Why All the HOOPLAH About HIPAA? by Maria Rodriguez & Tracy Silver
You have probably heard or read about the various privacy debates taking place in Washington, D.C., and at the state level. Many privacy laws have been passed and we can expect more. Of course, businesses must stay aware of new and changing privacy requirements in order to avoid liability.
In response to growing problems with disclosure of individuals' private health information (“PHI”) and the patchwork of guidelines formerly governing the healthcare industry, the federal government passed the Health Insurance Portability and Accountability Act (“HIPAA” or “the Act”) in 1996. HIPAA required the Department of Health and Human Services (“HHS”), which has jurisdiction over the Act, to create the regulations. In December of 2002, the Secretary of Health and Human Services released final regulations governing the use and disclosure of PHI. PHI (or “Covered Information”) includes medical records and other individually identifiable health information held or disclosed by a Covered Entity in any form, whether communicated electronically, on paper or orally.¹ Multi-layered and complex, the Act requires a keen awareness of relevant issues and mandates a strict (some argue over-burdensome) standard of compliance. HIPAA’s breadth is the subject of heated discussion among lawyers and business people. Confusion exists over who must comply with HIPAA and how. Nevertheless, it is clear that the Act directly affects the healthcare industry and many employers.
By now you are probably asking how HIPAA affects your company. In order to determine the correct answer to this question, you will need to understand whether your business is a Covered Entity or Non-Covered Entity under the Act. An explanation of who is a Covered Entity will follow our discussion of how Non-Covered Entities are affected.
We have yet to truly appreciate the effect of HIPAA’s reach with respect to Non-Covered Entities, or businesses not directly engaged in the healthcare industry. We are certain, however, that a limited number of HIPAA regulations apply to businesses which sponsor a group health insurance plan (“Plan Sponsors”). Therefore, HIPAA reaches nearly all businesses that employ personnel. In short, if your company sponsors an employee healthcare insurance benefit plan or if it receives PHI for any reason at all, your business will be impacted by HIPAA, and you should take measures to comply with the Act. Although employers or Plan Sponsors are not subject to the overwhelming requirements which apply to Covered Entities, a particular goal of HIPAA was to prevent employers from using PHI to make employment decisions. Thus, the legislature intended that employers who are Plan Sponsors be governed by the Act.
Employers are affected by HIPAA in several ways. Plan Sponsors must agree to use and disclose PHI only as allowed or required under the Act. For instance, Plan Sponsors may use PHI only for administrative functions performed on behalf of a group health plan, and as articulated in group health plan documents. Plan Sponsors must also revise group health plan documents to incorporate certain required provisions. Plan Sponsors may be required to distribute a “Notice of Privacy Practices,” which contains specific language. Additionally, HIPAA requires some form of a general release in nearly all cases of PHI disclosure.
Special circumstances will require employers to take additional action. For instance, in certain cases HIPAA requires an employer to obtain a limited employee release authorizing specific disclosures.² Employers who request medical information about an employee to make a determination of eligibility for leave or accommodations under the Family and Medical Leave Act (FMLA), California Family Rights Act (CFRA), Pregnancy Disability Leave Act (PDL) or Americans with Disabilities Act (ADA) will need to take special precautions and secure lawful releases for the disclosure of any applicable PHI. A release for such a disclosure must be signed by the subject employee, and must meet specific standards outlined in the Act, which are meant to ensure that the release of PHI is informed and voluntary.
HIPAA will also undoubtedly be yet another basis for whistleblower claims. We therefore warn you to take every internal complaint about your company's compliance seriously, and we suggest that you train supervisors to properly relay complaints up the company ladder.
Whereas Non-Covered Entities have limited responsibilities under the Act, Covered Entities such as hospitals, medical and dental offices, surgical centers, health and rehabilitation centers and other healthcare providers must satisfy intense requirements.
The following types of businesses are Covered Entities under HIPAA:
HIPAA requires Covered Entities to:
Although HIPAA outlines the standards Covered Entities must meet to guarantee that individuals’ privacy is safeguarded, the details of how Covered Entities must meet these standards are left to the discretion of the Covered Entity. As a result, implementation of the standards is expected to be flexible and scalable, and will take into account the nature of the entity's business, its size and its resources. Most Covered Entities were required to comply with HIPAA by April 14, 2003; however, “Small Health Plans” as defined under the Act will have until April 14, 2004 to comply.
As we touched upon earlier, HIPAA also mandates the circumstances under which Covered Information may be disclosed by both Non-Covered and Covered Entities. Under the Act, Covered Entities may create “De-identified Information,” which is unidentifiable, aggregate information compiled from Covered Information. De-identified Information is not subject to HIPAA. HIPAA sets forth procedures for “de-identifying” information; however, if an entity does not comport with these procedures, PHI will remain subject to the Act.
Pay Attention! Civil and criminal penalties may apply for non-compliance with HIPAA. Violators are subject to civil liability ranging from $100 per incident up to $25,000 per person, per year, per standard. Federal criminal penalties may also apply to entities that knowingly and improperly disclose PHI or obtain it under false pretenses. Criminal penalties range from $50,000 and one year in prison to $250,000 and ten years in prison, depending on the nature and severity of the violation.
If you are impacted by these regulations and have not begun to prepare, begin immediately. If you are unsure as to whether you must comply with HIPAA, consult an attorney for guidance.
Further information about HIPAA may be found at www.hhs.gov.