter what its current form. In other words, once individually identifiable health information has been stored or transmitted electronically, it is subject to the regulations, even if the only remaining form in which the information has been retained is paper. Even more problematic is the fact that the definition of PHI also reaches backward in time. That is, the original paper version, if any, of the individually identifiable health information that became the electronic record is also considered PHI. Indeed, it is this expansive definition of PHI that has generated much anxiety in the health care community as to the unanticipated wide reach of the regulations.
With that said, one must first understand the general rules governing PHI.
Basic Rule
In general, a CE may not use or disclose PHI unless the purpose of the use or disclosure:
- is to carry out treatment, payment, or health care operations, except for research information unrelated to treatment;
- is pursuant to an individual authorization by the individual;
- does not require an individual authorization for one of the 13 reasons listed in the regulations;
- is pursuant to a request by the individual to access the information; or
- is to HHS to enable it to investigate or determine the CE’s compliance with the regulations.6
Importantly, as a general rule, only the minimum amount of PHI necessary to accomplish the allowed purpose may be disclosed.
Disclose the Minimum Information Required
Standard. When a CE discloses PHI, it must generally disclose only the minimum amount of PHI necessary to accomplish the purpose of the allowed use or disclosure. There are several exceptions to this rule; it does not apply when:
- the request is made by the individual or HHS pursuant to its enforcement authority under the regulations;
- the disclosure or use is required by law, and an authorization is not required by the regulations;
- the disclosure or use is necessary to ensure compliance with the regulations; or
- the request is by a health care provider to a health plan for audit-related purposes.7
Moreover, if the request is made by a public official in a situation that does not require an authorization, the CE may reasonably rely on the representations of the public official that the PHI requested is the minimum necessary for the stated purpose.
Policies and Procedures. CEs must identify appropriate persons within their organization who will be designated to determine what information should be used or disclosed consistent with the minimum necessary disclosure standard. Additionally, a CE must implement a procedure by which the minimum necessary determinations are made on an individual basis, while taking into consideration the limits of the CE’s technological capabilities. Overall, a reasonableness standard is applied. In other words, smaller or less sophisticated CEs are not expected to have the ability to make individual determinations. Nonetheless, HHS expects that, in most cases in which CEs possess more PHI than is necessary to accomplish the purpose of the use or disclosure, some method of limiting the PHI will be implemented.
Although the minimum necessary rule might sound good in theory, the impracticality of its application on a day-to-day basis is not difficult to imagine. First, the requirement that the amount of the PHI to be disclosed must be determined on an "individual basis" will obviously necessitate CEs devoting substantial administrative time to making such decisions. Second, the rule could serve, paradoxically, as an impetus for poor medical practice. Health care providers may become overly cautious as to what PHI they believe should be disclosed to others who require the information. Moreover, the amount and type of information that may be necessary for one health care provider, such as a physical therapist, might not be sufficient for a physician to treat the same individual within the parameters of the standard of care for his or her profession. Consequently, this rule poses a new potential for liability for health care providers, including emergency department physicians who are often under substantial time pressure when making decisions.
"De-identified" PHI
Standard. PHI that the CE has "de-identified" (i.e., the individual’s identity cannot be ascertained) is not subject to the regulations’ protections.8
Policies and Procedures. CEs may de-identify PHI by removing, coding, encrypting, or otherwise eliminating or concealing the information that makes such PHI individually identifiable. PHI is presumed to be de-identified if three requirements are satisfied:
1. All "identifiers" listed in the regulations pertaining to the individual must have been removed or otherwise concealed.
2. In addition to those enumerated identifiers, the CE must have removed any other unique identifying number, characteristic, or code that it reasonably believes might be available to an anticipated recipient of the otherwise de-identified PHI.
3. The CE must not have any reason to believe that an anticipated recipient of the de-identified PHI could use the information, alone or in combination with other information, to "re-identify" the individual.
Business Partners: Your Brother’s Keeper
Standard. A "business partner" is a person to whom the CE discloses PHI in order that such person can assist the CE with the performance of, or perform on behalf of the CE, one of its functions or activities. "Business partners" do not include members of the CE’s work force (employees, volunteers, trainees, etc.). Two primary rules govern business partners:
1. A CE must not disclose PHI to a business partner unless it first obtains "satisfactory assurance" (i.e., a contract) from the business partner that it will appropriately safeguard the information, unless the disclosure is between health care providers for consultation or referral purposes.
2. A CE must take reasonable steps to ensure that each of its business partners complies with the regulations as to any task or other activity it performs on behalf of the CE.
Policies and Procedures. In order to give "satisfactory assurances" that its business partner will meet the requirements of the regulations, the CE’s contract must affirmatively place upon its business partner the duties to:
- not use or further disclose the PHI other than as permitted or required by the contract;
- not use or further disclose the PHI in a manner that would violate the regulations if performed by the CE;
- use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the contract and report to the CE any disclosures or uses not in conformity therewith of which the business partner becomes aware;
- ensure that any subcontractors or agents to whom it provides PHI received from the CE agree to the same restrictions and conditions that apply to the business partner with respect to such information;
- make the PHI available to the individual if he or she requests access;
- make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from the CE for purposes of determining whether the CE has complied with the regulations;
- either return to the CE or destroy all PHI received from the CE that the business partner still maintains in any form and retain no copies;
- incorporate any amendments or corrections to the PHI when notified in accordance with the regulations.9
In addition, the contract must state that the CE is permitted to terminate the contract if it determines that the business partner has violated any of the eight aforementioned duties and that the individuals whose PHI is disclosed pursuant to the contract are intended third-party beneficiaries of the contract.
This last requirement has already generated much controversy among health care attorneys. Although HHS claims that the regulations do not provide for a private right of action, it simultaneously imposes this third-party beneficiary requirement on contracts with business partners. Consequently, individuals will be able to sue not only the CE, but also the CE’s business partners, for any breach of the use and disclosure obligations as to the PHI contained in the contract.
Right to Restrict Uses and Disclosures
Standard. Health care providers must permit individuals to request that uses or disclosures of PHI for treatment, payment, or "health care operations"10 be restricted. If the health care provider agrees to the requested restrictions, it must not then make uses or disclosures that are inconsistent with such restrictions. Note that the health care provider does not have to agree to the requested restriction, but if it agrees, it is bound to abide by the restriction. HHS recognizes that an individual’s medical history and records, particularly information about current medications and other therapies, are often very relevant when new treatment is sought and, therefore, the individual cannot seek to withhold this information from subsequent providers without risk.
Exceptions: This standard does not apply if:
- the health care services provided to the individual are emergency services;
- the disclosure or use that the individual has requested be restricted does not require an authorization; or
- the disclosure is pursuant to the HHS’s enforcement authority under the regulations.
Although the first exception is particularly relevant to emergency department personnel, the exceptions seem somewhat irrelevant, because health care providers are not required to accept an individual’s request to restrict disclosure of PHI under this section. Nonetheless, HHS does believe that an exception for emergency services is necessary because such situations might not afford health care providers and their patients sufficient opportunity to discuss the potential implications of restricting further use and disclosure of the health care information. Additionally, HHS acknowledges that health care providers may not be free to refuse treatment to an emergency patient (e.g., because of the Emergency Medical Treatment and Active Labor Act) if the provider does not wish to honor a patient’s request to restrict further use or disclosure of PHI, leaving the provider in an unfair position.
Policies and Procedures. CEs must establish procedures that:
- provide individuals with the opportunity to request a restriction on the uses and disclosures of their PHI;
- provide that restrictions to which the CE agrees will be in writing;
- enable the CE to honor such restrictions;
- provide for notification of the restriction to others to whom the information was previously disclosed.
CEs, however, do not have to ensure that any agreed-upon restrictions as to use or disclosure of PHI are maintained once the PHI leaves the control of the CE or its business partners.
Notice of CE’s Practices Concerning PHI
Standard. CEs, except for clearinghouses, must provide adequate notice to individuals of their policies and procedures, as well as the individuals’ rights, as to the PHI. The notice must adequately inform individuals of their rights under the regulations and the procedures for exercising those rights as to their PHI.
Policies and Procedures. CEs will be presumed to have given adequate notice if the notice states the following:
- the uses and disclosures of the PHI, as well as the CE’s policies and procedures governing PHI;
- that other uses and disclosures will only be made with the individual’s authorization and that the individual may revoke such an authorization;
- the individual may request that certain uses and disclosures of his or her PHI be restricted and that the CE is not required to agree to such a request;
- the individual has the right to request that he or she be permitted to inspect and copy, amend, or correct, and obtain an accounting of any disclosures by the CE of his or her PHI, as well as receive a description of the CE’s procedures for exercising the aforementioned rights;
- the CE is required by law to protect the privacy of PHI, provide a notice of its policies and procedures concerning PHI, and abide by the terms of the notice currently in effect;
- the CE may change its policies and procedures concerning PHI at any time and may change its policies and procedures concerning how individuals will be notified of those changes;
- individuals may complain to the CE or HHS if they believe that their privacy rights have been violated;
- the name and telephone number of the CE’s contact person or office;
- the date the version of the notice was produced.11
CEs must make their notices available to any person or entity that requests a copy of the notice. Additionally, health care providers, within the one-year period following the date at which they are required to be in compliance with the regulations, must provide a copy of the notice to their patients the first time thereafter that they provide service to each such individual. If the service is provided other than "face-to-face," however, the health care provider need only provide a copy of the notice within a reasonable period of time after the service was delivered. Health care providers also have a duty to post a copy of the notice "in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice."12
Right to Access PHI
Standard. Individuals generally have the right to inspect and obtain a copy of their PHI in "designated record sets"13 from health care providers and health plans for as long as those entities maintain the PHI. The health care provider or health plan may reject an individual’s request for access if:
- a licensed health care professional has determined that, in the exercise of reasonable professional judgment, accessing the PHI is reasonably likely to endanger the life or physical safety of the individual or another person;14
- the PHI concerns another person and a licensed health care professional has determined that accessing the PHI would reasonably likely cause substantial harm to such other person;
- the PHI was obtained under a promise of confidentiality from someone other than a health care provider, and such access would likely reveal the source of the PHI;
- the PHI was obtained in the course of a clinical trial, the individual agreed to being denied access to the PHI when consenting to participate in the clinical trial, and the clinical trial is in progress; or
- the information was compiled in reasonable anticipation of, or for use in, a legal proceeding (e.g., a medical malpractice case).
Nonetheless, the CE must, if possible, make any other requested PHI available to the individual consistent with the denial.15
Policies and Procedures. Health care providers and health plans must implement procedures that enable individuals to exercise their right to access PHI as described in this rule. At a minimum, the CE must provide a means by which individuals can request access to or a copy of their PHI, as well as provide for "taking action"16 on requests for PHI as soon as possible, but not later than 30 days after receipt. If the request is accepted, the CE must additionally provide:
- for notification to the individual of the decision and of any procedures necessary to fulfill the request;
- the PHI requested in the form or format requested, if it is readily producible in such form or format;
- for facilitating the process of inspection and copying;
- for a reasonable, cost-based fee, if any, for copying PHI.
In contrast, if the request is denied (even if only partially), the CE must provide the individual with a written statement, in plain language, that explains the basis for the denial and describes how the individual may complain to either the CE pursuant to its complaint procedures, including the name and telephone number of the contact office or person, or to HHS, including the information relevant to filing such a complaint.
Right to Accounting of PHI Disclosures
Standard. Individuals have the right to an accounting of all disclosures of their PHI by a CE, as long as such information is maintained by the CE, with the following exceptions:
- the disclosure was for treatment, payment, or health care operations; or
- the disclosure was to a health oversight or law enforcement agency that has provided the CE with a written request that states that an accounting of the disclosure would reasonably likely impede the agency’s activities and specifying the period during which such exception is required.17
Policies and Procedures. CEs must implement procedures to provide individuals with the accounting required by this rule as long as the CE maintains the PHI. Those procedures must provide an accounting that includes:
- the date of each disclosure;
- the name and address of the organization or person who received the PHI;
- a brief description of the PHI disclosed;
- the purpose for which the PHI was disclosed (if the request was not made by the individual);
- copies of all requests for disclosure of the person’s PHI.
CEs must provide the accounting to the individual as soon as possible, but no later than 30 days after receiving the request. Moreover, CEs also must implement a procedure for requiring their business partners to provide such an accounting upon the CE’s request.
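The accounting described above is, in implementation terms, a filtered view over a disclosure log. The following is an added example (not code from the article or from HHS) showing how an EHR might generate it: it drops disclosures made for treatment, payment, or health care operations, withholds disclosures to an agency whose written suppression request is still in force on the date the accounting is produced, includes the purpose only when the individual did not make the request, and computes the 30-day response deadline. The sample log, the matching of a suppression request to a disclosure by the recipient field, and all names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Disclosure purposes the proposed rule exempts from the accounting requirement.
EXEMPT_PURPOSES = {"treatment", "payment", "health care operations"}

# The proposed rule gives the CE at most 30 days to act on an accounting request.
ACCOUNTING_DEADLINE = timedelta(days=30)


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str                  # name and address of the receiving person or organization
    description: str                # brief description of the PHI disclosed
    purpose: str                    # purpose of the disclosure
    requested_by_individual: bool   # True when the individual asked for the disclosure
    request_copy: str               # copy of the request (here a short text stand-in)


@dataclass(frozen=True)
class SuppressionRequest:
    """Written request from a health oversight or law enforcement agency stating that
    an accounting would impede its activities, with the period for which it applies."""
    agency: str
    start: date
    end: date                       # inclusive


def is_suppressed(d: Disclosure, suppressions, as_of: date) -> bool:
    # Assumption (not in the rule text): the agency is matched on the recipient field.
    return any(s.agency == d.recipient and s.start <= as_of <= s.end
               for s in suppressions)


def accounting(disclosures, suppressions, as_of: date):
    """Build the accounting a CE must provide, as of the date the request is answered."""
    entries = []
    for d in sorted(disclosures, key=lambda x: x.disclosed_on):
        if d.purpose in EXEMPT_PURPOSES:
            continue                         # treatment/payment/operations are exempt
        if is_suppressed(d, suppressions, as_of):
            continue                         # agency suppression period still running
        entry = {
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "description": d.description,
            "request_copy": d.request_copy,
        }
        # The purpose is required only when the individual did not make the request.
        if not d.requested_by_individual:
            entry["purpose"] = d.purpose
        entries.append(entry)
    return entries


def response_deadline(received_on: date) -> date:
    """Latest date by which the CE must act on an accounting request."""
    return received_on + ACCOUNTING_DEADLINE


# Constructed sample disclosure log (fictional names, addresses, and dates).
SAMPLE_DISCLOSURES = [
    Disclosure(date(2000, 3, 2), "Consulting cardiologist, 1 Main St",
               "ECG and troponin results", "treatment", False, "verbal consult request"),
    Disclosure(date(2000, 3, 9), "State Health Department, 2 Capitol Ave",
               "tuberculosis test result", "public health reporting", False, "TB reporting form"),
    Disclosure(date(2000, 4, 1), "County Sheriff, 3 Court St",
               "name, date of birth, type of injury", "identification of suspect", False,
               "written identification request"),
    Disclosure(date(2000, 4, 15), "Patient's attorney, 4 Law Ln",
               "complete ED record", "released at individual's request", True,
               "signed authorization"),
]

# Constructed: the sheriff's office asked that its disclosure be withheld through June 30.
SAMPLE_SUPPRESSIONS = [
    SuppressionRequest("County Sheriff, 3 Court St", date(2000, 4, 1), date(2000, 6, 30)),
]

if __name__ == "__main__":
    for entry in accounting(SAMPLE_DISCLOSURES, SAMPLE_SUPPRESSIONS, date(2000, 5, 1)):
        print(entry)
    print("respond by", response_deadline(date(2000, 5, 1)))
```

Run in May 2000, the sample produces two entries (the public health report and the disclosure the patient requested, the latter without a purpose field); run after June 30, the sheriff's disclosure reappears because the suppression period has lapsed. Retaining the full log and applying the exclusions at report time, rather than omitting exempt entries from the log itself, is what lets the same data answer a later request correctly.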
Amending or Correcting PHI
Standard. Individuals have the right to request health care providers or health plans to amend or correct PHI contained in the CE’s "designated record sets" for as long as the CE maintains the PHI.18 The CE, however, may deny the request if it determines that 1) it did not create the PHI; 2) the PHI would not be available for inspection or copying; or 3) the PHI is accurate and complete.
Therefore, although concerns that individuals will have an unbridled right to alter their medical records may be unfounded (if such records are accurate and complete), health care providers and health plans will nonetheless be faced with the administrative hassle of having to respond to each such request.
Policies and Procedures. Health care providers and health plans must implement procedures that provide individuals with a means by which to request an amendment or correction to their PHI and take action upon such a request within 60 days of its receipt. If the health care provider or health plan accepts any part of the request, it must then notify the individual of its decision and amend or correct the PHI, indicating in the PHI where it has made such modifications. Moreover, it must make reasonable efforts to notify all persons and entities who the individual requests be notified, as well as persons and entities, including business partners, which the health care provider or health plan knows have received the erroneous information and have relied, or could foreseeably rely, on its accuracy.
In contrast, if the health care provider or health plan rejects any part of the individual’s request, it must provide a written statement in plain language as to the basis for the denial, a description of how the individual may file a written disagreement with the denial, and a description of how the individual may file a complaint with the CE or HHS as to the denial. Additionally, the CE must include any statement of disagreement by the individual with future disclosures of the relevant PHI, regardless of whether any modifications were made. However, it is permitted to place a page limit on the statement or to summarize the content if necessary.
Health care providers and health plans also must have procedures for amending or correcting their designated record sets and notifying their business partners, when appropriate, if they receive a notice of amendment or correction from another health care provider or health plan. The procedures must specify the process by which the health care provider or health plan and its business partners shall make any necessary corrections or amendments.
Authorizations To Use or Disclose PHI
In addition to the nine basic rules governing PHI discussed above, the regulations include several rules focusing on when an individual’s authorization is necessary before his or her PHI may be used or disclosed, as well as the procedures required of CEs to implement those rules.
When Individual Authorization is Required
General Requirements. CEs must obtain authorization before using or disclosing PHI if: 1) the individual requests that the CE use or disclose the PHI; or 2) the CE itself requests that the individual authorize the use or disclosure of the PHI, and the use or disclosure is not directly related to treatment, payment, or "health care operations."
At the same time, HHS has said that it will construe the terms "treatment" and "payment" broadly. Hopefully, such a policy will, in effect, make it easier for CEs to avoid the individual authorization requirement otherwise applicable to disclosures of PHI.
Additional Requirements. A CE may not condition the provision to an individual of treatment or payment on the individual’s consent to a requested authorization for use or disclosure, except where the authorization is requested in connection with a clinical trial. Moreover, a CE may not require an individual to sign an authorization for treatment, payment, or health care operations purposes, except if required by law.19
Special Cases: Psychotherapy Notes and Research Information Unrelated to Treatment. An individual’s authorization is required before his or her "psychotherapy notes" or "research information unrelated to treatment" may be used (except by the creator in the case of psychotherapy notes) or disclosed, unless an authorization is not necessary for the reasons discussed below. As with the requirements for the use and disclosure of PHI in general, a CE may not require an individual to authorize use or disclosure of psychotherapy notes as a condition to treatment, enrollment in a health plan, or payment.
When Individual Authorization is Not Required
The regulations permit the use and disclosure of PHI without the individual’s authorization in several situations as long as the CE adheres to the verification procedures discussed below:
• Public Health Authorities. CEs may disclose PHI to a "public health authority," or a person or entity acting on behalf of such authority, for the purpose of collecting information as to diseases, injuries, disabilities, births, deaths, and child abuse and neglect. In addition, CEs may disclose PHI to persons who might have been exposed to a communicable disease, if otherwise authorized by law.
• Health Oversight Agencies. CEs may disclose PHI to a "health oversight agency" (e.g., the Office of the Inspector General of HHS) for health oversight activities authorized by law. Such activities include audits; investigations; inspections; and civil, criminal, or administrative proceedings.
• Judicial and Administrative Proceedings. CEs may disclose PHI for the purpose of any judicial or administrative proceeding if: 1) the disclosure is in response to a court order or an order of an administrative tribunal; or 2) the individual is a party to the proceeding and his or her medical condition or history is at issue (e.g., personal injury or medical malpractice claims) and the disclosure is pursuant to lawful process (i.e., a subpoena) or otherwise authorized by law.
Additionally, if the request for disclosure is pursuant to a court order, the disclosure must be limited to that PHI that the court order authorizes to be disclosed.
• Coroners and Medical Examiners. CEs may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person or determining a cause of death to the extent otherwise consistent with the law.
• Law Enforcement Officials. CEs may disclose PHI to law enforcement officials if the disclosure is for one of the following purposes and meets the necessary requirements specific to that purpose. Understanding those purposes is particularly important for emergency department personnel, as they most likely will often be the primary source from which this information will be sought.
Under the regulations, CEs may disclose PHI to law enforcement officials in the following circumstances:
— Pursuant to Legal Process. If the disclosure is in furtherance of a legal inquiry or proceeding and is pursuant to a subpoena, warrant, judicial order, or administrative request, the PHI may be disclosed. Additionally, the PHI sought must be relevant and material to a legitimate law enforcement inquiry, the request must be as specific and narrowly drawn as is reasonable, and de-identified information could not reasonably be used in place of the requested PHI.
— Identification Purposes. The disclosure must be for the purpose of identifying a suspect, fugitive, material witness, or missing person. In this case, the CE may only disclose the individual’s name, address, Social Security number, date of birth, place of birth, type of injury or other distinguishing characteristic, and date and time of treatment.
— Victims of Crime or Abuse. The requested PHI concerns an individual who is, or is suspected of being, a victim of a crime, abuse, or other harm. The law enforcement official must represent to the CE that the PHI is needed to determine whether a violation of the law by a person other than the victim has occurred and that immediate law enforcement activity may depend upon obtaining such information.
— Health Care Fraud. The CE must believe in good faith that the PHI that it is disclosing constitutes evidence of criminal conduct that: 1) arises out of, and is directly related to, the receipt of health care or payment for health care, including a fraudulent claim for health care or the qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the individual’s health; 2) occurred on the CE’s premises; or 3) was witnessed by a member of the CE’s work force. Note that this exception to the authorization requirement is limited to evidence of "criminal" conduct.
• Government Health Data Systems. CEs may disclose PHI to a government agency, or private entity acting on its behalf, for inclusion in a governmental health data system, the purpose of which is to collect health data for analysis in support of policy, planning, regulatory, or management functions authorized by law.
• Facility Directories. CEs may disclose a subset of PHI for directory purposes if the individual has agreed to such disclosure, unless the individual is incapacitated, in which case the CE may disclose PHI for this purpose at its discretion and consistent with good medical practice, as well as any prior expressions of preference by the individual of which it is aware. The type of PHI that may be disclosed for directory purposes is: 1) the individual’s name; 2) the location of the individual within the health care provider’s facility; and 3) a general description of the individual’s condition that does not communicate specific medical information about the individual.
Note that the requirements for an individual’s "agreement" are less formal than that for an authorization.
• Emergencies. This exception to the authorization requirement is particularly pertinent to emergency departments. If a CE has the reasonable belief that the use or disclosure of PHI is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, it may use or disclose that information to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.20 A "reasonable belief" is presumed if the disclosure is made in good faith based upon a credible representation by a person with apparent knowledge or authority. The regulations specifically state that such a person includes a doctor, or a law enforcement or other government official.
• Banking and Payment Activities. CEs may disclose to financial institutions or entities acting on their behalf the "minimum amount" of PHI necessary to complete a banking or payment activity.
• Research Purposes. CEs may disclose PHI for research purposes if they obtain documentation of each of the following: 1) that the CE has obtained a waiver of authorization from either an Institutional Review Board (IRB) or a "privacy board"; 2) the date of the waiver; 3) that certain criteria have been satisfied; and 4) that the chair of the IRB or privacy board has signed the written documentation.
• Family Members and Personal Friends. CEs may disclose PHI to the individual’s next-of-kin or other family members, as well as to the individual’s close personal friends, if: 1) the individual possesses the capacity to make his or her own health care decisions; and 2) the individual has verbally agreed to the disclosure. Or, if an agreement cannot be reasonably obtained, only the PHI that is directly relevant to the person’s involvement in the individual’s health care is disclosed, consistent with good health professional practices and ethics.
• Special Categories. The regulations apply special rules to the military, the Department of Veterans Affairs, the intelligence community, and the State Department.
• Uses and Disclosures Required by Other Laws. In addition to the specific exceptions to the authorization requirement listed in the regulations, this last exception is an effort not to impinge on other laws that might require the use or disclosure of PHI, but that are not explicitly covered in the regulations. Thus, CEs may disclose PHI in those cases as long as all of the requirements of such a law are satisfied.
Compliance Requirements and Plans
In addition to the policies and procedures discussed above pertaining to the basic standards and authorization requirements, the regulations also mandate several "administrative" and "compliance" procedures that must be followed by CEs in order to ensure that they effectively comply with the regulations and don’t run afoul of the law.
Privacy Officials and Contact Persons. CEs must designate both a "privacy official" and a "contact person or office." The former is responsible for developing and implementing the CE’s privacy policies and procedures while the latter receives complaints and responds to notices pursuant to the regulations. If the CE chooses to designate a contact person, that individual may be the same person as the privacy official. Indeed, individual health care providers and smaller health plans likely will choose this option because of their limited resources.
Training Your Work Force. The regulations presume that all members of a CE’s "work force" are likely to obtain access to PHI. Consequently, a CE is required to train all such individuals as to its PHI policies and procedures that are relevant to each individual’s function within the CE. Undoubtedly, many individuals employed by health plans won’t require such training at all because their responsibilities don’t involve any contact with PHI, e.g., janitors, food workers, and maintenance staff. For those members of the work force whose positions do necessitate training, however, such training must satisfy the following requirements:
• Completion Date. For individuals who are members of the CE’s work force as of the date the regulations become applicable to the entity, the training must be completed by that date.21 The literal language of this requirement brings to the forefront the need for CEs to begin immediately implementing the policies and procedures required by the regulations. The regulations do not provide any indication as to when the regulations may become applicable to the various categories of CEs, or, for that matter, when the regulations will even be finalized. Consequently, CEs would be well advised to begin the process of developing a training program for their work forces. For individuals joining a CE’s work force after such date, the training must occur within a "reasonable period."
• Training Certification. Members of the work force must sign a certificate after they have completed the training that states the date of the training and that they agree to abide by all of the CE’s PHI policies and procedures.
• Recertification. The CE must not only require that members of its work force sign the certification, but it also must require that these individuals "recertify" at least once every three years that they will abide by all of the CE’s PHI policies and procedures.
• Retraining. Any time the CE materially changes its PHI policies or procedures, it must retrain the members of the work force affected by those changes.22 What is interesting to note about the recertification and retraining requirements is that, read in combination, they do not obligate the CE to perform any type of continuing education or ongoing training of its work force in the absence of a material change to its PHI policies or procedures. Nonetheless, given the broad impact of the regulations and the sanctions imposed for violations, a CE should conduct regular training seminars, at least annually, to be sure that its work force is in compliance.
Safeguarding PHI. CEs must have in place appropriate administrative, technical, and physical procedures to ensure the privacy of PHI.23 CEs must verify the identity and/or authority of persons requesting PHI, where such identity or authority is not already known to the CE, by implementing procedures that: 1) are reasonably likely to establish that the individual or person requesting the PHI has the appropriate identity for the use or disclosure requested; and 2) in the case of a request for information by a government agency, provide reasonable evidence of identity and/or authority to obtain the information.
"Whistle-blowers." Disclosures by either a CE’s employee or a person associated with a business partner do not violate the regulations if the disclosing person believes that the PHI is evidence of a violation of the law and the disclosure is made to a law enforcement official, oversight agency, or attorney for the purpose of determining whether a violation of the law has indeed occurred and the remedies or legal actions that may be available to the employee (e.g., a qui tam action).24
Complaints to the CE and Sanctioning Employees for Violations. Health care providers and health plans must implement procedures that enable individuals to file complaints with the CE as to its compliance with the regulations. In addition, CEs must develop sanctions for members of their work force who violate the CE’s policies and procedures governing PHI.
Documentation of Policies and Procedures. CEs must document their policies and procedures for complying with the regulations. The regulations list the individual documentation requirements that must be satisfied for uses and disclosures of PHI, protection of individual rights, and complying with administrative requirements. Generally speaking, those documents must be kept for a minimum of six years.
Penalties for Violations
Penalties for violating the regulations are found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This statute grants HHS the power to impose civil monetary penalties in the amount of $100 for each failure to comply with the standards established by the regulations.25 Those penalties are capped at $25,000 per annum for each violation.26
In addition, HIPAA also establishes criminal penalties for wrongful disclosures of individually identifiable health information. If such a disclosure is made "knowingly" (i.e., mere negligence would not constitute sufficient intent), the person could be fined as much as $50,000 and/or imprisoned for up to one year.27 If the offense is committed under false pretenses, the person can be fined up to $100,000 and/or imprisoned for up to five years.28 Finally, if the offense is committed with the intent to sell, transfer, or use the individually identifiable health information for commercial advantage, personal gain, or malicious harm, a person can be fined up to $250,000 and/or imprisoned for up to 10 years.29 Needless to say, those relatively draconian penalties underscore the need for all persons who handle PHI to take the regulations quite seriously.
Conclusion
To recap, CEs are prohibited from using or disclosing PHI except in the following situations:
- the CE has obtained the individual’s authorization;
- the use or disclosure is for treatment, payment, or health care operations;
- the use or disclosure is for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners; or
- the use or disclosure is required by other law, such as mandatory reporting pursuant to state law or pursuant to a search warrant.
Moreover, CEs are required to disclose PHI for only two purposes: 1) to permit individuals to inspect and copy their PHI; and 2) to HHS for purposes of enforcing the regulations.
The regulations also establish four basic rights for individuals:
- the right to a notice of the CE’s practices concerning PHI;
- the right to obtain access to their PHI;
- the right to obtain access to an accounting of how their PHI has been used or disclosed;
- the right to request that a CE amend or correct their PHI.
The principle underlying those rules is based upon HHS’s belief that a combination of strict limitations on how CEs can use and disclose PHI, adequate notice to individuals about how such PHI will be used, and individuals’ rights to inspect, copy, and amend their PHI, will provide individuals with better privacy protection and more effective control over the dissemination of their PHI.
When faced with situations that might be covered by the regulations, the responsible person within the CE (e.g., the "privacy official") should ask himself or herself the following basic questions:
1. Does this situation involve individually identifiable health information? In almost all instances, for anyone involved in the delivery of health care, the answer to this question will be yes.
2. Is the individually identifiable health information PHI? The answer to this question is determined by assessing whether or not the PHI has ever been electronically maintained or transmitted. However, as discussed in this article, most CEs may find it more efficient to avoid this analysis by simply treating all individually identifiable health information as though it were PHI.
3. Is only the "minimum necessary" PHI being used or disclosed? Unfortunately, this question is the most difficult to answer and is the one that will likely be the most administratively time-consuming. Nonetheless, CEs must remove all nonessential PHI prior to making a disclosure.
4. Is the PHI being used for purposes of treatment, payment, or health care operations? Keep in mind that there is a large "carve-out" to the authorization rule imposed by the regulations for PHI that is used or disclosed for one of those purposes.
5. If the PHI is not being used for purposes of treatment, payment, or health care operations, is the individual’s authorization required? To answer that question, see if the PHI fits within one of the 13 situations discussed above that permit the CE to disclose PHI without the individual’s authorization, even if the use or disclosure is not for purposes of treatment, payment, or health care operations.
After having read this article, it might seem amusing that throughout the preamble to the regulations, HHS consistently proclaims that the regulations are "intended to simplify and improve the efficiency of the administration of our health care system."30 One cannot help but wonder how these 147 pages of regulation will do anything but hinder the delivery of health care and increase its overall cost.
Endnotes
1. See, e.g., California HealthCare Foundation. National Survey: Confidentiality of Medical Records, January 1999; Web site: www.chcf.org.
2. Web site: www.whitehouse.gov/WH/SOTU00/sotu-text.html.
3. 64 Fed. Reg. 59918. Congress mandated that HHS create the regulations as part of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Id. at 59918. If Congress failed (which it did) to enact a "privacy statute" within three years after it passed HIPAA, HHS was required to step in and promulgate health privacy regulations. Id. at 59920, 59921.
4. Id. at 59918. "The risk of improper uses and disclosures has increased as the health care industry has begun to move from primarily paper-based information systems to systems that operate in various electronic forms." Id. at 59920.
5. "Health care clearinghouse" is defined as "a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements." Id. at 60049. Health care clearinghouses "receive[ ] health care transactions from health care providers or other entities, translate[ ] the data from a given format into one acceptable to the intended payer or payers, and forward[ ] the processed transaction to appropriate payers and clearinghouses," e.g., community health information systems. Id. at 60049. Because the intended audience of this article does not include clearinghouses, rules that are limited in their applicability to these entities will be omitted from the discussion where possible.
6. Id. at 60053-60054.
7. Id. at 60054.
8. Id.
9. Id. at 60054-60055. Ironically, despite these extensive requirements, HHS contends that it does "not intend to interfere with business relationships in the health care industry . . ." Id. at 59925.
10. "Health care operations" is broadly defined as the following activities conducted by or on behalf of a health plan or health care provider for the purpose of carrying out its management functions necessary for the support of treatment or payment: 1) quality assessment and improvement activities; 2) reviewing the competence, performance, and qualifications of health care providers and training programs for students, including accreditation, certification, licensing, or credentialing activities; 3) insurance rating and other insurance activities concerning the renewal of a contract for insurance; 4) conducting or arranging for medical review and auditing services, including fraud and abuse detection and compliance programs; and 5) compiling and analyzing information in anticipation of, or for use in, a civil or criminal legal proceeding. Id. at 60052.
11. Id. at 60059.
12. Sound familiar? The Emergency Medical Treatment and Active Labor Act ("EMTALA") regulations require affected hospitals to "post conspicuously . . . a sign . . . specifying rights of individuals under [EMTALA] with respect to examination and treatment for emergency medical conditions and women in labor . . ." 42 CFR § 489.20(q).
13. "Designated record set" refers to a group of records under the control of a CE from which information is retrieved by the name of the individual or some other identifier assigned to the individual and which is used by the CE to make decisions about the individual. Id. at 60052.
14. See discussion of the Tarasoff case in note 20 below.
15. Id. at 60059.
16. "Taking action" could imply something less than an actual response to the request.
17. 64 Fed. Reg. at 60060.
18. Id.
19. Id. at 60055.
20. Id. at 60058. This rationale is based largely on the landmark case of Tarasoff v. Regents of the University of California, 17 Cal. 3d 425 (1976), in which the court decided that a psychotherapist whose patient has made a credible threat against the physical safety of a specific person has a duty to use reasonable care to protect the intended victim against danger, including warning the victim. Id. at 59972. Note, however, that the regulations do not impose an affirmative duty upon CEs to warn in such cases, they merely allow for such disclosures if otherwise required by law or applicable ethical standards. Id. at 59972. Additionally, a CE that makes a reasonable judgment as to this type of use or disclosure under the pressure of an emergency situation will not be found liable for a wrongful disclosure if circumstances later prove that the disclosure was unwarranted (i.e., the disclosure was made in "good faith"). Id. at 59972.
21. Id. at 60061.
22. Id. at 60061.
23. Id. at 60061.
24. Id. at 60062.
25. 42 U.S.C. § 1320d-5(a)(1).
26. Id.
27. Id. § 1320d-6(b)(1).
28. Id. § 1320d-6(b)(2).
29. Id. § 1320d-6(b)(3).
30. Id. at 59921. HHS goes so far as to say that "even if the rules . . . were to impose net costs, which we do not believe they do, they would still be consistent with" the objective of reducing administrative costs for the health care system as a whole. Id. at 59922.
CME Questions
1. When is it always permissible for a CE to disclose PHI?
a. If the individual authorizes the disclosure.
b. If the disclosure is to one of the CE’s business partners.
c. If the disclosure is to one of the individual’s family members.
d. If the PHI is held by a hospital and it wishes to use the PHI as a basis for mailing information to the individual concerning health-related products.
2. Assuming the disclosure is otherwise permissible, when is it unnecessary for the CE to ensure that it discloses only the "minimum necessary" PHI?
a. When the disclosure or use is requested by the individual.
b. When the disclosure or use is requested by a law enforcement officer.
c. When the disclosure is to one of the CE’s business partners.
d. a and b.
3. How often must CEs retrain their work force as to the CE’s policies and procedures governing PHI?
a. Never.
b. Each year.
c. Every three years.
d. Only if and when the CE materially changes its policies and procedures as to PHI.
4. Which of the following statements is true?
a. Removing the individual’s name will always adequately "de-identify" PHI.
b. Individuals have the absolute right to correct or amend their PHI.
c. If a CE reasonably believes that disclosure of PHI is necessary to prevent imminent harm to a person, it may do so without first obtaining the individual’s consent.
d. CEs may give a law enforcement official complete access to an individual’s PHI for purposes of identifying a suspect in an alleged crime.