American Bar Association

ABA Section of Business Law
Business Law Today
September/October 2000

Secrets? What secrets?

Proposed regulations champion patient privacy


True or false: My medical records are safe from prying eyes. If you hesitated before you answered, this article is for you.

If you helped a client with Y2K compliance last year, you may have some inkling of the sea change that is about to occur in the health-care industry as a result of proposed privacy regulations. Sound overly dramatic? The regulators themselves estimate the implementation costs are upwards of $3.8 billion. No two ways about it: These regulations will keep many lawyers and consultants knee deep in billable hours for some time to come.

So why all the concern? Did someone complain that their entire medical history was published on the Internet? Is this the work of a paranoid populace and election-sensitive politicians?

Consider this: You don’t feel well, so you go see a doctor. Before you have time to sneeze, the doctor’s receptionist hands you a 10-page form to complete, asking you to describe every health ailment ever suffered by you or your ancestors. Maybe you answer every question completely and maybe you don’t. After all, nobody needs to know about that time you were treated for depression during law school, right?

A recent survey showed that one out of six people engages in this type of self-censoring behavior because they are afraid their health records will fall into the wrong hands, leading to discrimination, loss of benefits, stigma and unwanted exposure. (January 1999 Survey, Princeton Research Associates for the California HealthCare Foundation and the Internet Healthcare Foundation.) Because health information is generally stored electronically and can be transmitted to thousands of recipients in seconds, there is a legitimate concern that private material may be obtained by those outside the appropriate health-care community.

These concerns are real. But requiring every hospital, doctor, insurer, claims processor and receptionist to obtain a patient’s authorization before using or disclosing their medical records would bring the health-care system as we know it to a standstill.

Accordingly, the Department of Health and Human Services (HHS) has attempted to promulgate comprehensive regulations that strike a balance between the uninterrupted provision of medical services and the protection of individual privacy. Specifically, the regulations seek "to make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care." 64 Fed. Reg. 59924.

The privacy regulation, which we will fondly refer to as the K.I.S.S. (Keep It Secret, Stupid) Rule, does not stand alone. The rule is to be promulgated together with all the standards enacted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of HIPAA was, in part, to improve the efficiency and effectiveness of the health-care system by standardizing the electronic transmission of certain administrative and financial information and protecting the security and privacy of health information.

To serve these purposes, HHS proposed not just one, but five separate regulations establishing "administrative simplification" requirements for the electronic transmission, security and privacy protection of health-care information. "Simple" may not be the best adjective to describe these requirements.

Recognizing that there are four other rules to be analyzed and discussed in tandem with the K.I.S.S. Rule, this article will only cover the 147-page proposed K.I.S.S. Rule itself. If you yearn for more information on privacy and other administrative-simplification rules, please feel free to check out the HHS Web site: http://aspe.os.dhhs.gov/admnsimp.

The K.I.S.S. Rule was published as a proposed rule, asking for public commentary, on Nov. 3, 1999. Indicative of how controversial it is, HHS received more than 50,000 comments from interested parties. As such, everything you read here is subject to change. HHS has publicly announced, but has not given official notice, that all five administrative-simplification rules will be published by the end of the Year 2000.

The K.I.S.S. Rule is HHS’ proposed attempt to keep private health information private, without forcing health-care professionals, insurance companies and related personnel to ask for a patient’s permission every time her medical information is disseminated.

A covered entity must be in compliance with the final rule not later than 24 months following the effective date of the rule (expected by December 2000), except that a covered entity that is a small health plan (a health plan with annual receipts of $5 million or less) must be in compliance no later than 36 months following the effective date.

To identify the information that must be kept secret, the term "Protected Health Information" is defined in the rule. (See the sidebar, "The K.I.S.S. glossary," for the official definition.) Practically speaking, protected health information means any electronically stored or transmitted health-care-related document that allows you to identify the patient.

This brings us to surprising part No. 1: The K.I.S.S. Rule does not apply to paper records. That means that every doctor who refused to buy or learn how to use a computer and keeps all of his patients’ records on paper is home free.

Not surprisingly, HHS has requested that Congress expand the definition of covered information to include documents in paper form as well as those that have been electronically transmitted or maintained. In reality, it would be so rare for health-care information to have avoided electronic storage or transmission that the K.I.S.S. Rule really applies to all patient-related materials.

If your client is a health plan, a health-care clearinghouse, or one of certain health-care providers that either store electronic health-care data in a data repository (including a desktop computer) or transmit such data over a network, then the client will be required to comply with the K.I.S.S. Rule. Health-insurance issuers, HMOs, certain Medicare and Medicaid programs as well as employee welfare-benefit plans are among those included in the definition of health plans. HHS wants to expand the scope of the regulation to apply to additional entities such as worker compensation and life insurance companies.

One of the more controversial aspects of the K.I.S.S. Rule is the coverage of so-called "business partners" of health plans. Business partners include: lawyers, auditors, consultants, third-party administrators, health-care clearinghouses and billing companies. Whenever protected health information is exchanged in these routine business relationships, the K.I.S.S. Rule applies.

Helpfully, HHS anticipates and acknowledges the reality of the routine business relationship in the health-care industry and thus provides for the necessary disclosure of private health information to business partners. Generally, the K.I.S.S. Rule permits the disclosure of private health information to business partners without a patient’s authorization, but requires that a covered entity enter into a contract with the business partner to ensure compliance with the privacy standards.

The liability concerns for covered entities here, however, loom large. To the extent that a covered entity’s business partner improperly disclosed private health information, the plan could be found liable and subjected to the rule’s remedial measures.

When is patient permission unnecessary? The good news is, a covered entity is permitted to use or disclose protected health information without individual authorization for purposes of treatment, payment and health-care operations. The definition of health-care operations is, at first glance, quite broad in scope, allowing the use of health-care information without permission for any "management functions necessary for the support of treatment or payment."

The K.I.S.S. Rule includes the following activities as part and parcel of health-care operations:

• conducting quality assessment and improvement activities;

• reviewing the competence or qualifications of health-care professionals;

• rating insurance and other insurance activities relating to the renewal of a contract for insurance;

• conducting or arranging for auditing services;

• compiling and analyzing information in anticipation of or for use in civil or criminal legal proceedings.

Complaints about the health-care operations definition, however, indicate that it is actually too narrow in scope. For instance, a number of health plan representatives have suggested that even a simple reminder card of a doctor’s appointment, or other patient-specific health and safety promotions, are prohibited without patient authorization.

HHS recognizes the additional need for health information to support certain national priority activities, such as reducing health-care fraud, improving the quality of treatment through research and protecting public health. As such, the K.I.S.S. Rule permits certain uses and disclosures of health information without individual authorization for the following activities:

• oversight of the health-care system

• public health functions

• research

• judicial and administrative proceedings

• law enforcement

• emergency circumstances

• identification of the body of a deceased person, or the cause of death

• government health-data systems

• facility patient directories

• to process health-care payments and premiums at banks

• management of active-duty military and other special classes of individuals.

Remember the earlier example about being treated for depression during law school? Psychotherapy notes have special protected status under the K.I.S.S. Rule. A covered health-care provider would not be permitted to disclose psychotherapy notes for treatment, payment or health-care operations unless specific authorization is obtained from the individual.

In addition, a covered entity would not be permitted to condition treatment of an individual, enrollment of an individual in a health plan, or payment of a claim for benefits made by or on behalf of an individual, based on the individual’s specific authorization for the disclosure of psychotherapy notes.

Covered entities are required to disclose protected health information without individual authorization in two circumstances:

• in response to a request by an individual to inspect, and obtain a copy of, his or her own protected health information, and

• in connection with an enforcement action or compliance review brought by the secretary of HHS.

Except in the foregoing circumstances, covered entities are required to obtain an individual’s explicit consent before using or disclosing protected health information about that individual.

The K.I.S.S. Rule contemplates two situations in which individual authorization can occur. It can be initiated at the request of either the individual or the covered entity. For instance, disease-management activities are not permitted without individual authorization.

One of the main tenets of the K.I.S.S. Rule is the requirement that an individual’s authorization is truly voluntary. To accomplish this, the rule issues the following mandates:

• Covered entities are not permitted to condition treatment or payment on the individual agreeing to disclose information for other purposes.

• Authorizations must clearly and specifically describe the information to be disclosed.

• If an authorization is sought so that a covered entity may sell, barter or otherwise exchange the information for purposes other than treatment, payment or health-care operations, the covered entity would have to disclose this fact on the authorization form.

• Authorizations may be revoked by an individual at any time.

Although individual authorizations are not necessary for treatment and payment purposes, an entity may need to obtain such an authorization to comply with a state’s mandated authorization requirement. The federal rule would not supersede such state requirements.

The K.I.S.S. Rule will require a lot of time, ingenuity and money to keep liability at bay. Indeed, liability for noncompliance is stringent: The HHS secretary may impose civil fines, capped at $25,000 for each calendar year for each standard that is violated. Criminal penalties range from a $50,000 fine or imprisonment for one year to a $250,000 fine and imprisonment for 10 years. HIPAA does not provide for a private right of action for individuals, but the HHS is lobbying Congress for the right of individuals to sue for a breach of privacy.

No matter how many changes are made to the proposed rule, the final rule will still require covered entities to create new policies, implement new procedures, hire more people and overhaul their computer systems. At the very least, covered entities will have to:

• designate a privacy official,

• develop a privacy-training program,

• implement safeguards (in computer systems and personnel policies) to protect health information from intentional or accidental misuse,

• provide a means for individuals to complain about an entity’s information practices,

• change all its existing contracts with business partners to reflect the rule’s requirements, and

• develop a system of sanctions for employees or business partners who violate the entity’s policies and procedures.

Many comments forwarded to HHS requested congressional action to provide for federal preemption of all state privacy laws. As it now stands, the K.I.S.S. Rule establishes a floor, not a ceiling, of privacy protections. State laws that are less protective of privacy are preempted, but states are free to enact, and are increasingly doing so, more stringent statutes or regulations.

This not only obligates covered entities to implement a set of federal privacy standards plus separate standards for each state in which they do business, but also requires them to hire lawyers or consultants to discern which set of standards applies in a given situation.

Key members of Congress, incidentally, have stated that there is almost no chance that Congress will pass new privacy legislation this year, with the possible exception of a bill to study the issue. Without new legislation addressing the preemption issue before 2002, covered entities face a frustrating tug-of-war over which set of standards to apply. Given the opportunity to choose, plans may comply with the less costly standard, ultimately placing patient privacy at risk.

The K.I.S.S. Rule requires covered entities to disclose only the minimum amount of health information necessary for a given purpose. This will require covered entities to take steps, on a case-by-case basis, to limit the amount of protected health information used or disclosed.

For example, if a treating doctor in an emergency room requires information from a patient’s primary-care doctor, the latter will be forced to spend precious time determining how much information is the "minimum necessary" for the situation, placing the patient’s health at possible risk if too much is left undisclosed. It is a fairly safe bet that the final rule will incorporate significant changes to this requirement, given the number of strenuous objections made to this provision by key industry players.

HHS admits that a covered entity may skirt the patient-authorization requirement if there is no way to identify who the patient is from the documents being used or disclosed. According to the rule, "de-identifying" the health-care information merely requires the removal of 19 bits of personal information and the belief that there is no possibility that "any anticipated recipient" of the information could identify the patient. (The 19 bits of personal information are fairly obvious, such as name, address, birth date, phone numbers, etc.)

Trouble ensues when, for instance, a claims processor who legitimately receives the information, but is also a part-time computer hacker, discovers a way to identify the patient via some otherwise innocuous numbers on a patient’s medical forms. Covered entities, under the proposed K.I.S.S. Rule, could be held liable for such a discovery.

In addition, this provision of the rule brings about countless paperwork headaches. There may be circumstances, for instance, when recipients of de-identified health information will have a legitimate reason to request that the de-identified information be re-identified by the originating covered entity.

For example, if a researcher received de-identified information from a covered entity and the research revealed that a particular patient was misdiagnosed, the covered entity should be permitted to re-identify the patient’s health information so that the patient could be informed of the error and seek appropriate care.

Under the proposed K.I.S.S. Rule, entities would be expected to establish a process for determining when re-identification is appropriate. Once covered entities re-identify information, it once again becomes protected information and may, therefore, be used and disclosed only as permitted by this regulation.
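The de-identification and controlled re-identification process described above, as an added illustration that is not part of the article: identifier fields are stripped and replaced by a random token, the token-to-identity map stays with the originating covered entity, and re-identification succeeds only for a purpose the entity's process approves, after which the record is flagged as protected again. Field names, the approval list and the sample record are constructed; the identifier set is a subset of the categories the article names plus a record-linking number, not the rule's full list of 19.

```python
"""De-identification with a controlled re-identification process.
Added example; field names, purposes and sample data are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Direct identifiers stripped before release (constructed subset of the
# article's categories). "claim_number" is included because a number that
# looks innocuous can still link a record back to a person.
IDENTIFIER_FIELDS = ("name", "address", "birth_date", "phone", "claim_number")

# Purposes for which the entity's process permits re-identification
# (constructed; the article's example is notifying a misdiagnosed patient).
APPROVED_REIDENTIFICATION_PURPOSES = {"misdiagnosis_notification"}


@dataclass
class Pseudonymizer:
    """Holds the token-to-identity map; it never leaves the covered entity."""
    _links: dict = field(default_factory=dict)

    def deidentify(self, record: dict) -> dict:
        """Return a copy with identifiers removed and a random token attached."""
        token = secrets.token_hex(16)
        self._links[token] = {k: record[k] for k in IDENTIFIER_FIELDS if k in record}
        released = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
        released["token"] = token
        released["protected"] = False  # de-identified data falls outside the rule
        return released

    def reidentify(self, released: dict, purpose: str) -> Optional[dict]:
        """Re-attach identity only for an approved purpose; result is protected again."""
        if purpose not in APPROVED_REIDENTIFICATION_PURPOSES:
            return None
        identity = self._links.get(released.get("token"))
        if identity is None:
            return None  # unknown token: nothing to re-identify
        record = {k: v for k, v in released.items() if k != "token"}
        record.update(identity)
        record["protected"] = True  # back under the rule's use/disclosure limits
        return record


def leaks_identifiers(released: dict) -> bool:
    """Release check: True if any identifier field survived de-identification."""
    return any(k in released for k in IDENTIFIER_FIELDS)
```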

As with all major public policy change, these federal regulations will have a dramatic effect on how the health-care industry does business. The sheer volume of comments submitted on the proposed rule, more than 50,000, is indicative of its perceived impact. Truly, the proposed K.I.S.S. Rule goes a long way to assure patients that their private health-care information is protected from disclosure to anyone without their consent.

It requires serious revision, however, to assure patients that their information will be disclosed when necessary without delay, that bills will be paid on time and that premiums will not skyrocket.

Barnes is an associate at King, Pagano & Harrison in Washington.