Reed Smith Client Alerts

  • INTRODUCTION

    In the December 28, 2000 Federal Register (65 Fed. Reg. 82461), the Department of Health and Human Services ("HHS") published controversial final regulations establishing privacy standards for individually identifiable health information. The extensive new requirements set out by this 360-page document will impose significant burdens on health care providers (including health care suppliers and manufacturers), health plans, and health care clearinghouses, as well as upon those furnishing services to these entities.

  • OVERVIEW OF REGULATIONS
    A. What Are The HIPAA Privacy Regulations?

    The new requirements are part of a suite of regulations issued pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Published in proposed form in November 1999, the final regulations are intended, according to the preamble, to "begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors." Although HHS acknowledges that "these privacy standards will entail substantial initial and ongoing administrative costs for entities subject to the rules," it contends they are consistent with reducing administrative burdens in the long run.

    B. When Are The Privacy Regulations Effective?

    The regulations become effective on February 26, 2001; however, compliance for most entities will not be required until February 2003. Small health plans have an additional year to comply, i.e., until February 2004.

    C. To Whom Do The Privacy Regulations Apply?

      It is not an understatement to say that every person and entity involved with the United States health care system will be affected in some way by the new privacy regulations. From consumers of health care, to employers sponsoring health plans, to health care insurers, to providers and suppliers of health care items and services, the impact of the most sweeping health privacy standards in history will be profound.

      The most immediate and direct impact, of course, will be felt by three groups specifically identified in the regulation as "covered entities": (i) health plans; (ii) health care clearinghouses; and (iii) health care providers who transmit any health information in electronic form in connection with the standard transactions identified under HIPAA. "Business associates" of covered entities also will be affected, as described in Section I below. The three types of covered entities are described generally in the final regulations as follows:

        • Health Plans: Individual or group plans that provide or pay the cost of medical care, including group health plans, insurance issuers, health maintenance organizations, Medicare Parts A and B, Medicare+Choice organizations, Medicaid and other types of plans. Only listed government-funded programs are included; others, even though they provide health care (such as health centers funded under the Ryan White Comprehensive AIDS Resources Emergency Act), are not considered to be health plans. The term "group health plans" includes those insured and self-insured employee welfare benefit plans (as defined under ERISA, the Employee Retirement Income Security Act) that provide medical services and that either have 50 or more participants or are administered by entities other than the employer which established and maintains the plan. Self-administered group health plans with fewer than 50 participants are thus excluded from the scope of the rule.
        • Health Care Clearinghouses: Public or private entities (including billing services, repricing companies, community health management information systems, community health information systems, and "value-added" networks and switches) that process or facilitate processing health information received from another entity in a nonstandard format or containing nonstandard data content into standard format or standard data content, and vice versa. The final rule notes that telecommunication entities providing connectivity, such as telephone companies and Internet Service Providers, are not health care clearinghouses unless they actually perform the enumerated clearinghouse functions for another entity.
        • Health Care Providers: "Providers of services" (e.g., hospitals and skilled nursing facilities) and providers of "medical or other health services" (e.g., physicians and suppliers), both as defined in the Social Security Act, and any person or organization who furnishes, bills, or is paid for health care in the normal course of business. This expansive definition encompasses a wide variety of entities, including, for example, providers that are strictly "private pay" in nature and do not participate in Medicare or Medicaid.

      In a change from the proposal, the final rule now addresses explicitly how the privacy standards are to be implemented with respect to "organized health care arrangements" (i.e., legally-separate covered entities with integrated clinical or other operations, like an independent practice association), "hybrid entities" (i.e., where a covered entity or function is part of a larger legal entity), "multiple covered function entities" (i.e., where an organization operates more than one covered function), and affiliated organizations that operate covered entities. In the latter case, HHS now has provided the option for affiliates to designate themselves as a single covered entity for purposes of complying with the privacy rule.

    D. To What Documents And Information Do The Regulations Apply?

        The final regulations apply to "protected health information," which is defined generally as individually identifiable health information transmitted or maintained in any form or medium, excluding certain education records and student medical records. As expanded from the proposed regulation, the rule applies to and seeks to protect paper and oral communications, as well as those in electronic form, regarding an individual’s past, present, or future physical or mental health or condition, or relating to the provision of health care to the individual or payment for that health care, if the individual can or may be identified by such information.

        In contrast, the regulations do not restrict the use or disclosure of "de-identified" health information (i.e., information that does not identify an individual, or with respect to which there is no reasonable basis to believe individual identification is possible). Information will be considered de-identified under two circumstances: (i) where a person with appropriate statistical and scientific expertise determines and documents that the risk of identification is very small; or (ii) where the covered entity removes all of a list of enumerated "identifiers," including names, dates, geographic designations, telephone and fax numbers, email addresses, URLs, and biometric and other unique identifiers, and has no actual knowledge that the information could be used to identify the subject.

    E. What Do The Regulations Require In Protecting Privacy?

        First, in a change from the proposed rule, covered health care providers who have a direct treatment relationship with an individual must obtain written consent from the individual in order to use or disclose protected health information for treatment, payment, and health care operations. The required form of this consent is similar to informed consent documentation currently used by providers and others. This consent requirement does not apply in certain specified treatment situations, including emergencies. Other covered entities are permitted to obtain consents, but also may use and disclose protected health information for treatment, payment, and operations purposes without obtaining individual consent.

        Second, covered entities must give the individual an opportunity to agree or object, which may be done orally, before using or disclosing protected health information for facility directories or to persons assisting in the individual’s care; the rule sets out separate procedures for emergency and other circumstances in which the individual is not able to agree or object.

        Third, use and disclosure of protected health information is permitted without the individual’s consent, authorization, or agreement for specific public policy purposes, such as for law enforcement and public health activities (see Section F below). Certain information can also be used for research under this provision (see Section G below).

        Fourth, covered entities can disclose protected health information to the individual who is the subject of the information without any condition.

        Fifth, covered entities must obtain the individual’s written authorization (as distinguished from consent) in order to use or disclose information for any "other lawful purposes," including certain disclosures of psychotherapy notes. The regulations set out extensive and detailed requirements on the use and content of authorizations, in order to provide the individuals with "concrete information about, and control over, the uses and disclosure of protected health information about themselves." Specific provisions governing authorizations for use of information relating to research, marketing, and fundraising are discussed further below.

        In all cases in which use or disclosure of protected health information is permissible, the final rule obligates covered entities to develop policies that "reasonably ensure" that uses and disclosures of information are limited to the minimum necessary to accomplish the intended purpose of the use or disclosure. In a significant change from the proposal, HHS has provided that disclosures to, or requests by, a health care provider for treatment purposes are not subject to this standard; in other words, for treatment purposes, the entire medical record may be furnished to another provider.

    F. What Public Policy Exceptions Exist To The General Rule Against Disclosure Of Protected Health Information?

    As noted in the prior section, covered entities need not obtain any consent, authorization, or verbal agreement in order to use or disclose an individual’s protected health information for specified public policy purposes, or when required by law (e.g., reporting abuse, neglect, or domestic violence). For certain categories of these disclosures, the individual must be informed of the disclosure, or may himself request disclosure, but these communications may be accomplished orally. Exceptions to the general rule against disclosure of protected health information apply with respect to disclosures for or relating to:

      • Public health activities (e.g., reporting on products, adverse events or post-market surveillance to the Food and Drug Administration and reporting exposure to communicable disease);
      • Reports of abuse, neglect or domestic violence;
      • Health oversight activities (e.g., civil and criminal investigations, inspections, and licensure or disciplinary actions);
      • Judicial and administrative proceedings;
      • Law enforcement purposes (e.g., pursuant to a subpoena, warrant, discovery request, or court order, if "relevant" to a "legitimate law enforcement proceeding");
      • Information about decedents (e.g., to coroners, medical examiners, and funeral directors);
      • Tissue or organ procurement organizations;
      • Research (see Section G below);
      • Serious threat to health or safety;
      • Specialized government functions (e.g., military and veterans affairs, national security and intelligence, Secret Service protection and correctional institutions); and
      • Workers’ compensation.
    G. How Can Protected Health Information Be Used For Research?

        Two separate sets of provisions in the final regulation govern use of information for research purposes. Under one provision, when the research includes treatment of an individual, that individual must provide a written authorization for a covered entity’s use and disclosure of his or her protected health information. Under a separate section, the covered entity need not obtain an individual’s authorization if it has instead obtained a specific waiver of such authorization from either an institutional review board or a specially designated privacy board, provided such boards are free of conflicts of interest. The granting of such a waiver must be premised on meeting a list of specified, restrictive criteria, including that the research cannot practicably be conducted without the waiver and that there is an adequate plan to protect the identifiers. A further provision covers reviews preparatory to research: there, the covered entity must obtain from the researcher a number of specific representations, including that the use or disclosure is sought solely to prepare a research protocol or for similar purposes preparatory to research and that no protected health information will be removed from the entity.

    H. How Can Protected Health Information Be Used For Marketing And Fundraising?

        Marketing

        The general rule is that a covered entity must obtain a written authorization from an individual before it can use or disclose any protected health information for marketing purposes. At the same time, certain activities under the rule are excluded from this restriction. For example, excepted from the definition of "marketing" are activities relating to treatment, payment, and health care operations. Moreover, the covered entity can engage in "face-to-face" marketing to an individual through oral communications. In addition, covered entities may permissibly send newsletters and other communications to broad cross-sections of patients, and can provide to individuals nominally-priced items and services (e.g., calendars and pens) promoting the covered entity. Finally, more targeted marketing of health-related products by a covered entity must meet a list of restrictive conditions (e.g., prominently disclosing whether it receives payment for undertaking the marketing, identifying the covered entity making the communication, and instructing individuals how they may opt out of receiving future communications).

        Fundraising

        A covered entity need not obtain a written authorization for certain fundraising activities. For purposes of raising funds on its own behalf, a covered entity can use, or disclose to a business associate or institutionally-related foundation, demographic information about the individual (name and address) and the dates of health care provided to the individual. A covered entity must obtain a separate written authorization to use other information about the individual (e.g., diagnosis) for fundraising purposes, and it must, in any case, give the individual the opportunity to opt out of receiving further fundraising communications.

    I. How Do The Privacy Regulations Affect "Business Associates" Of Covered Entities?

        Covered entities generally are permitted by the rule to disclose protected health information to "business associates," provided that they obtain contractual assurances from the business associate that it will safeguard the information. A business associate relationship is created when the right to use or disclose protected health information belongs to the covered entity and another person or entity needs to use or disclose the information either (1) to perform a function for or on behalf of the covered entity, or (2) to provide certain specified services to the covered entity.

        Identifying business associates will be one of the most significant implementation challenges. The first type of business associate relationship may arise when a third-party performs functions, such as claims processing or administration, data analysis or processing, utilization review, quality assurance, and practice management, on behalf of a covered entity. The second type of business associate relationship may arise when organizations furnish legal, actuarial, accounting, accreditation, consulting, management, data aggregation, and financial services, among others, to covered entities.

        Importantly, the first type of business associate relationship arises only when the disclosure of protected health information is required to perform services or undertake functions for or on behalf of the covered entity. For example, no business associate relationship is created when a covered entity discloses information to a health plan to permit payment of claims, because the plan is not acting on the covered entity’s behalf. Similarly, the fact that a hospital extends staff privileges to a physician does not automatically create a business associate relationship, because neither party is providing functions or activities on behalf of the other. Such a relationship could arise, however, if the hospital performed billing services for the physician and required access to protected health information as part of that process.

        Business associate contracts are not required under the final rule when disclosure of protected information is necessary for treatment purposes (e.g., by one health care provider to another). In addition, members of a covered entity’s workforce (e.g., employees, and independent contractors who work under the entity’s direct control) are not considered business associates.

        The final rule enumerates the specific assurances that are required to be obtained by covered entities in their business associate contracts. Notably, HHS omitted from the final rule its proposed requirement that subjects of protected health information disclosed to a business associate be made third-party beneficiaries to business associate agreements. The agency also has relaxed somewhat its requirements for covered entities to monitor compliance with business associate contracts.

    J. How Do The Privacy Regulations Affect Sponsors Of Group Health Plans?

        Although neither employers nor sponsors of group health plans are defined as covered entities under the final rule, these parties may perform certain functions integrally related to the functions of group health plans and, as a result, may often require access to individual health information held by the group health plan. Based on these realities, but in an attempt to prevent protected health information from being used improperly for other employment-related functions, the privacy regulations now allow group health plans to disclose information to sponsors if the sponsor agrees to use and disclose the information in accordance with certain requirements. Group health plans also may authorize insurers and HMOs to make such disclosures to sponsors. The information may be used only for plan administration functions that the sponsor performs on behalf of the group health plan as specified in the plan documents. Note that enrollment functions performed by an employer on behalf of its employees will not be considered plan administration functions.

        A group health plan is not required to have a business associate agreement with its plan sponsor. However, several other requirements must be met in order for the group health plan to disclose protected health information to the sponsor. Plan documents must be amended to provide certain assurances concerning the treatment of protected health information (e.g., the sponsor must erect "firewalls," meaning organizational as well as technical separation, that restrict access to identified classes of employees who perform functions on behalf of the plan). In addition, the sponsor must furnish a written certification to the plan that it agrees to limit its use of, and otherwise safeguard, protected health information received from the plan.

    K. What Rights Are Afforded To Patients Regarding The Privacy Of Their Medical Records?

    The final regulation gives patients significant rights to understand and control use and disclosure of their individually identifiable health information. The new requirements, in turn, impose significant new obligations upon providers, plans, and others in furnishing notice of their privacy practices, providing patients with access to their own records, and more. Individual rights afforded by the privacy regulations include:

      • Right to adequate notice of privacy practices: Individuals must be provided with a notice of the covered entity’s privacy practices, i.e., of the protections in place regarding uses and disclosures of protected health information. Among other things, the notice must advise individuals how to file a complaint with the covered entity or the Secretary of HHS about alleged violations of their privacy rights, and must contain the name, title, and telephone number of a privacy contact. Specific requirements on the timing of providing notice are set forth, along with a special provision permitting health plans to provide notice every three years of the availability of the privacy notice (rather than having to reissue it).
      • Right to access protected health information: Individuals must be permitted to access, inspect, and copy their own protected health information, for as long as the information is maintained in a designated record set. The covered entity must act on the request within 30 days for records retained on-site, and within 60 days for records off-site. The entity may deny access for certain types of information, including psychotherapy notes and information needed for civil, criminal, or administrative actions, but must follow special provisions governing review of denials.
      • Right to an accounting of disclosures: Within 60 days after receiving a request, covered entities must provide individuals with a six-year accounting of disclosures of their protected health information. Certain exceptions apply, however, and the accounting need not include disclosures used for treatment, payment, or health care operations; disclosures made to national security, intelligence, or law enforcement officials, among others; or disclosures occurring prior to the compliance date for the covered entity.
      • Right to request amendment of protected health information: Individuals can request that the record of their protected health information be amended, but the covered entity may deny the request if it determines the record to be accurate and complete, otherwise exempt from inspection, or if it did not create the record in the first place.
      • Right to request privacy protection for protected information: Two types of requests for privacy protection are set forth. First, individuals can request that use and disclosure of their protected information be restricted, but covered entities need not agree to such restrictions. If the covered entity does agree, however, it must abide by the agreement except in emergency situations. Second, individuals can request that covered health care providers and plans communicate protected health information to them by alternative means or at alternative locations; providers must accommodate all reasonable requests, although health plans need not make such accommodation unless the individual clearly states that disclosure of the information could endanger the individual.
    L. What Happens If Protected Health Information Is Disclosed Improperly?

    The final rule contemplates an elaborate system for interaction between covered entities and HHS to achieve compliance with the new privacy requirements and to address complaints by affected parties regarding alleged noncompliance. The HHS Office for Civil Rights is charged with enforcing the rule. According to the regulation, the Secretary intends generally to work with covered entities to provide technical assistance and to achieve their voluntary compliance. Presumably, these activities will include HHS’s providing interpretations and guidance, responding to state requests for exemption determinations, investigating complaints, and conducting compliance reviews. Where voluntary compliance cannot be achieved, HHS may seek civil monetary penalties and make referrals for criminal prosecution to the Department of Justice.

      • Complaints to HHS: In general, any person who believes that a covered entity is not complying with the rule may file a written complaint with HHS within 180 days of when noncompliance was or should have been known (unless HHS waives that time limit for good cause shown). HHS may investigate the complaint or conduct a compliance review. Entities must cooperate, including furnishing on-site access, and may need to submit compliance reports.
      • Action by HHS: When HHS discovers a failure to comply with the rule, it will notify the covered entity (and, where appropriate, the complainant) and attempt to resolve the matter informally. If HHS determines that the matter cannot be resolved informally, it may issue written findings of noncompliance.
      • Civil or Criminal Penalties: While the final regulations do not discuss penalties for noncompliance, the HIPAA statute sets forth an array of civil and criminal penalties. These include civil penalties of not more than $100 per violation, capped at $25,000 per calendar year for violations of a single standard. Criminal penalties for "knowingly" using a unique health identifier or obtaining or disclosing individually identifiable health information include a fine of not more than $50,000 and/or imprisonment for up to one year. If the offense is committed under "false pretenses," a fine of not more than $100,000 and/or imprisonment for up to 5 years may be assessed. Finally, if the offense is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment for up to 10 years may be assessed.
  • WHAT SHOULD PROVIDERS AND OTHER COVERED ENTITIES BE DOING NOW TO COMPLY WITH THE NEW REQUIREMENTS?

    Needless to say, the new privacy requirements will impact different types of covered entities (and non-covered entities) in different ways. Some need to use and disclose individually identifiable health information on a daily basis, others only infrequently or as part of a business associate relationship. Entities with multiple locations, numerous employees, and sophisticated information technology systems will be confronted with different implementation challenges than will single location suppliers with a handful of employees who process vast quantities of paper records.

    Regardless of the size and scope of the operation, entities which may be subject to the new rule—whether as covered entities (providers, plans, or clearinghouses) or business associates or both—should take certain preliminary compliance steps if they have not done so already.

    • Appoint a Privacy Officer and/or Privacy Committee: The final regulations are very long and extremely complex. Dedicated personnel—preferably both operational and technological in their day-to-day functions—should be assigned to HIPAA compliance issues from the beginning. They should begin now familiarizing themselves with the rule, assessing compliance priorities, and monitoring future HHS transmittals and guidance about the rule. This recommendation applies to all types of organizations, from covered entities, to those furnishing services to covered entities (including law firms and consulting firms), to those that perform functions on behalf of covered entities (such as billing or management companies).
    • Identify and Collect in One Place All Current Informed Consent and Privacy Policies: A multi-system health care provider, for example, could have a host of different policies and forms in place used by different components of the organization: consents to treatment, consents to research, billing authorizations, medical records privacy disclosures, and the like. These should be compiled into a working file. In sending a general notification of the pendency of the privacy regulations to all components of the organization, the Privacy Officer/Committee should request copies of existing policies and caution against making any changes to those policies without consultation and approval.
    • Identify Policy "Gaps": The new regulations will require covered entities to have specific policies in place to address certain issues that may not currently be covered (e.g., certain fundraising activities). Although entities need not comply with the new regulations until February 2003 (February 2004 for small health plans), they should begin preparing policies to fill the identified gaps now, since drafting, approving, and training staff on new policies across an organization takes time.
    • Begin to Identify Protected Health Information and Information "Flows": Protected health information can take many forms: paper, electronic or oral. It can be created by a covered entity, used or maintained by the entity, and received or transmitted by the entity. Uses can range from treatment to operations, from research to fundraising, and from enrollment or admission to discharge. Entities potentially subject to the new regulations need to focus on the types and categories of protected health information they typically use or disclose, as well as the flow of the information (i.e., the data entry and exit points).
    • Begin to Identify Business Associates: By the time the regulations finally are implemented, a covered entity’s specific business associates may have changed. Nevertheless, covered entities should begin now identifying types or categories of business associates (consultants, service providers, accreditation entities) and the types of applicable information flow to and from those entities. With respect to any business associate relationship (i.e., involving performance of a specified service or a function for or on behalf of the covered entity plus the disclosure of protected health information in connection with the service) that is anticipated to extend beyond February 2003, a covered entity should conform its agreement with the business associate to the new regulatory requirements or, at a minimum, add a provision that permits future amendment of the document to satisfy those requirements.
    • Assess State Law Privacy Requirements: The new regulations preempt some but not all state privacy law requirements. Some states have more stringent regulations than those set forth in the federal regulations (e