HIPAA
Administration Simplification (part 4)
by A. Maureen Hanna
In the last three months we provided you with an overview of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, specifically the section that is referred to as Administration Simplification. As of the writing of this article, many of the details of this Act have not yet been released. However, the information below should provide providers with a summary of some of the rules and considerations that providers will need to keep in mind as the Act is implemented in the next year.
Proposed Standards for Privacy of Individually Identifiable Health Information (continued)
Scalability - The privacy standards will need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan. For this reason, the Secretary proposed the privacy principles and standards that covered entities must meet, but leaves the detailed policies and procedures for meeting these standards to the discretion of each covered entity. The intent is that implementation of these standards be flexible and scalable, to account for the nature of each covered entity's business, as well as the covered entity's size and resources. Each covered entity would assess its own needs and devise and implement privacy policies appropriate to its size, its information practices, and its business requirements.
Uses and Disclosures with Individual Authorization
The rule would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by the rule. Authorizations are needed in a wide array of circumstances. For example:
1. A potential employer may require health information as part of a background check for security purposes, or the patient may request a plan or provider to disclose information to obtain eligibility for disability benefits or to an attorney for use in a lawsuit.
2. Covered entities may also seek such an authorization in order to use protected health information for a purpose not otherwise permitted under this rule.
3. A health plan may wish to use a person's records for developing a marketing strategy.
The rule would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes. It would also require authorizations to clearly and specifically describe the information to be disclosed. If an authorization were sought so that a covered entity may sell, barter, or otherwise exchange the information for purposes other than treatment, payment, or health care operations, the covered entity would have to disclose this fact on the authorization form. The rule would also require authorizations to be revocable.
Uses and Disclosures for Treatment, Payment and Health Care Operations
Covered entities, with limited exceptions, would be permitted to use and disclose protected health information without individual authorization for treatment, payment, and health care operations. The types of activities that would be considered health care operations are defined in the rule.
Individual Rights
The rule proposes to establish several basic rights for individuals with respect to their protected health information. Individuals should be able to obtain access to protected health information about them, which would include a right to inspect and obtain a copy of such information. The right of access would extend to an accounting of disclosures of the protected health information for purposes other than treatment, payment, and health care operations.
Administrative Requirements and Policy Development and Documentation
In the Secretary's recommendations, she calls for a federal law that requires holders of identifiable health information to implement safeguards to protect it from inappropriate access, use or disclosure. Federal rules can and should require those who hold identifiable health information to develop and implement basic administrative procedures to protect that information and protect the rights of the individual with respect to that information.
Preemption
The HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections. The HIPAA also provides that standards issued by the Secretary will not supersede certain other State laws, including: State laws relating to reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention; State regulatory reporting; State laws which the Secretary finds are necessary to prevent fraud and abuse, to ensure appropriate State regulation of insurance, for State reporting on health care delivery or costs, or for other purposes; or State laws which the Secretary finds address controlled substances.
Enforcement
The HIPAA grants the Secretary the authority to impose civil monetary penalties against covered entities which fail to comply with the requirements of this rule, and also establishes criminal penalties for certain wrongful disclosures of protected health information. The civil fines are capped at $25,000 for each calendar year for each provision that is violated. The criminal penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain. The statute does not provide for a private right of action for individuals.
Conclusion
By placing strict boundaries around the ways covered entities could use and disclose information, the rules would protect health information at its primary sources: health plans and health care providers. By requiring covered entities to inform patients about how their information is being used and shared, by requiring covered entities to provide access to that information, and by ensuring that authorizations would be truly voluntary, these rules would provide patients with important new tools for understanding and controlling information about them. By requiring covered entities to document their privacy practices, this rule would focus attention on the importance of privacy, and reduce the ways in which privacy is compromised through inattention or misuse.