Spring 2003

HIPAA Privacy Standards Update— Office of Civil Rights Guidance

Michael J. McLafferty CPA, MBA, FACMPE
Senior Manager, Healthcare Services

The Office of Civil Rights (OCR) has issued guidance that provides valuable information relative to the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), established by the Department of Health and Human Services (HHS).

This Rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically. By the compliance date of April 14, 2003 (April 14, 2004, for small health plans), covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

The Privacy Rule establishes a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other laws that grant individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.

Most health plans and healthcare providers that are covered by the new Rule must comply with the new requirements by April 14, 2003. The HIPAA Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information. Patients receive the following benefits:

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that healthcare providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed on those who violate patients' privacy rights.
  • It strikes a balance when public responsibility supports disclosure of some forms of data — for example, to protect public health.
  • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
  • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
  • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
  • It empowers individuals to control certain uses and disclosures of their health information.

Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections will continue to apply over and above the new Federal privacy standards.

The Privacy Rule requires the average healthcare provider or health plan to perform the following activities:

  • Notifying patients about their privacy rights and how their data can be used.
  • Adopting and implementing privacy procedures for its practice, hospital or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

The following "covered entities" must adhere to the Privacy Rule:

  • Health plans
  • Healthcare clearinghouses (this includes billing companies)
  • Healthcare providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

These "covered entities" are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.

Most covered entities have until April 14, 2003 to come into compliance with these standards, as modified by the August 2002 final Rule. Small health plans will have an additional year, until April 14, 2004, to come into compliance.

Amper, Politziner & Mattia, LLP has a HIPAA Privacy Program Service (HPPS) available to assist our clients in complying with the Privacy Standards. If you have any questions about this article or would like information about our HPPS, please call Michael McLafferty.

Michael McLafferty CPA, MBA, FACMPE, is a Senior Manager with the Healthcare Services Group at Amper. Mike has 20 years of healthcare experience and provides numerous business services to physician practices, hospitals and ambulatory organizations. You can contact Mike at 732-287-1000, ext. 284.
