HHS Issues Final Federal Privacy Regulations

March 1, 2001 Advisory
This is an introductory advisory on the final HIPAA privacy rule. The
advisory summarizes the key features of the rule, highlights several
areas of significant change from the proposed rule, and provides some
"action steps" for moving forward towards compliance with the rule's
requirements. For a general overview of HIPAA, please see our previous
advisory "Getting a Handle on HIPAA."
In future advisories, we will address specific HIPAA privacy and
e-health issues affecting your organization, keep you informed of
evolving interpretations, and provide a forum for questions and answers.
We will also address the critical role of state law in the
implementation of HIPAA. We invite you to submit your questions to us at
[email protected] for consideration in future advisories.
Nothing in this Health Information Technology Advisory constitutes legal
advice, which can only be obtained as a result of personal consultation
with an attorney. The information published here is believed to be
accurate at the time of publication, but is subject to change and does
not purport to be a complete statement of all relevant issues. If you
have any requests for topics or other suggestions, please contact
Advisory editor Michelle Wilcox DeBarge at 860.297.3702, or by e-mail at
[email protected].

HHS Issues Final Federal Privacy Regulations

Introduction
The federal Department of Health and Human Services (HHS)
delivered on its promise to issue a final federal privacy rule before
the end of 2000. HHS officially released the rule on December 28, 2000,
complete with approximately 340 pages of preamble to ring in the new
year. The preamble attempts to address the more than 52,000 comments
received by HHS on the proposed rule.
The final privacy rule implements provisions under the Health Insurance
Portability and Accountability Act ("HIPAA") requiring federal standards
for the privacy of individually identifiable health care information.
The federal privacy rule is one of a number of rules issued by HHS, both
proposed and final, addressing HIPAA's "Administrative Simplification"
provisions relating to the electronic transmission, storage, security
and privacy of individually identifiable health care information.
The rule was previously scheduled to take effect February 26, 2001, but
due to a regulatory technicality it will now be effective on April 14,
2001. Most entities covered by the rule must be in compliance with the
rule's standards by April 14, 2003. Secretary of HHS, Tommy Thompson,
recently announced, however, a new 30-day public comment period on the
final rule beginning February 28, 2001. Comments are due to HHS no later
than 5:00 p.m. on March 30, 2001. It is not clear what impact the new
comment period will have on the April 14, 2003 compliance date. Notably,
Secretary Thompson has stated that, after hearing the public's concerns
about the final rule, HHS's commitment is "to put strong and effective
patient privacy protections into effect as quickly as possible."
Who's Covered Under the Rule
The privacy rule primarily governs the activities of "covered entities."
However, the rule also reaches contractors of covered entities who perform
functions that involve the use or disclosure of individually identifiable health information.
1. Covered Entities
The final rule did not change the definition of "covered entity." Thus, the HIPAA
privacy standard applies to three types of covered entities: health plans, health care clearinghouses (entities that process health care data), and health care providers that transmit health information in electronic form to carry out certain administrative and financial transactions. Covered health care providers include all health care providers ranging from institutional providers, such as hospitals and nursing homes, to home health agencies, mental health providers, pharmacies, individual physicians and other practitioners.
2. Business Associates
The final rule confirms that HIPAA's requirements must be met by contractors
of a covered entity that handle individually identifiable health information while
providing a function or activity to or for the covered entity. The final rule refers
to these contractors as "business associates" (instead of "business partners"
used in the proposed rule) for consistency with the final HIPAA rule published in
August, 2000 concerning standard transactions and code sets.
Covered entities are required to contract with business associates
concerning the use and disclosure of individually identifiable health
information. The contract must require, among other things, that the
business associate use appropriate safeguards to prevent use or
disclosure of the information other than as permitted by the contract.
However, a business associate contract is not required for disclosures
by a covered entity to a health care provider concerning an individual's
treatment. In addition, members of the covered entity's workforce are
not considered business associates.
A covered entity may be held responsible under the privacy rule for the
actions of its business associates if it (1) knew of a pattern of
activity of the business associate that violated the business associate
contract, and (2) failed to take reasonable steps to rectify the
problem. If the covered entity discovers a problem and the problem is
not rectified, it must terminate its contract with the business
associate, if feasible. If termination is not feasible, the covered
entity must report the problem to HHS.
Significantly, HHS removed the highly controversial proposed requirement
that the business associate agreement include language making protected
individuals third party beneficiaries of the agreement. This language
potentially would have given protected individuals the ability to sue
under the business associate contract, even though the HIPAA statute
does not give protected individuals a private right of action.
What's Covered Under the Rule
The proposed privacy rule covered individually identifiable health information
electronically transmitted or stored at any time. The final rule expands the category of information protected under the rule to include individually identifiable health information transmitted by a covered entity, regardless of form or medium. Thus, the final rule clearly covers paper, not just electronic, records as well as oral statements.
Consent and Authorization Requirements
The final rule establishes a number of different methods and requirements
for obtaining patient permission to use or disclose protected information,
depending on the proposed use or disclosure.
1. "Consent" Required for Treatment, Payment or Health Care Operations
In an abrupt departure from the proposed rule, the final privacy rule
permits the use or disclosure of individually identifiable information
by a covered health care provider for treatment, payment, or health care
operations only with the protected individual's written "consent." The
consent must comply with certain content requirements, including the
requirement to notify the individual that individually identifiable
information may be used for treatment, payment, or health care
operations. The consent can be combined with other consents, such as
informed consent to treatment, provided a number of conditions are
satisfied.
A covered health care provider may require the patient to give consent
as a condition of treatment.
The final rule delineates a few specific instances when consent is not
required, such as in an emergency or when the covered health care
provider has an "indirect treatment relationship" with the individual.
An indirect treatment relationship exists (1) when the health care
provider delivers care to the individual based on the orders of another
health care provider, and (2) the health care provider typically
provides services, products or reports results directly to another
health care provider, who in turn provides the services, products or
reports to the individual. An indirect treatment relationship might
arise, for example, between a radiologist or pathologist and a patient.
The final rule also permits covered entities that participate in an
"organized health care arrangement" to have a joint consent. An
organized health care arrangement is defined to include specific
integrated delivery or payment arrangements between providers or payors.
2. "Authorization" Needed for Most Other Uses and Disclosures
With some exceptions (discussed further below), uses and disclosures other than for treatment, payment or health care operations require a written "authorization." In addition, an authorization is generally required for the use or disclosure of psychotherapy notes. In contrast to a consent, a covered entity in most cases may not condition the provision of treatment, payment or enrollment in a health plan on the provision of an authorization. The final rule includes content requirements for authorizations, which vary depending upon the proposed use or the disclosure of the information.

3. Opportunity to "Agree" or "Object"
For some categories of uses and disclosures, the covered entity may
proceed without a consent or authorization if the covered entity gives
the patient the opportunity to restrict or prohibit some or all of the proposed
uses or disclosures. These categories include uses and disclosures for purposes of maintaining a healthcare facility's patient directory, for disaster relief purposes, and to persons (e.g., family, friends) involved in the patient's care.
4. When Consent and Authorization Are Not Required
In certain limited situations and subject to specific requirements, covered entities may use or disclose individually identifiable information without a consent or authorization. These include uses and disclosures:
  • related to the public health and welfare, such as the reporting of
    abuse, neglect or domestic violence;
  • required by law;
  • for healthcare oversight;
  • for judicial and administrative proceedings;
  • for law enforcement purposes; and
  • for workers' compensation.
5. Uses and Disclosures of Information Obtained Prior to Compliance Date
of Rule
The final rule addresses to some degree the practical problem of
how to handle uses and disclosures of information created or received
before the compliance date of the final rule. Covered entities may rely
on previously obtained consents, authorizations or other legal
permissions to use or disclose information created or received prior to
the compliance date of the final rule.
Minimum Necessary Uses and Disclosure
The final rule requires covered entities to make reasonable efforts to
ensure only the minimum necessary protected health information is
used, disclosed or requested by the covered entity. The rule outlines
the procedures and actions the covered entity must undertake to ensure
the minimum necessary requirements are met. For routine and recurring
disclosures, the covered entity must implement policies and procedures
that limit the protected health information disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure. However, for all other disclosures, the covered entity must conduct an individualized review in accordance with pre-determined criteria designed to limit disclosure of protected health information to that which is reasonably necessary to accomplish the purpose for which the disclosure is sought.

Notably, the final rule clarifies that the minimum necessary
requirements do not apply to, among other things, disclosures to or
requests by a health care provider for treatment purposes. This
clarification alleviates concerns raised by many health care providers
that the minimum necessary requirements might impair patient care by
limiting access to relevant treatment information.
Marketing and Fundraising
The final rule permits certain marketing and fundraising activities
without a specific authorization by including some types of marketing
and fundraising activities within the definition of "health care operations."
Accordingly, if a covered health care provider, for example, obtains the
individual's consent to use or disclose individually identifiable information
for treatment, payment or health care operations, it may use the information
for certain marketing and fundraising activities. These activities include face-to-face marketing of products or marketing of services of nominal value. In addition, marketing is considered part of the entity's health care operations if the communication:
  • identifies the covered entity as the party making the communication;
  • prominently states if the covered entity has or will receive any direct
    or indirect remuneration for making the communication; and
  • tells individuals how they may opt out of receiving future
    communications.
(The opt-out notification is not required when the communication is part
of a newsletter or similar general publication distributed to a broad
cross-section of individuals.)
If the proposed marketing or fundraising targets an individual based on
the individual's health status or condition, the covered entity must
also:
  • make a determination prior to making the communication that the marketed product or service may be beneficial to the health of the type or class of individual targeted; and
  • explain in the communication why the individual has been targeted and
    how the product or service relates to the health of the individual.
The rule also allows a covered entity, as part of its health care
operations, to use or disclose to a business associate or to an
institutionally related foundation certain limited information for the
covered entity's own benefit. However, the covered entity must provide a
statement in its privacy notice (discussed below) that the covered
entity may contact the individual to raise funds for the covered entity.
In addition, the fundraising materials must include a description of how
the individual may opt out of receiving any further fundraising
communications.
Notice of Privacy Practices and Administrative Requirements
The final rule includes numerous specific notice and administrative requirements. Covered entities are required to give individuals notice of (1) the entity's information use and disclosure practices; (2) the entity's legal responsibilities with respect to protected health information; and
(3) the individual's rights. The final rule describes in detail the various content requirements of the notice.
In addition, most of the "administrative requirements" contained in the
proposed rule remain in the final rule. These include workforce training
requirements, designation of a privacy official, implementation of a
complaint process, and development of policies and procedures addressing
implementation of and compliance with the various HIPAA privacy
requirements.
Individual Rights
Consistent with the proposed rule, the final rule grants a variety of individual rights to patients with respect to their protected health information. In addition to the right to receive a notice of privacy practices, in some cases individuals have the right to request restrictions on use and disclosures of protected health information. The final rule also gives individuals the following rights:
  • Right to have access to, and to copy, their protected health
    information;
  • Right to request amendments to their protected health information;
  • Right to an accounting of disclosures of their protected health
    information made by the covered entity.
The final rule contains detailed requirements for the management and
implementation of these various rights.
Health Care Systems and Other Affiliated Entities
The final privacy rule introduces an important new provision that allows legally separate covered entities that are affiliated to designate themselves as a single covered entity for purposes of complying with HIPAA. To be affiliated entities, all of the entities must be under "common control" or "common ownership." "Common control" is defined as when an entity has the power,
directly or indirectly, to influence or direct the actions or policies of another entity. "Common ownership" is defined as when an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
This new provision may help health care systems and other affiliated
entities streamline resources expended in complying with the rule. For
example, affiliated entities may distribute a single shared notice of
information practices and consolidate certain other functions as a
single "covered entity."
"Hybrid Entities"
The final rule addresses requirements for covered entities that are part of a larger non-health care entity. The component of the larger entity that is a covered entity must comply with all applicable requirements of the privacy rule. In addition, the final rule requires these "hybrid entities," such as employers that self-administer a health plan, to erect firewalls between the entity's health care and non-health care components to protect against improper use or disclosure within the organization.
Effect on State Privacy Laws
HIPAA requires, and the final rule provides, that "more stringent" state
privacy law will remain in effect. The final rule also lists other state laws
that will remain in effect, such as those relating to the reporting of child
abuse and to certain public health and safety matters. Accordingly,
covered entities must implement information use and disclosure practices and policies that comply with both the HIPAA privacy requirements and applicable state laws. This will be particularly challenging for covered entities that conduct business across state lines. Covered entities must still pay careful attention to the patchwork of existing individual state privacy laws (and those that may be enacted in the wake of HIPAA) and must incorporate state-specific requirements into their information use and disclosure practices.
Notably, the final rule completely eliminates the advisory opinion
process outlined in the proposed rule. That process would have allowed
states to request, or HHS to issue on its own initiative, advisory
opinions as to whether a provision of state law remains in effect under
HIPAA.
Compliance and Enforcement
The final rule outlines two primary methods for enforcing the privacy standards:
  • Filing of complaints to the Secretary of HHS by aggrieved individuals,
    with subsequent investigation by the Secretary;
  • Compliance reviews initiated by the Secretary of HHS.
The final rule further states that the Secretary may provide technical
assistance to covered entities to help them comply voluntarily with the
privacy requirements and suggests that the Secretary will attempt to
resolve non-compliance through informal means before formal action is
taken.
Delegation to Office for Civil Rights
The Secretary of HHS has officially delegated authority to administer,
interpret and implement the privacy standards to the Office for Civil Rights
("OCR"). OCR also has the authority to impose civil fines and to enforce the privacy standards. The Secretary published a notice in the Federal Register on December 28, 2000 announcing the delegation.
Penalties
Although the final privacy rule is silent regarding penalties
for noncompliance, HIPAA provides significant penalties for violations.
The Office for Civil Rights, acting under the authority of HHS, may
impose civil fines of up to $100.00 per violation with an annual $25,000
cap for violations of the same requirement. Criminal penalties are also
available with fines of up to $250,000 and imprisonment of up to 10
years, depending on the nature of the violation.
Recommended Action
The length of the final privacy rule highlights its complexity and the need for immediate action to begin to address its requirements. Covered entities will need to analyze all of their uses and disclosures of individually identifiable information and their relationships with business associates in light of the privacy standards and state law. They will also need to develop a wide array of policies, procedures, and forms, establish a mechanism for workforce education, and develop an ongoing compliance effort. All of this will need to be accomplished within the two-year implementation timeframe. State and national provider associations and other organizations may be good resources for sample policies and other guidance. Additionally, we recommend that providers and other covered entities take the following "action steps" as soon as possible:
1. Appoint a HIPAA leader or officer to spearhead compliance efforts.
2. Inventory current systems, and policies and procedures, and assess
against HIPAA requirements and state confidentiality laws.
3. Inventory contractual arrangements and develop a list of business
associates.
4. Develop a working plan and working groups to accomplish specific tasks. These tasks should include the development of business associate agreements, policies and procedures addressing all of the HIPAA requirements, a notice of information use and disclosure practices, a complaint process, and appropriate consents and authorization forms.
5. Develop workforce training programs and revise employee handbooks and policies to address HIPAA requirements.
6. Develop a HIPAA compliance plan or work HIPAA compliance into your existing corporate compliance program.
A more detailed discussion of recommended steps to take in achieving
HIPAA compliance is available on our web site at
www.wiggin.com.
Wiggin & Dana is an industry leader in both health care and information
technology (IT) law. Our Health Information Technology (HIT) practice
combines our health care regulatory and corporate practice with our IT
practice, including systems licensing, e-commerce and Internet issues,
as well as intellectual property matters to provide a sound, practical
understanding of IT legal and business issues that takes into account
each client's unique operational needs, goals and priorities, and the
applicable state and federal regulatory requirements. Our lawyers are
well-versed in the technical, regulatory, business and practical
considerations shaping health care in our IT world today. We advise
clients concerning the computerization of medical records and health
claims information, the collection and electronic transmission of highly
confidential patient information, Internet-based health services and
other health care e-commerce, the digitization of medical imaging, and
telemedicine.
Wiggin & Dana's HIT practice serves a diverse group of health care and
business clients: health care providers; systems and networks; health
care provider associations; health plans; e-commerce businesses;
software developers; data clearinghouses and networks; web designers, IT
vendors, suppliers, and consultants; technology companies; and
application service providers. Wiggin & Dana helps our health care and
business clients manage the business risks and legal issues associated
with IT systems and services, including the electronic exchange of
health information and data, e-commerce, and intranet and Internet
activities. Our HIT attorneys:
  • Develop policies, procedures, notices, contracts and other documentation
    required under state and federal law regarding security, privacy and
    other government requirements for health information management.
  • Audit processes, contractual arrangements, services and products for
    compliance with federal and state requirements.
  • Provide ongoing advice concerning health information technology issues
    by keeping abreast of legislative and regulatory changes and industry
    developments.
  • Assist in the development of information systems and in the creation and
    operation of databases and repositories.
  • Help structure Internet-based services and assist with e-commerce
    ventures and other entrees into the digital world.
  • Facilitate outsourcing arrangements for administrative and IT functions.
  • Draft, review and negotiate software development and licensing
    contracts.
  • Prepare written testimony and comments on legislative and regulatory
    issues, proposals and changes affecting our clients.
  • Provide in-service and other educational information and programs for
    our clients' staff, consultants, vendors, and customers.
The creation, storage, transmission, disclosure, ownership, use,
confidentiality and security of health information and data require
integrating many legal, regulatory and practical considerations. Use of
health information systems, the Internet and electronic connectivity for
health care service delivery and business ventures have also created new
business opportunities and legal challenges. We help our clients work
through the federal electronic transactions, security and privacy
requirements being implemented under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), comply with Federal Trade
Commission (FTC) and Food and Drug Administration (FDA) requirements,
and establish intellectual property protections in the new media being
used in these ventures, as well as help them develop long-term
strategies for using the Internet and other IT ventures to their
advantage.
We know that organizations involved in any aspect of health care
delivery need to respond rapidly to the Internet and IT marketplace, as
it changes at "Internet speed." Our lawyers help our clients find
creative and efficient ways to make the most of new IT opportunities,
while managing the associated legal and business issues with our
comprehensive knowledge of the health and technology sectors.
For more information about the Wiggin & Dana Health Information
Technology practice, please contact one of the following lawyers:
Jeanette Schreiber at 203.498.4334, or by e-mail at [email protected]
Mary Norris at 203.498.4377, or by e-mail at [email protected]