Julia Draznin Maltzman, MD and Bruce D. Armon, Esquire
Last Modified: February 1, 2004
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996. HIPAA stressed three major points: 1) ensure continuity of health insurance coverage; 2) combat fraud and abuse; and 3) simplify health insurance administration. At the time of HIPAA's enactment, the third point, administrative simplification, received little media attention. The goal of administrative simplification was relatively straightforward: the creation of an electronic data exchange in health care, including protections for the privacy and security of individuals.
The U.S. Department of Health and Human Services was responsible for developing regulations to clarify how administrative simplification should be structured. One of the regulations implemented, the so-called Privacy Rule, creates national standards to protect individuals' medical records and other personal health information. Of the HIPAA regulations implemented to date, the Privacy Rule has received the most media attention and is still the subject of confusion among patients, providers and other parties in the health care system. The Privacy Rule went into effect on April 14, 2003.
The Privacy Rule impacts all patients, including those who are battling cancer. After receiving a cancer diagnosis, patients face many arduous tasks and choices. In addition to the psychological and personal adjustments, a cancer patient may search for an appropriate physician to care for him or her, seek to better understand the diagnosis and the accompanying medical jargon, learn about a multitude of possible medical tests and their implications, and be aware of the rules and regulations that govern the relationship with the physician, as well as the individual patient's rights.
OncoLink can help with each of these tasks. This week, we will explain the impact of the HIPAA Privacy Rule and how it may affect the patient/doctor relationship.
We have asked Bruce D. Armon, Esquire, a prominent attorney from Saul Ewing LLP in Philadelphia who practices health care corporate law, to help us understand HIPAA and the Privacy Rule. OncoLink reminds its readers that Mr. Armon's statements are intended for general information purposes and do not constitute, and should not be construed as, legal advice or legal opinion on any specific facts or circumstances.
OncoLink: Mr. Armon, you have spent much time and effort thinking about HIPAA and its implications and assisting your clients. Could you explain the primary purpose of the HIPAA Privacy Rule?
Mr. Armon: Prior to HIPAA, there was a patchwork of federal and state standards protecting the confidentiality of an individual's health information. The laws varied from state to state and generally only affected parts of the health care delivery system. Before its enactment, members of Congress read various media reports and heard "horror stories" from consumer advocates of patient medical records being disposed of in public trash receptacles and of personal medical information being disclosed to third parties without the patient's consent.
The U.S. Department of Health and Human Services was sensitive to these concerns when drafting the Privacy Rule. Accordingly, the regulators identified three primary purposes of the Privacy Rule. The goals include: 1) to protect the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; 2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers and health care professionals; and 3) to improve the efficiency and effectiveness of health care delivery.
Unlike most federal regulations, the Privacy Rule establishes a "floor" to protect the confidentiality of an individual's medical information. State laws that are more stringent than the Privacy Rule remain in effect.
The Privacy Rule takes on increased importance given the rapid change from paper to electronic delivery of medical information among various stakeholders in the health care delivery system.
The Privacy Rule directly regulates the conduct of three entities: 1) a health care provider (e.g., a physician) who transmits any health information in electronic form; 2) a health plan; and 3) a health care clearinghouse. Collectively, these are considered "covered entities" according to the Privacy Rule.
OncoLink: What rights does the Privacy Rule give to individuals?
Mr. Armon: The focus of the Privacy Rule is the use and disclosure of "protected health information", or PHI. PHI is individually identifiable health information (IIHI) that is transmitted or maintained in electronic or any other form or medium. IIHI is health information that identifies an individual. The Privacy Rule identifies the elements that are considered IIHI, including name, telephone number, email address, social security number, and birth date.
As of April 14, 2003, when an individual is treated by a health care provider compliant with HIPAA, that individual should receive notice of privacy practices. This document describes the uses and disclosures of protected health information that may be made by the provider. The notice should also explain the individual's rights and the health care provider's legal duties with respect to the protected health information.
From the perspective of the U.S. Department of Health and Human Services, the Privacy Rule gives patients more control over their protected health information than ever before and sets appropriate boundaries on the use and release of medical records.
With certain exceptions, the Privacy Rule gives individuals a right to inspect and/or obtain a copy of their own health information. The patient also has the right to request an amendment of his or her protected health information.
Importantly, the Privacy Rule also permits the patient to receive an account of certain disclosures made by the health care provider in the six years prior to the date on which this account is requested. This allows the patient to gain a better understanding of the other parties that received his or her protected health information from that particular provider.
Finally, like most statutes, HIPAA has provisions for civil and criminal penalties that can be imposed by the federal government if the statute is violated by a doctor.
OncoLink: How does HIPAA affect patient medical care and the patient/physician relationship?
Mr. Armon: The Privacy Rule should ensure ease of communications between health care professionals without adversely impacting the privacy of an individual's PHI. The Privacy Rule permits the health care provider to use or disclose an individual's PHI for purposes of "treatment", "payment" and "health care operations" – each of these terms is explicitly defined in the Privacy Rule. For instance, a patient's primary care physician can share the medical history of the patient's oncologist, or vice-versa, for purposes of treatment. Similarly, a physician or hospital could share an individual's PHI for purposes of obtaining payment from a health plan for services rendered.
By contrast, a doctor cannot disclose an individual's PHI for reasons other than treatment, payment or health care operations without the individual executing an "authorization" that is compliant with the Privacy Rule.
Bruce D. Armon, Esquire can be reached at email@example.com or 1-800-355-7777, x7985. For additional information regarding the Privacy Rule, you may access the U.S. Department of Health and Human Services webpage at www.hhs.gov/ocr/hipaa/.