Ignoring HIPAA provisions puts you in legal peril
By Jack A. Rovner
Partner and Co-Chair
Chicago Health Law Practice Group
Michael Best & Friedrich LLC
Chicago
Risk managers, your institutions are at serious risk. To control that risk, your institutions need to start dealing now with the impending federal patient data privacy and electronic data security and transmission mandates of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Somewhat buried in the massive HIPAA legislation reforming health insurance and expanding federal health care fraud and abuse controls are the administrative simplification provisions. Congress intended those provisions to simplify administrative and financial transactions in health care through national standards for the electronic transmission of health information. The stated goals are to improve efficiency and reduce costs in health care. Good ideas. But the devil is in the details, and the details for implementation and compliance are anything but simple.
HIPAA requires every health plan, as well as every health care institution and practitioner who maintains or transmits health information in electronic form, to be in compliance with the administrative simplification mandates within 24 months of the effective date of final implementing regulations to be issued by the Department of Health and Human Services (HHS). HHS currently expects to start issuing final regulations in June.
Before the end of this two-year implementation window, each health care provider and plan will need to examine and evaluate its patient data privacy and electronic data security and transmission policies, procedures, and practices, as well as its electronic health information exchange capabilities and protocols. It will need to review and audit every operation and every business relationship that may involve use, disclosure, or electronic transmission or storage of individually identifiable health information.
HHS already has proposed implementing regulations for most of the HIPAA administrative simplification requirements. These proposed regulations preview just how complex and challenging it will be to comply. Indeed, it was the issuance of HHS’ proposed patient data privacy regulations on Nov. 3, 1999 (64 Fed Reg 59917), that appears finally to have brought the full impact of the HIPAA administrative simplification mandates to the radar screens of the health care industry.
Those proposed regulations, which have generated thousands of comments, complement HHS’ earlier proposed rules to set national standards for the following:
• the security and integrity of health information electronically transmitted and stored [63 Fed Reg 43241 (Aug. 12, 1998)];
• national standard data elements and code sets for electronic transmission of health care administrative and financial transactions [63 Fed Reg 25272 (May 7, 1998)];
• national standard health care provider and employer identifiers [63 Fed Reg 25320 (May 7, 1998) and 63 Fed Reg 32784 (June 16, 1998)].
Still to come are proposed rules for the national health plan identifier. The national identifier for individuals became so controversial with privacy advocates that the Clinton administration put it on hold until issuance of final patient data privacy rules.
Noncompliance sanctions and liability
HIPAA gives HHS the power to impose civil monetary penalties of $100 for each knowing failure to meet one of the HIPAA standards, up to a maximum annual fine of $25,000 for multiple violations of the same standard. As the cap applies only per standard, the exposure can be far greater if a health care organization is out of compliance with multiple standards. For example, violations of 100 different standards 250 or more times each in any year would bring an exposure of $2.5 million for that year.
Even more substantial are the HIPAA penalties for knowingly obtaining or disclosing patient data in violation of HHS regulations. The penalties for that infraction are $50,000 and one year in prison. If the infraction involves false pretenses, the penalties increase to $100,000 and five years in prison. If it involves commercial or personal gain or malicious harm, the penalties are $250,000 and 10 years in prison. This criminal exposure is both personal and corporate. There is also potential substantial liability under state negligence or other tort principles premised on noncompliance with these HIPAA standards.
Although HIPAA itself does not authorize private lawsuits by individuals, a state court could consider noncompliance to evidence lack of reasonable conduct sufficient to expose the noncompliant provider or plan to compensatory or even punitive damages to individuals harmed by the misuse, disclosure, or breach in integrity of their patient data.
HHS proposed rules are sweeping and complicated, covering more than 280 pages of the Federal Register. The following overview is, therefore, no substitute for the careful and thorough study that should be undertaken to determine how HHS final regulations will affect your organization and what your organization must do to comply:
o Covered entities and business partners.
The proposed rules cover every health care provider who maintains or transmits patient data directly or through agents such as billing services in electronic format. The proposed rules cover all forms of health plans, including individual and group plans, employer-sponsored ERISA plans (unless self-administered with fewer than 50 participants), church plans, government plans, health insurers, managed care organizations, and all federal and state health benefit plans.
Proposed rules require providers and plans to ensure, through written contract provisions, that their "business partners" comply with the regulatory protections. A "business partner" is any entity that performs a service, function, or activity for the provider or plan and receives protected patient data from the provider or plan.
Examples include health care clearinghouses and other data processors, billing services, third-party administrators, private accreditation organizations, outside attorneys, auditors, accountants, and consultants. The proposed rules would make patients "third-party beneficiaries" of these contract provisions. That could expose both the provider or plan providing the data and the business partner receiving the data to breach of contract and similar suits from such patients harmed by impermissible use or disclosure of their protected data.
o Covered patient data.
The proposed rules cover "individually identifiable health information" once it has been put into electronic format by a covered entity. "Individually identifiable health information" encompasses any data, including demographic information that:
• is created by or received from a health care provider, health plan, employer, or health care clearinghouse;
• relates to an individual’s past, present, or future physical or mental health or condition or to the provision of or payment for the individual’s health care;
• either identifies the individual or is reasonably believed when considered alone or in combination with any other available data to permit identification of the individual.
Providers’ duty
Once put in electronic format, "individually identifiable health information" will remain covered, no matter the media it may thereafter be in, including paper, or the mode by which it may thereafter be communicated, including verbally. Only information in paper records that a provider or plan has never digitized escapes the rules. Given the ubiquity of electronic data storage and transmission in health care, providers and plans probably should, and practically may have to, treat all "individually identifiable health information" as covered by the federal requirements.
o Covered transactions.
Providers and plans electronically transmitting any of the following 10 health care financial or administrative transactions must use the standard data elements and code sets proposed by HHS rules: health claims and encounters, payment and remittance advice, coordination of benefits, claims status, health plan enrollment and disenrollment, health plan eligibility, premium payments, referral certification and authorization, first report of injury, and health claims attachments.
o Use and disclosure of data without patient authorization.
The HHS proposed rules are designed to permit the free flow of covered patient data without patient authorization among health care providers and health plans for purposes of treatment, payment, and health operations (e.g., quality assessment, professional credentialing, and utilization review). The proposed rules also permit, subject to certain procedural requirements, use and disclosure of covered patient data without patient authorization in emergencies and for public health, national security, health oversight, judicial and administrative proceedings, and law enforcement purposes. The proposed rules permit use and disclosure of covered patient data without patient authorization for research, provided common rule protections, such as institutional review board or similar oversight, are followed. In all of those instances, only the minimum amount of patient data necessary to the purpose of the use or disclosure may be used or disclosed.
o Use and disclosure of data with patient authorization.
The proposed rules prohibit providers and plans from using or disclosing covered patient data without the authorized written consent of the individual to whom the data pertains. A provider or plan seeking authorization may not condition treatment or payment or use other coercion to obtain authorization and must make full disclosure of the intended use or disclosure.
o Patient access and disclosure accounting.
The proposed rules grant individuals the right to inspect and copy their patient data (except in very limited situations) and to correct or amend them. Individuals also have the right to an accounting of all disclosures of their patient data, except relating to treatment, payment, or health operations or to avoid impeding health oversight or law enforcement activities.
o Security requirements.
The proposed rules require health plans and providers that electronically maintain or transmit covered patient data to safeguard the integrity, confidentiality, and availability of those data. The proposed rules require plans and providers to implement the following:
• written policies, practices, and administrative security procedures;
• physical safeguards, such as hard drive backup;
• technical security services, such as access and audit controls;
• technical security mechanisms, such as encryption and audit trails.
Determining the appropriate level of implementation required in each of those areas is left to the judgment of each plan and provider. Accordingly, plans and providers must assess the potential risks to and vulnerabilities of covered patient data under their control and develop, implement, and maintain the security measures needed to safeguard those data.
o Preemption of state law.
The proposed rules do not generally preempt state patient data privacy laws that provide greater protections or rights for individuals and are not contrary to the federal requirements. Under most circumstances, covered entities will therefore be required to comply with the most stringent requirements of the jurisdictions to which they are subject. The proposed rules do not invalidate or limit state laws requiring reporting of disease, injury, child abuse, birth, or death; public health surveillance; investigation or intervention; or insurance regulation.
Compliance could result in reduced costs
There may be some silver linings in these ominous HIPAA clouds. The HIPAA provisions should cut costs and improve efficiency in health care delivery at least some day. Compliant providers and plans may find a competitive advantage, not only in reduced costs, but by enhanced patient confidence from the knowledge that the privacy and integrity of an individual’s most personal health information will be protected.
Perhaps if administrative simplification works, the future will allow providers and plans to substantially reduce and replace paper records, freeing storage space, reducing materials costs, and improving data access, sharing, and exchange.
Getting to that congressionally promised land won’t be easy or cheap. Becoming compliant will take enormous financial, human, and time resources. On the other hand, the liability stakes of noncompliance are high. To hope to manage this formidable challenge and make the best of it means to begin addressing it now. Anything less is to be at risk, rather than to manage that risk.
[For additional information, call Jack Rovner at (312) 845-5812 or send an e-mail to: [email protected].]