NATSAP NEWS Special Report
"HIPAA" is coming. Ready?!
D. Eugene Thorne, Ph.D., J.D., Discovery Academy
For some months now, I've been hearing bits and pieces, then choruses, about this new federal mandate for health care providers. It is called the Health Insurance Portability and Accountability Act (HIPAA; see 45 CFR Part 142). Now I'm getting an even greater sense of urgency from these choruses. During a NATSAP Board meeting, I casually alerted our leaders. Alas, they asked that I "write an article" about this new law and how it would impact our member institutions. No big deal, right? Wrong. I have done a lot of searching study and still feel inadequate to provide definitive explanations and instructions.
But, "striving to do my duty," I have now attended several HIPAA training sessions (given by attorneys and various health provider folks). I've read treatises on specific sections of the Act and several summaries from various professional organizations (e.g., APA). I have also read most of the Act itself (over 360 pages single-spaced), some of its early and recent legislative history, as well as the current efforts to revise it. There is now a process under HHS ("Health & Human Services") allowing suggested revisions to be submitted during the NPRM ("Notice of Proposed Rule Making") period, so that, e.g., professionals and health provider organizations (such as NATSAP) can offer suggested changes before the rule is finally put into effect. Frankly, after seeing the complexity of, and the interaction between, this Act and others, I suspect this Act will become a "guaranteed full-employment Act" for attorneys!
As suggested, HIPAA is almost inextricably intertwined with other federal law (e.g., "FERPA": Family Educational Rights and Privacy Act, 20 U.S.C. 1232g, et seq.), state law (e.g., Utah Mental Health Records Practices Act, UCA 58-60-102, et seq.), common law (case holdings; e.g., Tarasoff v. Regents of the University of California, 529 P.2d 553 [1974]), etc.! I am now convinced that even a cursory review of this Act would require of a "covered entity" (i.e., any of our member institutions) a maximally focused seminar lasting a full day or two, given by a "HIPAA expert." And I surely do not yet qualify as such an expert.
So, what is it that I can offer as a NATSAP NEWSLETTER "article" that would at least be helpful to our membership?
Perhaps a few "gems" that might awaken each of you to the importance of getting to know this legislation, and an opportunity for our NATSAP Board to strongly recommend that you avail yourself of information that would help you begin to implement HIPAA's specifics and nuances BEFORE this October 16th! So, here are a few "tastes" of representative requirements and provisions for us "health care providers."
Though the Act actually became "law" on April 14 of this year (2002), it will not be imposed upon health care facilities and health care workers (similarly situated to our membership) until next year, April 14, 2003! Yet each of our member institutions should seriously consider submitting to HHS ("Health & Human Services") by October 16th, 2002 a "compliance plan" that sets out how and when it is going to implement the Act's provisions so as to assure compliance by the '03 deadline. Doing so may even qualify it for yet another one-year extension (April '03 to '04?), especially if it is a small health care provider (like a solo practitioner). HHS might also assist such entities with some of their critical preparations (e.g., forms, interpretations, etc.) so as to be HIPAA-qualified by the 2003 deadline.
Simply put, HIPAA sets the floor of requirements for how health care providers use or disclose "protected health information" ("PHI"), which is likely already protected to some degree from access, use, or disclosure in every state. HIPAA is essentially a privacy act, but it goes much further. For example, it appears we will likely all be doing preemption analyses whenever we consider providing access to, use of, or disclosure of health care information. Such analyses must be exercised individually and accurately (vis-à-vis our unique settings and states). Sometimes state law prevails, sometimes federal. At first blush, the key to preemption analysis seems to be: Does the Act restrict disclosure more, and/or enable more patient access to PHI, than the state law does? If so, then the Act must prevail. And this federal privacy rule provides for no use or disclosure of PHI unless it is permitted (see, e.g., the "Consent" and "Authorization" provisions) by the patient or by certain circumstances enumerated within the Act.
When we receive a request for PHI, here are three general rules of thumb that help with the decision whether to provide or permit access, use or disclosure. First, "If it's okay with the patient, it's okay." But if we deem it harmful to the patient, then great care and caution must be exercised before such access, use or disclosure. Err on the "conservative side." Second, be sure to trace the authority of any and all persons (entities, etc.) requesting access, use or disclosure of PHI, even when the request comes by way of subpoena. Some subpoenas are honored, others are not. Third, "If in doubt, check it out." This is where the "Guaranteed Attorney Employment Act" will likely come into play. Probably, we will all have to "access" attorneys, who should consult with, at the least, our records staff, especially when questionable release or disclosure issues arise.
A greater latitude for use and disclosure of PHI emerges when the request is compatible with "treatment, payment or health care operations" (TPO). One of the revisions urged in the current NPRM (above) is to forego the requirement that "covered entities" (e.g., health care providers) obtain signed patient consent before using or disclosing PHI, even in TPO situations. Exceptions would include emergencies, requests required by law, and instances where the patient might not be able to communicate (see other exceptions, e.g., 45 CFR section 164.506).
HIPAA requires that we provide "privacy notices" to all our patients (i.e., consumers of physical and mental health treatment, etc.). For example, as a "header" for such a notice, we might prominently display: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." The notice would provide examples of the types of uses and disclosures (e.g., TPO), descriptions of other purposes, whether any particular purpose might be prohibited, and, if so, a description of why.
Moreover, the patient (i.e., the "consumer") would be apprised of the fact that, and the manner in which, he/she can give and revoke his/her authorization for such uses and disclosures.
Such "notices" will also require that we explain to the consumer his/her right to request restrictions on certain uses and disclosures (though there are instances where the health care provider might not actually be required to honor certain requested restrictions). Our consumers shall be further informed by said notice of their rights to receive "confidential communications" (otherwise protected), to inspect and copy their PHI, to amend their PHI, and to receive an accounting of disclosures of their PHI.
Along with patient/consumer notices of rights dealing with uses and disclosures of PHI, the patient must also provide written authorization that complies with some rather burdensome HIPAA requirements: "Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section" (45 CFR 164.508). For example, special authorizations are required when it comes to psychotherapy notes.
These are important. Such notes must be kept apart from the rest of the PHI. Without a specific authorization they remain usable only for limited purposes: use by the originating provider in treatment, training purposes (interns/externs, etc.), and defense in legal actions brought by the patient. Our members ought to become conversant with those provisions of this Act (and of state laws, etc.) as they relate to psychotherapy notes vis-à-vis other PHI.
In the Act, "psychotherapy notes means notes recorded ... by a health care provider who is a mental health professional documenting ... contents ... [of a] counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date" (my emphases).
There are scads of other HIPAA provisions that our member institutions need to understand and implement. Space in a newsletter is far too sparse. Ultimately, each of us will need to implement aspects of this law, which will also require that we train relevant staff, install specified and reasonable safeguards, and outline for our consumers their "rights" and the methods for pursuing "grievances," etc. We need to train all members of our workforce regarding the stringent demands of PHI records and information. We should start by identifying our key records-related personnel, and we need to appoint and designate our institution's privacy officer. The "plan" (above) ought to inform HHS (and others) who will take primary responsibility for knowing and assuring compliance with 45 CFR Part 2. Forms for consent and authorization (HHS will provide some), as well as contracts with "business associates," should also be developed.
Much is riding on our quick learning and implementation! This Act provides for monetary penalties for those who are not in compliance or who violate compliance requirements. An organization or individual health provider can be fined "... not more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year." Scarier, criminal fines "... of not more than $50,000 and/or imprisonment of not more than 1 year ..., [and] if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years ...." (my emphases). Hope I got your attention? Good luck!
Helpful references
1. Administrative Simplification (www.aspe.hhs.gov/admnsimp/)
2. Newman, Russ. "Safeguarding Privacy and Confidentiality in the Digital Age," http://www.apa.org/practice/th_2001.speech.html (insert HIPAA in search)
3. "National Standards to Protect the Privacy of Personal Health Information," http://www.hhs.gov/ocr/hipaa