HIPAA. It’s Not Just for Doctors Anymore

HIPAA. That term is on the lips of virtually every healthcare provider and has been a constant area of concern over the last few years. Reviled by many providers and unknown to most individuals, HIPAA is poised to change the way the healthcare industry does business. HIPAA establishes, among other things, the first national standard for the protection of personal health information. While many providers have been protecting personal health information as a routine part of business, HIPAA is endeavoring to make the protections more noticeable to patients and more consistent nationally.

But while most providers know about HIPAA, the general public has taken very little notice. The first time many individuals will encounter HIPAA is when their physician hands them a multi-page notice of the uses of, and protections that will be offered to, their personal information. But HIPAA affects a great number of people other than healthcare providers. Employers that offer group health plans and any business or individual that provides services to physicians, healthcare providers, hospitals and insurance companies may also be affected by HIPAA. Companies and individuals that offer services to healthcare providers will also find that their business practices will be greatly affected by HIPAA.

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, was enacted by Congress to improve access to health insurance, to promote standardization and efficiency in the healthcare industry, and to offer nationally standardized protections for individual health information. While each issue is important to various healthcare industry groups, this article will focus on the single issue of HIPAA that affects everyone — the Privacy Rule.

The HIPAA Privacy Rule

The HIPAA Privacy Rule was created to limit the release of a patient’s protected health information without authorization. The privacy rule restricts any “covered entity” from releasing protected health information to third parties unless there is a valid authorization signed by the patient or the release of information fits within one of the regulatory exceptions. In general, protected health information is information that identifies a patient, or can be used to identify a patient, and relates to (1) a person’s past, present or future health condition, (2) the provision of healthcare, or (3) the payment for the provision of healthcare. Protected information can include such things as names, addresses, birthdates, Social Security numbers and the records from a patient’s visit to a provider.

HIPAA requires a physician or health plan to receive a signed authorization from individuals before disclosing their information to other parties. However, the HIPAA Privacy Rule contains exceptions to the requirement for authorizations in a limited set of circumstances that either benefit the public good or where an authorization would hinder the physician or health plan from offering quality healthcare services. Some examples of these exceptions include communications between physicians who are both treating a patient, disclosures needed by health plans to resolve billing questions, physician certification and peer review activities, and other similar situations.

Who Does HIPAA Affect?

The Department of Health and Human Services can only enforce HIPAA-related penalties against “covered entities” as they are defined by the regulations. The regulations define covered entities as healthcare providers, health plans and healthcare clearinghouses that engage in any number of electronic transactions. A healthcare provider under HIPAA is a person or company that furnishes, bills or is paid for health care. This definition is fairly broad and encompasses not only hospitals and physicians, but also chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, the true scope of parties that are affected by HIPAA does not end there.

A number of employers have also found that they are covered entities under HIPAA because of their activities running a group health plan for their employees. Typically, these employers are electing to be treated as “hybrid entities” to limit the effect of HIPAA’s restrictions to the specific section of their organization that runs the health plan. However, even as a hybrid entity, these employers must undergo all of the typical HIPAA preparation activities, and this can be an expensive proposition.

Finally, there are many companies or individuals that provide services to covered entities that require the use of protected health information. These companies or individuals are called business associates. While they are not liable for penalties under HIPAA, they will find that many business contracts will have to be renegotiated and business practices changed to reflect the privacy requirements.

Covered Entities. What Am I Required to Do?

Any covered entity described above should already have undergone a number of activities to be compliant with the HIPAA Privacy Rule that went into effect in April 2003. All covered entities are required to have drafted a Notice of Privacy Policies to be distributed to individuals describing how their information will be used and protected. Next, the covered entity must create written office policies for the protection of information and train employees. Finally, authorization forms and other HIPAA-required documents will need to be drafted for patients to sign for any disclosures not allowed under the Privacy Rule.

The deadline has already passed for physicians and other covered entities to be in compliance with the HIPAA Privacy Rule. However, it is not too late for physicians or other companies who have not prepared for HIPAA. The first steps to be taken by a covered entity trying to become compliant are to draft the forms to be handed to patients: the Notice of Privacy Policies and optional Authorization Forms. As the HIPAA Privacy Rule will be enforced based on patient complaints only, it is important to provide the proper forms to the patients. Once those forms are finished, time can be spent developing policies and training employees. A good healthcare attorney will have standard forms and can help any physician or company get a quick start on HIPAA compliance.

While covered entities may consider themselves compliant with HIPAA requirements, some subtle issues often have been overlooked. Most covered entities are aware that they must distribute Notice of Privacy Policies to individuals and post the notice on the wall in their office. However, many covered entities have not realized that they also must post the entire notice on any Web site that details the professional healthcare services offered by the covered entity.

Another subtle issue is the retraining or retesting of employees to improve HIPAA compliance. While most covered entities understand that they must train all employees on the HIPAA Privacy Rule, many covered entities have nothing in place to ensure that the employees retain the training. Retraining and retesting are not explicitly required by the HIPAA Privacy Rule; however, we consider it to be important to provide proof of continued compliance. We recommend an annual or biannual retraining exercise for all employees. This can be either a brief presentation reminding all employees of crucial HIPAA requirements or a multiple-choice questionnaire that identifies employees who need retraining.

Business Associates. Am I a Business Associate?

Also affected by HIPAA are “business associates” of covered entities. A business associate under the HIPAA Privacy Rule is a person or organization that uses or creates protected health information on behalf of a covered entity while performing certain functions or activities. These activities can include such things as claims processing, billing activities, legal services, accounting services, consulting services, administrative services, and even software or hardware support. Some companies have incorrectly assumed that, just because they provide services for a covered entity, they are a business associate, but this is not always the case. The key fact to examine is whether the presumed business associate ever handles or gains access to protected health information. This is very much a case-by-case determination, and it will be decided on the specific actions each company takes.

The good news for business associates just becoming aware of HIPAA is that the deadline for putting into place a HIPAA business associate agreement has not passed. While the rest of the HIPAA Privacy Rule went into effect in April of this year, business associate agreements have a one-year rolling deadline that ends on April 14, 2004. Any new contractual agreements or renewals of existing services contracts between a covered entity and a business associate that are negotiated after April 14, 2003, must include the HIPAA-required business associate language. By no later than April 14, 2004, all contracts between covered entities and business associates must have the required business associate provisions.

Business Associates. What Am I Required to Do?

HIPAA only directly regulates covered entities. However, the regulation does manage to exert great power over business associates as well. Any disclosure of protected information made by a covered entity to a business associate without a business associate agreement in place violates the HIPAA Privacy Rule. Through the ability to prosecute covered entities for disclosures that are not made subject to a business associate agreement, the HIPAA Privacy Rule exerts pressure on both parties to enter into a business associate agreement. Without an agreement in place, the covered entity cannot make the necessary disclosures that the business associate requires to provide the contracted services. The only decision left to the business associate is to agree to all of the HIPAA-required contractual provisions or terminate the business relationship. It is not surprising, given these choices, that most business associates are choosing to subject themselves to the HIPAA requirements.

So what are the requirements that HIPAA places on business associates? Generally, business associates cannot use protected information except when necessary to provide the contracted services to the covered entity. Further, the business associate is restricted from disclosing any protected information to third parties in any manner that would be a HIPAA violation for a covered entity. This means, for example, that a business associate would not be able to sell customer lists and addresses unless there has been an authorization signed for these purposes. These principles are embodied in the required provisions of a business associate agreement.

Business Associate Agreements. Drafting Duties

A common question that business associates ask is which party should be responsible for taking the initiative to draft a business associate agreement. The answer depends on the size and nature of the business associate and the covered entity. Because large companies, both as business associates and covered entities, may negotiate hundreds or even thousands of these agreements, these large companies are typically taking the initiative to draft their own forms. This allows a company with a significant number of agreements to put the agreements in place more efficiently. Depending on its size and relative power, the business associate or covered entity may state that the agreement form is nonnegotiable. The duty to ensure that an agreement is in place, however, lies with the covered entities. Thus, every covered entity must evaluate all services contracts and ensure that there is a business associate agreement where required.

Business Associate Agreements. Required Elements

The HIPAA Privacy Rule contains a number of provisions that are required to be included in every business associate agreement. The absence of any required provisions will cause the government to deem the contract invalid, and it will leave the covered entity open to government prosecution for all disclosures made to the business associate. When drafting or reviewing a business associate agreement, it is crucial to distinguish between these required provisions and any additional nonrequired provisions that can be negotiated. The following items are examples of required provisions for all business associate agreements:

  • Descriptions of permitted and required uses of protected information by the covered entity. Typically, the contract will allow only those permitted and required uses set forth in the underlying services contract.
  • A provision preventing the business associate from disclosing the protected information other than as permitted or required by the law or the agreement.
  • Requirement that the business associate use “appropriate safeguards” to prevent uses or disclosures of information not allowed by the agreement. Although some agreements may try to clarify the safeguards required through a written plan submitted by the business associate, all that is required by HIPAA is that the business associate promise to implement “appropriate safeguards.”
  • A provision requiring the business associate to report to the covered entity any uses or disclosures of information that violate the agreement. Many agreements may set a strict time limit (e.g., seven days) for the business associate to make this report, but there is no required time limit.
  • A provision requiring the business associate to get adequate assurance from any subagents or subcontractors that they will also protect any information disclosed.
  • A provision allowing any individual to receive a copy of all of the individual’s protected information on file with the business associate upon request.
  • A provision to make amendments and changes to protected information when appropriate as requested by an individual. Often, covered entities may reserve the right to decide what amendments are appropriate for the business associate.
  • A provision allowing the Department of Health and Human Services full access to all books and records to determine the validity of any HIPAA-based complaints.
  • A provision requiring the business associate to return or destroy all protected information under its control upon the termination of the business relationship.
  • A provision authorizing the immediate termination of the contract by the covered entity upon a “material violation” of the agreement by the business associate. Many business associates are successfully negotiating a prior notice requirement and period for mitigation. As the HIPAA Privacy Rule allows the covered entity to provide an opportunity to cure and resolve, to the extent possible, any breaches of the contract, this does not seem to be an unreasonable addition.

Business Associate Agreements. Negotiating Points

One of the biggest issues that has come up in the drafting of business associate agreements is the attempt by some companies to use these agreements to renegotiate the underlying services contracts. Often the drafting party is including additional provisions not required under the HIPAA Privacy Rule in an attempt to grab additional power or rights. When reviewing business associate agreements, it is important to identify all nonrequired provisions and evaluate the overall effect of those provisions.

The most common, and most controversial, nonrequired provision is an indemnity clause. Many covered entities are attempting to obtain full indemnity from damages caused by a business associate’s breach of the agreement. The HIPAA Privacy Rule does not require, or even discuss, indemnity clauses or damages due to disclosures of protected information. The effect or legal validity of these indemnity clauses is unclear, as the HIPAA Privacy Rule is still too new to have spawned civil lawsuits. The evaluation of these indemnity agreements is no different for a business associate agreement than for any other business contract.

Another common provision that is not required under the HIPAA Privacy Rule is a provision allowing a covered entity to examine the books and premises of the business associate for satisfaction that the information will be protected. There is no requirement for this type of examination in the HIPAA Privacy Rule, and a covered entity has no duty to ensure the protection of information by the business associate beyond entering into a business associate agreement. This provision has typically been requested by large and powerful covered entities, and it is unclear at this point whether any of the covered entities have an intention to undertake a thorough investigation. We have recommended that business associates not agree to this type of provision, but the analysis will depend on how comfortable the business associate is with allowing a business partner to examine its books and premises.

Another interesting provision that has been included in some agreements specifies that the covered entity retains all property rights to the protected information disclosed to the business associate. This may be especially important to groups that have a patient database that would be desirable to third-party marketers. Some business associates have maintained that they have the right to strip the individually identifiable information from the protected information and sell the collective “de-identified” data to a third party. HIPAA does create a process for de-identifying protected information for unfettered use by a covered entity, but the regulation is unclear as to whether a business associate has a similar right. Nonetheless, by retaining property rights to the protected information, some covered entities are protecting themselves and their patients from such uses.

HIPAA Enforcement. Penalties for Covered Entities & Business Associates

The most common question about HIPAA asked by both covered entities and business associates is what the potential penalties for violations are. For a covered entity, the statute authorizes monetary fines of $1,000 per violation up to an annual maximum of $25,000. For criminal violations, the fines can be as much as $250,000 and 10 years in prison. Business associates cannot be prosecuted under HIPAA; however, the penalty for a business associate can also be substantial. For a business associate, a violation of the business associate agreement can lead to immediate termination of all contracts. Additionally, it is likely that we will see civil lawsuits for damages filed by individuals harmed by unauthorized disclosures of protected information.

The Department of Health and Human Services’ Office of Civil Rights has been given the authority to enforce the HIPAA Privacy Rule. It has stated that its first goal is to encourage compliance with the rule rather than immediately fining covered entities. For this reason, we have encouraged clients to have written documents showing a timeline for compliance with the HIPAA Privacy Rule. By showing a plan for compliance, it is likely that the covered entity will be allowed to work with the Office of Civil Rights towards compliance on a first offense.

The HIPAA Privacy Rule has already evolved over the past few years, and we expect that the requirements and suggested practices to comply with HIPAA will continue to evolve in the future based upon the enforcement activity of the Office of Civil Rights.