By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
The constant discussions around the impact and operation of the regulations implementing the Health Insurance Portability and Accountability Act, or HIPAA (yes, there are 2 A’s and only 1 P) as it is more commonly referred to, have made it an interesting time to be a healthcare attorney and one focused a lot on the operation of HIPAA. Most of the time, reading articles or social media messages about HIPAA results in my palm smacking my forehead a lot in disbelief. As should be guessed, the numerous mentions of HIPAA result in a lot of misapplication of the law and regulations.
A root of the issue possibly arises from HIPAA being the healthcare equivalent of Miranda Rights in criminal situations. Many people have heard of HIPAA (or Miranda) from popular media and the general context of what it covers. However, accuracy and specifics are glossed over for dramatic effect or lack of time.
Given the nearly constant misunderstanding and misuse (which circumstance is not isolated to the general public), getting back to basics in explaining HIPAA will be helpful. Let the following, then, be a the start of a path to HIPAA understanding, or, at a minimum, a means of establishing general context and knowing when to ask questions. One disclaimer is necessary. The overview will only focus on the privacy and security aspects of HIPAA and not touch on what are actually the bigger parts of the law addressing insurance portability, common electronic transactions, and other pieces impacting operations within the healthcare industry.
Component Rules of HIPAA
When considering privacy and security, there are three sets of rules that drive and cover actions and activities. The rules (listed in the order set out in the regulations) are:
- The Security Rule;
- The Breach Notification Rule; and
- The Privacy Rule.
The name of each set of rules should give a good indication of what is covered by the particular rule. The Security Rule focuses on how to protect information. The Breach Notification Rule establishes what to do when information is compromised. The Privacy Rule explains how information can be used and disclosed along with creating individual rights. A little bit more detail on each rule will be provided later.
Who Does HIPAA Apply To?
HIPAA is a law designed to regulate the healthcare industry. It is not a broad, generally applicable privacy and security law. The hint above that the bigger pieces of HIPAA address insurance coverage and transactions by care delivery organizations help provide that context, which context is often overlooked. Being an industry specific law, HIPAA does not impose obligations or requirements on everyone who might interact or come into contact with healthcare information (we’ll get more specific on the scope of information covered by HIPAA in the next section). So, who must comply with HIPAA? Here is the exclusive list:
- Covered Entities – HIPAA creates three categories of Covered Entities, which are the only entities required to comply with HIPAA.
- Health Plans – Basically this means a health insurance plan, which includes Medicare and Medicaid, along with self-funded plans offered by employers. Health plans do not include other insurance like life insurance though.
- Health Care Clearinghouses – This is the most indistinct and least commonly encountered type of covered entity. A clearinghouse processes or facilitates the processing of data either from a nonstandard format to a standard format or in the other direction.
- Health Care Providers – This category is relatively clear because it covers physicians, hospitals, nursing homes, and really any other person or entity that provides healthcare services. However, there is regulatory nuance because HIPAA also requires the provider to electronically transmit health information in connection with a transaction covered by HIPAA (comes down to submitting electronically for payment). That nuance can be relied upon to arguably exempt certain providers, such as direct primary care, from compliance.
- Business Associates – A Business Associate provides services to a Covered Entity and works with Protected Health Information for or on behalf of the Covered Entity. The interaction with Protected Health Information should connect to the services and not just be incidental. Employees are not business associates.
- Subcontractors – Subcontractors are really business associates of a business associate. HIPAA establishes a downward chain of compliance and application to avoid the scenario of HIPAA falling off the radar just through disassociation with a Covered Entity.
That is the whole list of entities that need to comply with HIPAA. While the scope can become somewhat comprehensive, there are also a number of limitations in application built in. The limitations are emphasized by the ever increasing number of entities that create and interact with healthcare information outside the context of the traditional healthcare system. Additionally, HIPAA does not apply to individuals talking about or interacting with their own health information.
What Information is Covered By HIPAA?
The various requirements of HIPAA apply to Protected Health Information (often abbreviated to PHI. In scope, PHI encompasses identifiable health information about an individual relating to the individual’s past, present, or future physical or mental health, the provision of healthcare services, or payment for healthcare. The definition is quite expansive, but does have certain specific exemptions. PHI does not include information included in (i) education records protected by a different privacy law, (ii) employment records even if by a Covered Entity if in the employment context, or (iii) records of an individual who has been deceased for more than 50 years. PHI is a specific term of art for HIPAA and used throughout the regulations.
The Security Rule
The Security Rule generally establishes how to protect PHI along with policies and procedures to implement. The Security Rule requirements are broken into required and addressable elements. The required elements must be put into place and as contemplated by the Security Rule. The addressable elements are not optional, but instead potentially flexible depending upon the circumstances of each particular entity. Any decision to implement an addressable element in a way that is different from the specific statement in the rules should be documented with an explanation of why a different approach is being taken. Ultimately, the Security Rule is designed to be scalable and able to morph to different size operations.
The Security Rule is composed of three categories of safeguards: (i) Administrative, (ii) Physical, and (iii) Technical. Each category addresses different aspects of operations from the running of systems to control over access to office space to workforce interactions. It is important to understand all of the elements composing each safeguard category to ensure that comprehensive policies and procedures are put into place.
The Breach Notification Rule
The Breach Notification Rule defines what constitutes a breach under HIPAA and then what to do when a breach occurs. Essentially, a breach is a compromise of the privacy or security of PHI that happens as a result an acquisition, access, use, or disclosure. A key component of the rule is that it only applies to unsecure PHI, which goes to strongly encouraging good security practices. If a breach does happen, then the rule explains what details to include in a notification along with who must be notified at what time.
The Privacy Rule
The Privacy Rule broadly sets out how PHI can be used and disclosed along with granting certain rights to individuals. The uses and discloses can be quite comprehensive and, at a baseline, are not intended to interfere with everyday business operations. From that perspective, there are many permitted uses and disclosures that can occur in connection with treatment, payment, and healthcare operations (each a defined term). A deep understanding of the allowed permitted uses and and disclosures demonstrates that a number of seemingly objectionable actions are clearly not problematic.
Beyond the permitted uses and disclosures, there are also instances where uses and disclosure can occur if an individual does not object, provided that the opportunity to object has been offered. There are also a few instances (sale and marketing are the big ones) where an individual must provide consent.
It is essential to remember for all of the discussions about the use and disclosure of PHI, that the requirements only apply if the entity needs to comply with HIPAA. To reiterate, that only means Covered Entities, Business Associates, and Subcontractors of Business Associates.
The various individual rights created by the Privacy Rule are another area to understand. While the rights are not without exceptions or potential objections, benefit can still be derived. The specifics rights are:
- The right to request privacy protection;
- The right of access;
- The right to request an amendment of PHI; and
- The right to request an accounting of disclosures.
First Steps on the Path to Knowledge
The provided summaries are only the tip of the iceberg when it comes to all that HIPAA does. However, every journey must start somewhere. Hopefully, the journey will be continued and more will take the time to better understand exactly what HIPAA does. With understanding comes an appreciation for what the law does.
This article was originally published on The Pulse blog and is republished here with permission.