New federal confidentiality rules

By John R. Washlick, Esq.

Published February 2000

On November 3, 1999, the Department of Health and Human Services (HHS) issued proposed regulations dealing with the confidentiality of medical records electronically transmitted or electronically stored. Consultants are already predicting that the expenses and time necessary to conform with these regulations, when final, will dwarf Y2K compliance efforts. Thus, the health care industry must begin now to brace itself for "Y2K2," the sequel.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, required HHS to issue these regulations if Congress failed to pass national privacy legislation by August 1999 to protect against inappropriate use of individually identifiable health information. The proposed regulations, which are expected to become final as early as March 2000, will have a significant impact on many health care organizations and providers. HHS had asked for public comments regarding its proposed regulations by January 3, 2000, but has since extended this deadline for an additional 45 days to February 17, 2000.

The regulations, when final, will prohibit "covered entities" from using or disclosing "protected health information" without the patient's authorization, except as otherwise permitted by the regulations. Any covered entity that fails to comply with the regulations (or fails to have its business partner comply with the regulations) can face significant civil and criminal penalties, including steep fines and imprisonment.

Covered Entities

As defined in the proposed regulations, "covered entities" include health plans, health care data clearinghouses, and health care providers who transmit health information in electronic form. The definition of each of these entities is broadly interpreted to include many health care organizations and providers. A "health care provider" is defined as anyone who provides certain medical or health services defined under the Social Security Act, and anyone who furnishes, bills or is paid for health care services or supplies in the normal course of business. The term as used in the proposed regulations encompasses all licensed or certified health care practitioners or organizations such as physicians, hospitals, pharmacies, nursing homes, technicians and therapists.

The regulations do not directly cover many of the persons that covered entities hire to perform administrative, legal, accounting and similar services on their behalf. HHS tried to fill this gap by requiring covered entities to apply many of the provisions of the regulations to any "business partner" who aids a covered entity in carrying out the performance of its activities, or acts on behalf of the covered entity.

Under the proposed regulations, a covered entity would be prohibited from disclosing protected health information to a business partner, other than between health care providers for purposes incident to a consultation or referral for treatment, without obtaining from the business partner "satisfactory assurance" that it will appropriately safeguard the information. At a minimum, "satisfactory assurance" requires a written contract between the covered entity and the business partner that must contain certain representations, warranties and covenants on the part of the business partner.

Moreover, the contract required by the regulations must state that the individuals whose protected health information is disclosed under the contract are intended third-party beneficiaries of the contract, and it must authorize the covered entity to terminate the contract if the covered entity determines that the business partner has violated a material term of the contract.

In consequence, although neither HIPAA nor the proposed regulations provides individuals with a private cause of action, individuals, as third-party beneficiaries of the contract between a covered entity and a business partner, may have a separate cause of action under the contract itself for any misuse of protected health information. This means that business partners, while not covered directly by the regulations, will have to take the same security precautions and create administrative safeguards similar to those required of covered entities under the regulations (as discussed below).

Protected Health Information

"Protected health information" is "individually identifiable health information" created by a health care provider, health plan, public health agency, employer, life insurer, school or university or health care clearinghouse that relates to an individual's physical or mental health or condition, as well as the provision or payment of care, and that identifies the individual or creates a reasonable basis to believe the information can be used to identify the individual. The privacy standards of the regulations do not apply to information that does not identify the individual or to information which has been "de-identified."

It is important to note that the regulations cover only protected health information that is electronically transmitted or stored by a covered entity. Thus, any covered entity that maintains a solely paper information system would not be subject to these regulations. However, any paper records that are or have been electronically transmitted and converted back to paper will fall within the scope of these new regulations. Once information has been maintained or transmitted electronically by a covered entity, the protections of the regulations follow the information in whatever form, including paper records, in which it exists while it is held by a covered entity.

Individual Authorization Not Required

The regulations intend to make patient authorization for treatment, payment and health care operation purposes unnecessary. However, some states may continue to require such authorization. In such cases, the Federal regulations would not supersede any state requirements generally, but would impose a new requirement that such state-mandated authorization must be separate from the authorization provisions of the new regulations.

After balancing privacy and other social values, HHS has identified a number of other circumstances that would permit the disclosure and use of protected health information for purposes other than treatment, payment or health care operations, without individual authorization. These permitted circumstances are intended to allow the disclosure of health information to support certain national priority activities, such as reducing health care fraud, improving the quality of treatment through research, law enforcement, public health and responding to emergency situations.

A covered entity may also use protected health information that has been "de-identified" by removing, coding, encrypting, or otherwise eliminating or concealing the information that identifies the individual. Information is presumed not to be individually identifiable (de-identified) if certain information has been removed or otherwise concealed, such as name, address, birth date, names of relatives or employers, telephone and fax numbers, e-mail address, and other identifying numbers, characteristics or codes that the covered entity has reason to believe may be used by an anticipated recipient of the information to identify the individual.

Individual Authorization Required

The proposed regulations identify a number of circumstances that require individual authorization before protected health information may be used or disclosed. The regulations contain different conditions depending on whether the proposed use or disclosure falls within two specific situations. The first situation involves an individual initiating the authorization because he or she wants the covered entity to disclose his or her health information. The second situation pertains to a covered entity asking an individual for authorization to disclose or use information for purposes other than treatment, payment, health care operations or as otherwise discussed above.

In those circumstances in which the regulations require patient authorization before protected health information is disclosed, the regulations' intent is to ensure that an individual's authorization is truly voluntary. For instance, the regulations prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes. In addition, the necessary authorization must clearly and specifically describe the information to be disclosed. If an authorization is sought so that a covered entity may sell, barter, or otherwise exchange the information for purposes other than treatment, payment or health care operations, the covered entity must disclose this fact on the authorization form. Any authorization granted by an individual is revocable. The proposed regulations provide a model authorization form.

Patient Rights

The regulations afford individuals a number of basic rights with respect to their protected health information. First, individuals are permitted to inspect and obtain copies of such information. Second, individuals are entitled to receive written notice of the covered entity's information practices and security safeguards. Third, individuals would have the right to request an amendment or correction of protected health information that is inaccurate or incomplete. Fourth, the notice provided to individuals must also inform each individual that, if he or she has any complaints regarding the use or disclosure of his or her health information, the complaint may be made to either the covered entity or HHS. Finally, upon request, an individual is entitled to information about the actual uses and disclosures of his or her health information.

As already mentioned, one of the shortcomings of the regulations is that they do not create any separate cause of action for any individual who is harmed by the misuse of protected health information by a covered entity. Nevertheless, an individual may be entitled to a separate cause of action under appropriate state laws, or in the case of a business partner arrangement, pursuant to his or her third-party rights under the contract.

Administrative Safeguards

The regulations require all covered entities to develop certain safeguard policies and procedures to comply with the new regulations and to notify their patients of such policies; to educate their workforces on the proper implementation of these programs; and to put in place an administrative structure for dealing with protected health information and monitor such programs to ensure compliance, including designating a privacy official and training and credentialing every employee who handles protected health information.

Covered entities must begin now to develop these safeguards. Most covered entities, including physicians and other health care providers, must be compliant with the new regulations by 2002, twenty-four months after the effective date of the final regulations. Therefore, physicians and other covered entities must begin now to develop the infrastructure for these safeguards.

John R. Washlick, Esq., is a partner with Morgan, Lewis & Bockius in Philadelphia, Pa. He directs the firm's commercial health care practice.


© 2000-2008, Physician's News Digest, Inc. All rights reserved.
