HHS Issues Final Federal Privacy Regulations
advisory summarizes the key features of the rule, highlights several
areas of significant change from the proposed rule, and provides some
"action steps" for moving forward towards compliance with the rule's
requirements. For a general overview of HIPAA, please see our previous
advisory "Getting a Handle on HIPAA."
e-health issues affecting your organization, keep you informed of
evolving interpretations, and provide a forum for questions and answers.
We will also address the critical role of state law in the
implementation of HIPAA. We invite you to submit your questions to us at
[email protected] for consideration in future advisories.
advice, which can only be obtained as a result of personal consultation
with an attorney. The information published here is believed to be
accurate at the time of publication, but is subject to change and does
not purport to be a complete statement of all relevant issues. If you
have any requests for topics or other suggestions, please contact
Advisory editor Michelle Wilcox DeBarge at 860.297.3702, or by e-mail at
delivered on its promise to issue a final federal privacy rule before
the end of 2000. HHS officially released the rule on December 28, 2000,
complete with approximately 340 pages of preamble to ring in the new
year. The preamble attempts to address the more than 52,000 comments
received by HHS on the proposed rule.
Portability and Accountability Act ("HIPAA") requiring federal standards
for the privacy of individually identifiable health care information.
The federal privacy rule is one of a number of rules issued by HHS, both
proposed and final, addressing HIPAA's "Administrative Simplification"
provisions relating to the electronic transmission, storage, security
and privacy of individually identifiable health care information.
due to a regulatory technicality it will now be effective on April 14,
2001. Most entities covered by the rule must be in compliance with the
rule's standards by April 14, 2003. Secretary of HHS, Tommy Thompson,
recently announced, however, a new 30-day public comment period on the
final rule beginning February 28, 2001. Comments are due to HHS no later
than 5:00 p.m. on March 30, 2001. It is not clear what impact the new
comment period will have on the April 14, 2003 compliance date. Notably,
Secretary Thompson has stated that, after hearing the public's concerns
about the final rule, HHS's commitment is "to put strong and effective
patient privacy protections into effect as quickly as possible."
to these contractors as "business associates" (instead of "business partners"
August, 2000 concerning standard transactions and code sets.
concerning the use and disclosure of individually identifiable health
information. The contract must require, among other things, that the
business associate use appropriate safeguards to prevent use or
disclosure of the information other than as permitted by the contract.
However, a business associate contract is not required for disclosures
by a covered entity to a health care provider concerning an individual's
treatment. In addition, members of the covered entity's workforce are
not considered business associates.
actions of its business associates if it (1) knew of a pattern of
activity of the business associate that violated the business associate
contract, and (2) failed to take reasonable steps to rectify the
problem. If the covered entity discovers a problem and the problem is
not rectified, it must terminate its contract with the business
associate, if feasible. If termination is not feasible, the covered
entity must report the problem to HHS.
that the business associate agreement include language making protected
individuals third party beneficiaries of the agreement. This language
potentially would have given protected individuals the ability to sue
under the business associate contract, even though the HIPAA statute
does not give protected individuals a private right of action.
In an abrupt departure from the proposed rule, the final privacy rule
permits the use or disclosure of individually identifiable information
by a covered health care provider for treatment, payment, or health care
operations only with the protected individual's written "consent." The
consent must comply with certain content requirements, including the
requirement to notify the individual that individually identifiable
information may be used for treatment, payment, or health care
operations. The consent can be combined with other consents, such as
informed consent to treatment, provided a number of conditions are
as a condition of treatment.
required, such as in an emergency or when the covered health care
provider has an "indirect treatment relationship" with the individual.
An indirect treatment relationship exists (1) when the health care
provider delivers care to the individual based on the orders of another
health care provider, and (2) the health care provider typically
provides services, products or reports results directly to another
health care provider, who in turn provides the services, products or
reports to the individual. An indirect treatment relationship might
arise, for example, between a radiologist or pathologist and a patient.
"organized health care arrangement" to have a joint consent. An
organized health care arrangement is defined to include specific
integrated delivery or payment arrangements between providers or payors.
3. Opportunity to "Agree" or "Object"
- related to the public health and welfare, such as the reporting of
abuse, neglect or domestic violence;
- required by law;
- for healthcare oversight;
- for judicial and administrative proceedings;
- for law enforcement purposes; and
- for workers' compensation.
how to handle uses and disclosures of information created or received
before the compliance date of the final rule. Covered entities may rely
on previously obtained consents, authorizations or other legal
permissions to use or disclose information created or received prior to
the compliance date of the final rule.
Notably, the final rule clarifies that the minimum necessary
requirements do not apply to, among other things, disclosures to or
requests by a health care provider for treatment purposes. This
clarification alleviates concerns raised by many health care providers
that the minimum necessary requirements might impair patient care by
limiting access to relevant treatment information.
- identifies the covered entity as the party making the communication;
- prominently states if the covered entity has or will receive any direct
or indirect remuneration for making the communication; and
- tells individuals how they may opt out of receiving future
of a newsletter or similar general publication distributed to a broad
cross-section of individuals.)
the individual's health status or condition, the covered entity must
- make a determination prior to making the communication that the marketed product or service may be beneficial to the health of the type or class of individual targeted; and
- explain in the communication why the individual has been targeted and
how the product or service relates to the health of the individual.
operations, to use or disclose to a business associate or to an
institutionally related foundation certain limited information for the
covered entity's own benefit. However, the covered entity must provide a
statement in its privacy notice (discussed below) that the covered
entity may contact the individual to raise funds for the covered entity.
In addition, the fundraising materials must include a description of how
the individual may opt out of receiving any further fundraising
(3) the individual's rights. The final rule describes in detail the various content requirements of the notice.
proposed rule remain in the final rule. These include workforce training
requirements, designation of a privacy official, implementation of a
complaint process, and development of policies and procedures addressing
implementation of and compliance with the various HIPAA privacy
- Right to have access to, and to copy, their protected health
- Right to request amendments to their protected health information;
- Right to an accounting of disclosures of their protected health
information made by the covered entity.
implementation of these various rights.
directly or indirectly, to influence or direct the actions or policies of another entity. "Common ownership" is defined as when an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
entities streamline resources expended in complying with the rule. For
example, affiliated entities may distribute a single shared notice of
information practices and consolidate certain other functions as a
single "covered entity."
process outlined in the proposed rule. That process would have allowed
states to request, or HHS to issue on its own initiative, advisory
opinions as to whether a provision of state law remains in effect under
- Filing of complaints to the Secretary of HHS by aggrieved individuals,
with subsequent investigation by the Secretary;
- Compliance reviews initiated by the Secretary of HHS.
assistance to covered entities to help them comply voluntarily with the
privacy requirements and suggests that the Secretary will attempt to
resolve non-compliance through informal means before formal action is
for noncompliance, HIPAA provides significant penalties for violations.
The Office of Civil Rights, acting under the authority of HHS, may
impose civil fines of up to $100.00 per violation with an annual $25,000
cap for violations of the same requirement. Criminal penalties are also
available with fines of up to $250,000 and imprisonment of up to 10
years, depending on the nature of the violation.
1. Appoint a HIPAA leader or officer to spearhead compliance efforts.
2. Inventory current systems, and policies and procedures, and assess against HIPAA requirements and state confidentiality laws.
3. Inventory contractual arrangements and develop a list of business associates.
4. Develop a working plan and working groups to accomplish specific tasks. These tasks should include the development of business associate agreements, policies and procedures addressing all of the HIPAA requirements, a notice of information use and disclosure practices, a complaint process, and appropriate consents and authorization forms.
5. Develop workforce training programs and revise employee handbooks and policies to address HIPAA requirements.
6. Develop a HIPAA compliance plan or work HIPAA compliance into your existing corporate compliance program.
HIPAA compliance is available on our web site at www.wiggin.com.
technology (IT) law. Our Health Information Technology (HIT) practice
combines our health care regulatory and corporate practice with our IT
practice, including systems licensing, e-commerce and Internet issues,
as well as intellectual property matters to provide a sound, practical
understanding of IT legal and business issues that takes into account
each client's unique operational needs, goals and priorities, and the
applicable state and federal regulatory requirements. Our lawyers are
well-versed in the technical, regulatory, business and practical
considerations shaping health care in our IT world today. We advise
clients concerning the computerization of medical records and health
claims information, the collection and electronic transmission of highly
confidential patient information, Internet-based health services and
other health care e-commerce, the digitization of medical imaging, and
business clients: health care providers; systems and networks; health
care provider associations; health plans; e-commerce businesses;
software developers; data clearinghouses and networks; web designers, IT
vendors, suppliers, and consultants; technology companies; and
application service providers. Wiggin & Dana helps our health care and
business clients manage the business risks and legal issues associated
with IT systems and services, including the electronic exchange of
health information and data, e-commerce, and intranet and Internet
activities. Our HIT attorneys:
- Develop policies, procedures, notices, contracts and other documentation
required under state and federal law regarding security, privacy and
other government requirements for health information management.
- Audit processes, contractual arrangements, services and products for
compliance with federal and state requirements.
- Provide ongoing advice concerning health information technology issues
by keeping abreast of legislative and regulatory changes and industry
- Assist in the development of information systems and in the creation and
operation of databases and repositories.
- Help structure Internet-based services and assist with e-commerce
ventures and other entrees into the digital world.
- Facilitate outsourcing arrangements for administrative and IT functions.
- Draft, review and negotiate software development and licensing
- Prepare written testimony and comments on legislative and regulatory
issues, proposals and changes affecting our clients.
- Provide in-service and other educational information and programs for
our clients' staff, consultants, vendors, and customers.
confidentiality and security of health information and data require
integrating many legal, regulatory and practical considerations. Use of
health information systems, the Internet and electronic connectivity for
health care service delivery and business ventures have also created new
business opportunities and legal challenges. We help our clients work
through the federal electronic transactions, security and privacy
requirements being implemented under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), comply with Federal Trade
Commission (FTC) and Food and Drug Administration (FDA) requirements,
and establish intellectual property protections in the new media being
used in these ventures, as well as help them develop long-term
strategies for using the Internet and other IT ventures to their
delivery need to respond rapidly to the Internet and IT marketplace, as
it changes at "Internet speed." Our lawyers help our clients find
creative and efficient ways to make the most of new IT opportunities,
while managing the associated legal and business issues with our
comprehensive knowledge of the health and technology sectors.
Technology practice, please contact one of the following lawyers: