THE HIPAA PRIVACY REGULATIONS: IGNORING THE HIPAA IN YOUR LIVING ROOM COULD LEAD TO BIG TROUBLE (Part I of II)
Oregon Lodging Association’s "Lodging News"
January 2003
You’ve heard of it, but you don’t know quite what it is. It has something to do with health care, you think, so you are planning on ignoring it. After all, you run a lodging facility and have better things to do than to find out about this "hippo law." Bad idea! Regulations are in place. Deadlines are approaching. It is time that you learned whether your business will be affected. Even if your business is not directly affected, these new regulations contain some very important and interesting information for you as an individual. Learning more about HIPAA will be well worth your time and effort.
As early as April 14, 2003, your business may be required to come into compliance with the new privacy regulations that have been passed by the federal government under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This article, the first of a two-part series, will introduce you to the general requirements set forth in federal law established to protect the privacy of so-called "personal health information." The second article will address important details related to employee authorization to disclose personal health information, policies to have in place to protect and safeguard this information, the rights of employees to detailed accountings of exactly when, where, and to whom such information was disclosed, and other details necessary to help ensure compliance with the law and to avoid possible civil and criminal penalties. However, given the fact-intensive analysis necessary to determine the applicability of the law to any particular employer, it is up to you to seek the assistance of legal counsel or your health care benefits advisor to best protect your business interests.
By way of background, it is important to understand why these regulations were passed. HIPAA addresses Congressional concerns about the unauthorized sharing and disclosure of what is now known under the regulations as "personal health information." Congress found that many health care providers, insurance companies, pharmaceutical companies, and related businesses would share an individual’s personal health information for various reasons unrelated to the continuing medical treatment of that individual. For example, a doctor’s office might sell patient lists, along with each patient’s medical history, to a pharmaceutical company which would then target its marketing efforts directly to patients depending on their particular ailments. Needless to say, most of us do not like the thought of our personal medical problems being shared with anyone without our consent. Hence, the United States Department of Health and Human Services passed these regulations under the authority of the federal law known as HIPAA.
Now that we understand why the HIPAA privacy regulations were passed, we need to address whether your business needs to comply with the regulations before discussing how to comply. So-called "covered entities" include health care providers, health care clearinghouses, and "health plans." You are probably thinking, "How in the world could my business be considered one of these covered entities?" Well, subject to certain limitations and exceptions, your business may very well be considered a "covered entity" if you provide a health care plan to your employees. In other words, when you arrange for medical insurance for your employees and pay some or all of the premiums for that health insurance, or even if you simply provide some form of reimbursement for medical expenses, your business will meet the extremely broad definition of a "health plan" contained in the regulations.
OK, so what? What does this mean for you? Recall that the HIPAA privacy regulations were enacted primarily to protect personal health information from unauthorized disclosure. As an employer, you very likely obtain personal health information about your employees. The good news is that the regulations contain a big fat exclusion in the definition of "personal health information" for "individually identifiable health information contained in employment records held by a covered entity in its role as employer." Therefore, to the extent that you, as an employer, have information pertaining to an employee’s eligibility for the company health plan and other information necessary to the employee-employer relationship, this information is typically not considered "personal health information" and you will be under no obligation to take the steps required under the regulations to protect that information from unauthorized disclosure. Of course, regardless of whether information in your employer files is considered "personal health information" under HIPAA, prudence dictates that you take concrete steps to preserve the privacy of your employees.
The problems begin when you learn of personal health information for purposes unrelated to an employee’s continuing employment relationship. While there is no clear guidance on this issue, personal health information that an employer obtains in connection with an employee’s claim under the federal and Oregon Family and Medical Leave Acts, the Americans with Disabilities Act, the federal and state versions of the Occupational Safety and Health Act, and other employment laws will likely not be considered part of the "employee records" that are excluded from the definition of "personal health information." Therefore, it is important to understand in general terms what steps you will need to take to protect any such "personal health information" that you obtain from unauthorized disclosure.
One step is that "covered entities" are required to obtain authorization from the "patient" for the disclosure of information for purposes other than treatment, payment or health care operations. This means that if information is passed from your primary care physician to a specialist for purposes of continuing treatment of a particular condition, no prior authorization is needed since the transfer of this information is directly related to your continuing treatment. The same generally follows for billing matters and what are called "health care operations." However, if information needs to be transferred to, say, an insurance company for other than billing purposes, the "covered entity" will need to enter into what is known as a "business associate contract." Both the patient authorization and the business associate contract will need to be in strict compliance with the HIPAA privacy regulations and will be discussed in more detail in the second part of this article.
Another step is that "covered entities" will need to develop policies which show how the entity will protect and safeguard personal health information from unauthorized disclosure. Here, it is important to understand that if a fellow employee learns of certain information, and then communicates that information to another employee or someone outside the business, that disclosure could be determined to have violated a duty to protect this information and could lead to civil and possibly criminal penalties.
Assume your concierge, Donna, has a husband named Joe who has just been diagnosed with cancer. Your office manager knows because Donna is taking time off to care for Joe. The office manager tells your night manager, Gina. You may be at risk if Gina then goes out and tells Joe’s secretary that she is sorry to hear of Joe’s illness, especially if Joe was trying to keep that fact quiet.
Unfortunately, the HIPAA privacy regulations are far too complex and ambiguous for one or two articles to answer all of your questions. The first and most important thing to take away from this article is that, depending upon your situation, you may very well be a "covered entity" even though you do not consider yourself to be in a health care related business. It is critical that you contact your attorney and/or your health care benefits advisor to obtain additional information on this issue. However, whether you are covered or not, nearly all employers will come into possession of "personal health information" at some point in time. Many legal experts are already predicting that the privacy standards contained in the regulations will eventually establish a "standard of care" by which you could be held responsible, perhaps under a negligence theory, if you fail to adequately protect and safeguard this type of information. Therefore, amidst all of the confusion, one thing is clear: you need to take the time to learn more about this issue for the long-term protection of your business interests.