Impact of HIPAA and the Privacy Rule

By D’Lisa Simmons

The Mention the term “HIPAA” and many people cringe, thinking of the need to execute yet more forms for their insurance carriers and health care providers. Routine check-in and sign-in forms at the doctors’ offices are now guarded with the utmost of secrecy at many offices. What is HIPAA and why do we have it?
The Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996 to establish national standards for healthcare providers and insurance carriers, as well as to protect the patient’s confidential health information. The Privacy Rule was added in 2002, giving further patient protection and confidentiality. The Privacy Rule applies not only to healthcare providers, but also administrators and personnel of healthcare plans, healthcare clearinghouses, and healthcare insurance companies. The passage of HIPAA and the Privacy Rule prohibit the passage of personally identifiable health information to lenders, potential creditors, mortgage companies, or employers or prospective employers without consent of the individual in question.1

Impact on Patients and Individuals
HIPAA was enacted for the benefit of the patient and to protect the privacy of the patient’s health concerns and the records detailing that information. Civil and criminal penalties may be assessed if an entity charged with maintaining the privacy of a patient’s records has violated that right of privacy.2 Patients have the right to examine their records and request corrections thereto.3
Patients now have the right to control certain uses and disclosures of their health information. Individuals and companies who are not necessary to the provision of healthcare or payment thereof no longer may be provided with such information (i.e., potential lenders, potential creditors, mortgage companies, or employers or prospective employers).4

Impact on Healthcare Providers and Health Insurance Carriers
Healthcare providers and health insurance carriers now carry an enhanced burden of patient confidentiality. Healthcare providers are required to meet a minimum level of privacy protection. Many healthcare professionals now give their patients written information as to their privacy rights and how their information may be used. Providers usually require their patients to sign a form acknowledging this information and the specific release of their confidential records for insurance coverage confirmation, billing, and the like. Good healthcare providers take steps to make sure that their patients understand what they are signing, either by providing the forms in English and native language, or with verbal instruction in the native language by an office employee, with written certification of such translation maintained in the patient’s file.
Healthcare providers and insurance carriers must also adopt and implement procedures for the protection of the privacy of their patients, together with education and training of their staff to ensure that the procedures are followed.5 An in-house training seminar is now being required by many healthcare providers and health insurance carriers, with a separate, written acknowledgment of attendance and completion of seminar. A responsible individual within the company also may conduct an audit to ensure that privacy policies have been adopted, training provided, and the policies actually followed. Further, healthcare providers and health insurance providers are responsible for securing patient records, which contain individually identifiable health information (including social security numbers), to prevent the unintended release of such personal information.6
A health plan provider may disclose, under certain circumstances, private health information about a patient to his family member, relative, or close personal friend; however, this permissible disclosure may occur only to the extent that the private health information is relevant to the third party’s care or payment for healthcare, and as long as the individual has not objected to such disclosure. In the event the patient is incapacitated or not present, the covering entity (healthcare provider, insurer) may, in its professional judgment, disclose private health information, but only to the extent necessary for treatment or payment for healthcare services.7 With regard to medical information obtained by emergency room staff and ambulance workers, Attorney General Gregg Abbott issued an opinion in 2004 stating that the Texas Public Information Act could supersede the HIPAA privacy requirements.

Impact on Employers
Many employers now self-insure all or part of the health insurance coverage provided to their employees. As a result, company employees may become aware of confidential medical procedures of other employees and family members. Good internal practices should be followed to insure that employee record confidentiality is maintained, similar to those detailed above in the section for healthcare providers. Care should be taken to ensure that employees’ personnel files and all related information are kept in password-protected electronic media and locked filed cabinets. After employees leave the company, care should be taken that, following the company’s record retention policy, the company destroys all records relating to the employee through shredding or incineration.

Impact on Researchers
HIPAA also covers researchers who provide health care or health care services to individuals.8 The Department of Health and Human Services requires that each institution engaged in human subject research provide a satisfactory Assurance of Compliance to meet the requirements of HIPAA, or provide information as to why the research may be exempt. Care should be taken that any transmission of research data conforms to the Transactions Rule found in the Act. For projects begun before the compliance date of HIPAA, consent to disclose information may be required so that study results may be reviewed as required for publication or otherwise. Many patients remain concerned about health insurance discrimination and loss of privacy as reasons for not participating in new or experimental testing procedures.

Conclusion
The impact of HIPAA reaches much farther than many people initially anticipated. While many lawyers associate HIPAA with estate planning lawyers and part of the plethora of paperwork now required by healthcare providers and insurance carriers, lawyers practicing employment law, healthcare, and educational research also should be aware of the requirements of HIPAA to best advise their clients.

Endnotes
1. See generally, http://www.hhs.gov/news/facts/privacy.html 2. See generally, 45 CFR 160.402-408; and the Department of Justice’s Memorandum Opinion, p.1, June 1, 2005, found at http://www.usdoj.gov/olc/hipaa_final.htm. 3. 45 CFR 164.526(b). 4. See generally, http://www.hhs.gov/news/facts/privacy.html. 5. 45 CFR 160.310(a). 6. 45 CFR 164.530; and the Department of Justice’s Memorandum Opinion, p.1, June 1, 2005, found at http://www.usdoj.gov/olc/hipaa_final.htm 7. 45 CFR 164.501,506; see also, http://www.hhs.gov/ocr/hipaa/guidelines/sharingfortpo.pdf. 8. 45 CFR 164.532.

< BACK TO TOP >