Courtesy of Gil Hires
JAY DEW & ASSOCIATES - INSURANCE MANAGERS
HIPAA PRIVACY RULE - What Employers Need to Know

One of the most important aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is its privacy protection. The law gave the U.S. Department of Health and Human Services (HHS) the responsibility of adopting rules to help patients and other health care consumers keep as much of their personal information private as possible. The HIPAA privacy rule went into effect on April 14, 2003 for "covered entities", and even though employers are generally not covered entities, they are definitely affected by the rules that apply to entities that are covered. The HIPAA privacy rule Web site from HHS has much guidance on the rule, including a very lengthy Q & A section that attempts to cover the privacy rule from the standpoint of covered entities, employers, health care consumers, health care providers, and other interested parties.

This article presents basic information about the HIPAA privacy rule in question and answer format and is specifically focused on the most important things that employers need to know about how the privacy rule will affect them.

What is the primary purpose of the HIPAA privacy rule?

The rule protects from unauthorized disclosure any personally-identifiable health information (protected health information, or PHI) that pertains to a consumer of health care services.

What is considered "personally-identifiable health information"?

Health information is considered to be personally identifiable if it relates to a specifically identifiable individual; it generally includes the following, whether in electronic, paper, or oral format:

  1. Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
  2. Health care payment and remittance advice;
  3. Coordination of health care benefits;
  4. Health care claim status;
  5. Enrollment and disenrollment in a health plan;
  6. Eligibility for a health plan;
  7. Health plan premium payments;
  8. Referral certifications and authorization;
  9. First report of injury;
  10. Health claims attachments.

What is a covered entity?

The privacy rule applies to health plans, health care clearinghouses, and health care providers. It applies to employers only to the extent that they somehow operate in one or more of those capacities. The same standards apply to covered entities in both the public and private sectors.

How might an employer be a covered entity?

Normally, an employer will only deal with covered entities, not actually be one. However, if an employer has any kind of health clinic operations available to employees, provides a self-insured health plan for employees, or acts as the intermediary between its employees and health care providers, it will find itself handling the kind of PHI that is protected by the HIPAA privacy rule.

What must covered entities do to protect consumers of health care?

Covered entities must adopt written PHI privacy procedures; designate a privacy officer; require their business associates to sign agreements respecting the confidentiality of PHI; train all of their employees in privacy rule requirements; and give patients written notice of the covered entity's privacy practices, access to their medical records, a chance to request modifications to the records, a chance to request restrictions on the use or disclosure of their information, a chance to request an accounting of any use to which the PHI has been put, and a chance to request alternative methods of communicating information. They must also establish a process for patients to use in filing complaints and a process for dealing with those complaints. Finally, they must take any measures necessary to see that PHI is not used for making employment or benefits decisions, marketing, or fundraising.

What do the written privacy procedures include?

A covered entity's written privacy procedures must include safeguards for administration of PHI, physical security of such information, and electronic and other types of technical security. The procedures should include the designation of a privacy officer and an explanation of the complaint and resolution process.

When is patient authorization necessary?

Patient authorization is not necessary if a disclosure is made for purposes of treatment, securing payment, or in accordance with the operations of a health care provider. If PHI is to be disclosed for any other purpose, the patient's written authorization is mandatory.

When disclosing PHI, what must a covered entity do?

Whether or not the disclosure requires the patient's authorization, the covered entity must always release only as much information as is necessary to address the need of the entity requesting the information (what the regulation refers to as the "minimum necessary" information to satisfy the inquiry).

What penalties apply to violations of privacy rule requirements?

There are civil penalties of $100 per violation, but the penalties can be "stacked" if there are multiple violations with respect to a single individual. The maximum civil penalties are $25,000 per year, per person, per standard. Thus, if two standards were violated with respect to one person, the potential penalties could mount to as much as $50,000. Criminal penalties (up to a $250,000 fine and ten years in prison) may be imposed for "knowingly and improperly" disclosing information or obtaining information under "false pretenses", with higher penalties reserved for violations designed for financial gain or "malicious harm". In addition, of course, state laws may impose additional penalties for the same offenses, and most states would also allow common-law suits for torts such as invasion of privacy and infliction of emotional distress, among other causes of action.

Are there any exceptions to the privacy rule?

It is possible to disclose PHI without authorization if there is a compelling need for disclosure, such as when the information is needed for public health situations, court and agency proceedings, law enforcement, emergencies, identification of deceased people, and national security-related situations.

What about state laws?

The HIPAA privacy rule establishes a national minimum standard. If a state law provides greater privacy protections, the state law must be observed.
