HIPAA compliance: One year later
By John R. Washlick, Esq. Published August 2004
It has been a little over a year since the HIPAA privacy
rules went into effect for most covered entities. Since that time, the HIPAA transaction
and code set regulations, which had their compliance deadline extended for one year,
became effective as of October 16, 2003. However, the deadline was again extended
unofficially until February 2004 for covered entities with an appropriate
"contingency plan" in place. Also, in February 2003, the Department of Health
and Human Services finally released its security regulations under HIPAA, which are
scheduled to be effective April 2005. So, a lot has transpired over the past year, and
this is a good time to evaluate where most covered entities are and what challenges still
lie ahead.
What is evident one year later is that there is still considerable misunderstanding surrounding the operation of the HIPAA privacy rules. Some of the confusion stems from popular myths, such as that a physician's office cannot leave messages to remind a patient of an appointment. Most of the misconceptions, however, can be attributed to the fact that many covered entities simply do not understand the law. Still, much of the frustration experienced by many covered entities is the result of some rather complex interpretations under HIPAA involving, for example, the appropriate use and disclosure of protected health information (PHI) and who is a business associate.

The Office of Civil Rights (OCR) of the Centers for Medicare and Medicaid Services has been quite busy over the past year trying to debunk some of the myths. OCR has issued frequently asked questions (FAQs) on its Web site that offer helpful responses to questions raised by covered entities struggling with compliance. The varied subject matter addressed in these FAQs reflects the continued difficulty covered entities have in grasping even some of the more basic concepts under the HIPAA privacy rules. These include explanations about when providers can make disclosures to family and friends, including discussing payment and treatment arrangements; how providers can disclose PHI for treatment purposes by phone, fax, email or other means; and what type of information can be maintained in a hospital directory. Privacy officers and others involved in carrying out the privacy rules should regularly visit the OCR Web site at www.hhs.gov/ocr/hipaa.

If you do refer to the FAQs, some caution must be exercised in relying on OCR's responses as anything more than guidance and, if followed, as anything more than an indication of a good faith attempt to comply with the law. Keep in mind that the responses may not be considered probative.
It is arguable that a court of law would consider OCR's FAQs "interpretive rules," which are not binding on a court because they are not subject to the notice and comment procedures under federal law. Nevertheless, interpretive rules carry considerable weight with the courts. It is doubtful, however, that the FAQs go through the same internal scrutiny and review process to which interpretive rules are generally subject. On the other hand, while it would be difficult, it would not be impossible for CMS to hold a covered entity in violation of HIPAA for engaging in an activity that is squarely covered by a scenario described in a FAQ.

On the enforcement front, OCR has received thousands of complaints and, by its own account, has investigated and closed more than 40 percent of them. One of the myths surrounding privacy compliance is that covered entities risk heavy-handed enforcement by OCR. Of the complaints cited, many have not been investigated because OCR lacks jurisdiction when the alleged violation does not implicate HIPAA. For example, a number of complaints involve a person's health information being "the talk of the workplace" where the health information was disclosed by the employer, not the covered entity. Enforcement has been, and will remain, event-driven as well as complaint-driven. OCR's enforcement position will continue to concentrate on education and outreach, except in very egregious situations. Of course, a year from now OCR's position will change as HIPAA becomes more fully implemented.

Now that the one-year anniversary has passed, covered entities should perform an internal audit and review of their organization's HIPAA compliance. The processes put in place to comply with HIPAA must not be static and should be flexible enough to accommodate change; therefore, compliance policies, procedures and operations must be reevaluated periodically.
Because of the level of confusion that still seems to exist, additional rounds of organization-wide training and education should be considered.

Covered entities that transmit or maintain "electronic private health care information" (EPHI) must comply with the new security regulations by April 20, 2005. The new security rules are applicable only to those covered entities that transmit or maintain EPHI. This definition is much more limited than PHI, which includes paper and oral information. Thus, a physician who conducts health care transactions in paper form only is not subject to the HIPAA security regulations. However, while the security regulations do not apply to paper and oral information, covered entities are still required to keep such information secure under the "mini-security rule" of the privacy regulations. This rule requires covered entities to "maintain appropriate administrative, technical, and physical safeguards to protect the privacy of PHI."

The security regulations require covered entities to conduct a risk analysis to determine what the organization's vulnerabilities are and to assess any reasonably anticipated threats or hazards to the security or integrity of EPHI that could occur as a result of a security breach. While the April 2005 date may still seem like a long way off, let's not forget how quickly the HIPAA privacy compliance date crept up. So, covered entities need to start now, if they have not already done so, to prepare for the security rules. Many covered entities can take some comfort if they conducted an appropriate gap assessment in connection with complying with the HIPAA privacy rules. They may already have documented many areas that bear on the physical, technical and administrative requirements. The regulations do not prescribe how a covered entity should implement its security measures, but rather adopt a flexible approach.
In determining what security measures to use, a covered entity must take into account its size, complexity and capabilities; its technical infrastructure, including hardware and software capabilities; the costs of the security measures; and the probability and criticality of potential risks to EPHI.

All business associate contracts that comply with the privacy rules should be in place by now. Keep in mind that if a covered entity has engaged a business associate to carry out certain functions on its behalf, the covered entity will not be permitted to share PHI with its business associate unless a business associate agreement has been executed between the parties and complies with the requirements set forth in the regulations. OCR has provided model language for business associate agreements.

The new HIPAA security regulations contain additional provisions that must be incorporated into existing business associate contracts or new contracts with business associates entered into after April 20, 2005. These new provisions are required for all business associate contracts that involve the protection of EPHI. Covered entities that are subject to the security regulations should inventory their business associate arrangements and begin now to modify them to conform to the new rules. New provisions that must be added to business associate contracts covering EPHI include the following:

- The business associate must commit to implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI that it creates, receives, maintains or transmits on behalf of the covered entity.
- The business associate must ensure that any agent, including subcontractors, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect EPHI.
- The business associate must be required to report to the covered entity any "security incident" of which it becomes aware.
"Security incident" is defined broadly to include any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. With regard to these new provisions and PHI in general, physicians should consider reserving the right to monitor the security policies and procedures of their business associates, not just for HIPAA compliance purposes but also to protect their reputations in the event of an unlawful use or disclosure of PHI. Also, physicians might consider barring business associates from using agents or subcontractors without their written consent in order to control who in the chain will have access to the physician's PHI.

So where are we a year later? Progressing. No physician practice should consider its job complete. Privacy compliance should be reviewed and tested; security assessments need to be undertaken to determine what technical, physical and administrative safeguards are appropriate; and training and education should be ongoing.

John R. Washlick, Esq., is a senior member of Cozen O'Connor, where he practices with the firm's Health Law Department.
© 1996-2007, Physician's News Digest, Inc. All rights reserved.