Handling employees' health information
HIPAA targets the HR department
By Ryan D. Meade
Buried deep within the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been a sleeping giant. The giant has now been awakened by aggressive new regulations governing how businesses interact with personal health information, but few outside the health-care industry realize this. That will change soon.
Regulations to support HIPAA were recently made final by the Department of Health and Human Services (HHS) amid great controversy. The rules are not only poised to radically change the delivery of health care in the United States, but will also affect how companies that do business with the health-care industry organize themselves to handle the health information maintained by their health-care customers. Most employers will also feel HIPAA's impact in regulating how they use the health-benefit information of their employees. The tentacles of HIPAA will even reach beyond the borders of the United States if a health-care company uses a foreign vendor.
HIPAA was a bi-partisan attempt at health-care reform, principally focused on making it easier for employees to carry their health insurance benefits from one employer to another, hence the "portability" aspect of HIPAA. However, one of the reforms HIPAA attempted was to mandate a national system for exchanging electronic health information between health-care providers and health plans. HIPAA charged HHS with the task of promulgating standard formats for these exchanges, mainly focusing on payment transactions.
These standards are known within the act as "administrative simplification." But the final HHS regulations are anything but simple.
Along with standardizing electronic health-information exchanges (currently more than 400 distinct systems exist), HIPAA also established civil and criminal penalties for regulated entities that breach the privacy and security of the health information. HIPAA did not spell out the privacy or security standards that the health-care industry would be held to, but left these rules to be worked out by HHS if Congress didn't adopt standards by a certain date. Congress never met its deadline, thereby prompting HHS to promulgate a series of proposed regulations.
While some of the HIPAA regulations are still in their proposed form, the first rules to be made final last fall were those sketching out the standardized formats for exchange of health information and the type of electronic code sets to be used.
The privacy rules followed on Dec. 20, 2000, as part of the last-minute regulations issued by the Clinton administration (published Dec. 28, 2000 in the Federal Register at 65 FR 82462). The privacy rules unleashed a hue and cry from the health-care industry because they were even more complicated and burdensome than the proposed regulations issued in 1999.
The Bush administration was not swayed by health care's complaints of over-regulation and allowed the privacy rules to go into effect on April 14, 2001. Other standards governing maintaining the security of health information are expected at any time, as well as the last round of rules that mostly deal with the process of assigning unique identifiers for health-care actors.
HIPAA gives directly regulated organizations two years to come into compliance with any regulations issued according to the statutes. Hence, the race is on to comply with the HIPAA privacy standards by April 14, 2003.
The basic premise of the HIPAA privacy rule is that no directly regulated entity (such as a hospital or doctor) can access, use or disclose individually identifiable health information without first obtaining the proper permission of the patient (or subject of the information). This sounds like a simple principle, but in the jungle of federal health-care regulations, nothing is simple. Indeed, it took HHS more than 1,500 pages to explain this simple rule.
The complexities of the privacy rule lie amid several layers of regulations. Not all permissions are equal under HIPAA, so HHS set out distinctions between "consents" and "authorization" and provided a myriad of rules as to when one versus the other is needed and when additions and modifications to these basic forms are required. The rules are so detailed and far reaching that directly regulated entities will need to analyze virtually every interaction their employees have with individually identifiable health information to determine whether the information may be appropriately accessed.
The privacy rules also go far beyond the language of the statute. HIPAA's "administrative simplification" passed by Congress focused on electronic exchanges of health information. HHS's privacy rules cover all individually identifiable health information maintained by a directly regulated entity whether the data is in electronic, paper or oral form.
Affected organizations must be concerned not only with the basic HIPAA privacy rules, but also with state laws. While until recently only a few federal laws have protected the confidentiality of health-related information, the states have now developed a large body of health-information protections. HIPAA's privacy standard generally preempts state law unless the state law is more stringent than the privacy rules. This preemption provision engenders a difficult and tedious examination of all state statutes, regulations and case law that affect HIPAA-protected information. In the end, the HIPAA privacy rule is only the beginning of the study to determine what privacy rules must be followed.
There are essentially five types of organizations affected by the HIPAA regulations: health-care providers, health plans, health-care clearing houses, so-called business associates and employers. The first three in this list are known as "covered entities" and are directly regulated by HIPAA. The latter two are indirectly regulated by the privacy rules because HHS did not have statutory authority to regulate them directly. As explained below, business associates and employers will be regulated by the law requiring the covered entities to contractually obligate them to follow the HIPAA rules.
Health-care providers will without a doubt see the most dramatic impact of HIPAA. HIPAA does not regulate all health-care providers; only those that engage in certain electronic exchanges of information (principally related to payment) are directly regulated. The landscape of the provider community, however, is such that very few hospitals, long-term care facilities or doctor offices do not perform at least some of these payment-related transactions electronically.
The definition of health-care provider is also greatly expansive. Under the privacy rules, the idea of health-care services reaches beyond the traditional understanding and includes such actors as therapists, social workers, optometrists, counselors and dieticians. Additionally, if an organization or person performs any type of physiological diagnostic test, it will be a health-care provider. Enterprises that never thought of themselves as health-care providers will now need to pay attention to HIPAA.
Some of the practical implications of HIPAA will be obvious to patients on entering the doctor's office or waiting room. In order to minimize chances of disclosing protected health information, some specialty practices are revising reception procedures to offer patients the opportunity to take a number or carry a restaurant-style pager while waiting to see the doctor. However, past the reception area, the effects on health-care operations will be deeply felt. For instance, most nursing stations will need to be physically re-engineered to avoid visitors happening upon HIPAA-protected health information by peering over the counter at an exposed monitor or viewing a board listing the patients and nurses assigned to them.
The privacy rules' understanding of a health plan is quite expansive as well. Virtually any organized attempt to coordinate or pay for health care will be considered a HIPAA-regulated health plan. From traditional health insurance issuers to HMOs to employee group health plans, these vehicles for spreading the cost of paying for health-care services will all need to re-examine how they interact with the health information of their enrollees. Indeed, even a person's enrollment in a health plan is a regulated HIPAA-protected fact.
HIPAA also named a new category of health-care organization in its list of covered entities when it coined the term "health-care clearing house." A health-care clearing house is an entity that works with the standardized formats and code sets and converts information into the HIPAA format or converts the information back into non-HIPAAese. Coding and billing companies would be examples of clearing houses. Management companies may be health-care clearing houses to the extent that they perform coding and billing services on behalf of their clients.
While HHS did not have authority under HIPAA to regulate entities other than health-care providers, health plans and health-care clearing houses, privacy advocates were concerned that the statute missed a large sector of the economy that had access to individually identifiable health information, namely the health-care industry's vendors. HIPAA did not give HHS authority to protect health information once it was disclosed to a vendor. The statute's protection stopped once the information left the hospital's door.
To extend HIPAA's reach, HHS devised a clever approach. Under the privacy rules, covered entities are required to enter into "business-associate agreements" with these vendors who interact with individually identifiable health information. These business-associate contracts require the vendors to give the covered entity satisfactory assurances that the vendor will safeguard the confidentiality of the health information it receives or interacts with in the same fashion as its client, as if the vendor were a covered entity itself. Consequently, as a practical matter, all business associates will need to become HIPAA compliant just as their customers will.
Not obtaining a business-associate contract can have serious consequences for covered entities. HHS has promised to hold the covered entity vicariously liable for their business associate's negligent privacy breaches if a proper agreement is not in place. With a business-associate contract binding the covered entity and its vendor, HHS will only penalize the covered entity if it knew of a privacy breach by the vendor or knew of a pattern of disregard for health-information privacy.
Business associates will include a vast array of enterprises. While some common vendors of the health-care industry come to mind as naturally having a business-associate relationship with covered entities, such as doctors' practice-management companies, others are not so obvious. Storage facilities, temporary clerical worker agencies, accounting firms, law firms, consultants, document-shredding companies and software maintenance services all will likely need to be prepared to sign business-associate agreements. Indeed, any vendor who has a business-associate relationship will likely need to become HIPAA compliant in order to continue to do business with the health-care industry.
Employers are in a special category of their own under the HIPAA privacy rules. Employers are affected when they sponsor group health plans that provide health benefits to their employees and the employer organization interacts with individually identifiable health-benefit information. If an employer's plan bears no risk in providing health benefits (a fully funded health plan), then the employer is affected very little by HIPAA. But when an employer's plan bears some of the risk or costs of providing health benefits (a self-insured health plan), then the effects can be significant.
As a threshold matter, employers who have a fiduciary relationship with their group health plans will need to make the plan HIPAA compliant since the plan is a covered entity on its own. The employer will need to review how it interacts with its employees' health-benefit information. Many employers provide administrative assistance to the plan, using the employer organization's human resource department to administer the plan and shepherd claims appeals. In these support capacities, the employer may technically be a business associate to the plan and will need to follow the business-associate rules. The HIPAA privacy rules allow employers to elect a special certification process in place of the business-associate agreement, although the internal practical implications are virtually the same.
The struggle for employers will be to control how they use health information from their employee benefit plan for basic operations purposes. Is the employer obtaining diagnosis information from the health plan in order to provide special accommodations to certain employees or to identify whether an individual may have a substance-abuse problem as an explanation for aberrant behavior? Under HIPAA, these and countless other practices will be illegal without the proper authorizations from the employees.
HIPAA provides steep civil and criminal penalties for violations of the privacy standards. However, the most significant and worrisome liability exposure for HIPAA-affected businesses will be the result of private privacy litigation.
While HIPAA does not afford a private right of action for privacy breaches, there are many avenues available to individuals to recover damages for violations. Virtually all states have some form of invasion-of-privacy tort. For fueling the development of this tort, HIPAA will be like pouring gasoline on a fire as health-care organizations develop an array of new policies and procedures promising patients and clients privacy protection.
Also, subjects of health information will likely be third-party beneficiaries to the business-associate contracts, allowing patients, health-plan enrollees and employees to sue both the covered entity and its vendor for privacy violations.
Finally, ERISA allows a federal private right of action to employees when benefit-plan document standards are breached. These ERISA-inspired lawsuits will come into play to the extent that plan documents are modified to afford employees privacy standards in the handling of their health-benefit information.
Meade is a partner at Katten Muchin Zavis in Chicago. His e-mail is firstname.lastname@example.org.