Preliminary Analysis of HIPAA Privacy Regulations: Information Privacy and Processes

JOHN CHRISTIANSEN

Stoel Rives LLP

E-mail: jrchristiansen@stoel.com

January 2, 2001


I.  Overview

On December 28, 2000 the U.S. Department of Health and Human Services (“DHHS”) officially published the long-awaited Final Rule on the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) in the Federal Register.[1] The Privacy Rule is one of several DHHS is required to publish under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For most organizations the Privacy Rule will probably be the most difficult and complex HIPAA rule to implement, and certainly poses the most liability risks.

A truly meaningful analysis of what it means to comply with the Privacy Rule will have to await publication of the companion Final Rule on the HIPAA Security Standard, which is anticipated sometime in January or February 2001, though there is currently no official publication date.[2] It is nonetheless possible to make a preliminary analysis of the implications of the Privacy Rule, which contains some significant changes from the draft version.

The general rule is that those required to comply with the HIPAA regulations must do so two years after the date a rule is published. Compliance with the Privacy Rule will therefore be mandatory as of December 28, 2002. Two years is not much time for the health care sector to figure out the implications of the new rules, re-engineer processes and procedures and revise forms of documentation appropriately.

This memo is a very preliminary, very sketchy review of only some of the salient points of the Privacy Rule. I assume the reader is already somewhat familiar with HIPAA’s basic terms and principles. I will publish more detailed analyses and develop or contribute to materials which may be of more substantial use to some organizations over the next several months. In particular, I anticipate:

·        The publication of a second, updated edition of Electronic Health Information: Privacy and Security Compliance Under HIPAA (American Health Lawyers Association 2000) (“Electronic Health Information”).

·        The publication of a comprehensive template business associate agreement, including comments, a matrix mapping provisions to legal requirements and alternative drafting suggestions, in the HealthKey program (information available at http://www.healthkey.org ).

·        The publication of the Washington State Health Information Management Association’s (WSHIMA) updated Release of Information Manual.

I will also continue to be involved in the quarterly Washington State HIPAA Readiness Forum (information available at http://www.chita.org), the Washington State Society of Healthcare Attorneys (WSSHA) Practical HIPAA Compliance series (information available at http://www.wssha.org), and the Oregon Medical Association HIPAA Forum. I anticipate presenting at other appropriate conferences or events as opportunities arise. Please feel free to contact me (e-mail or phone is fine) if you would like me to keep you informed, or have any questions or comments.

II.  General Comments

Whatever your feelings about the practicality or legitimacy of any given element of the Privacy Rule, it is a remarkable piece of work, and in many ways a great improvement on the draft rule. DHHS received tens of thousands of comments on the draft, the Preamble is nearly fifteen hundred pages long, and the operative portions of the Privacy Rule occupy over one hundred fifty pages. The final Privacy Rule makes substantial changes to the draft which reflect considerable thought about many of the comments, though it would not have been possible to respond to all.

From my point of view the most fundamental change has been the clarification of individual rights in information, and processes for their protection as the fundamental organizing principles for compliance with the rule. Health care is too large and complex a sector to be successfully regulated by any “one size fits all” prescription. This is especially true for rules controlling the protection of information, since information about individual health care needs, treatments, outcomes and payments, and secondary data derived from such information is necessary to many, many legitimate and beneficial activities.

Perhaps inevitably, then, a rule which is intended to protect individual rights in such information can only work by defining the scope of those rights, and the general processes and procedures organizations must implement to protect them. In the final analysis, if an organization (and its officers) diligently takes these elements into account in establishing its privacy protection processes, they should face minimal or no liability if protected information is nonetheless improperly used or disclosed.[3]

A.  Patient Consent and the Triumph of Privacy over Confidentiality.

The drafters of the Privacy Rule faced a problematic, if not necessarily articulated, choice between confidentiality and privacy as alternative approaches to the protection of information. These are different but related concepts, and the choice of one over the other leads to important practical consequences.

“Confidentiality” is an obligation to protect information from disclosure which arises from a relationship between parties, the literally classic example in health care being the physician’s obligation of confidentiality arising from the professional relationship to the patient. In practical terms, the election to rely on this principle in the draft privacy rule meant that patient consent was not considered necessary for the use or disclosure of information by and among health care providers.[4] As seen below, this has changed in the final rule.

“Privacy,” by contrast, is (in this context) an individual’s right to control the disclosure of information. The right to privacy and remedies for its violation are problematic in American law, but a consensus seems to be emerging which recognizes such a right based upon (1) published notice of information collection, use and disclosure practices to affected individuals by organizations, (2) some degree of individual choice whether or not to participate in activities in which information is gathered about them, and (3) civil liability to individuals, and in some cases penal liability for failure to comply with published notices. These are sometimes called “fair information practices,”[5] and while the details may vary and some methods of implementation may be controversial, they are becoming the norm in the European Union, and in the financial and e-commerce sectors. This is also the primary orientation of the final rule.

The adoption of a more “privacy”-oriented position is probably more significant to health care providers than health plans or other Covered Entities, which did not benefit from a presumption of confidentiality in the draft rule. Perhaps in part because the issue was forced with respect to providers, the Privacy Rule clarified requirements for all Covered Entities. These include the following processes and their associated documentation:

·        The publication of notices of privacy and information use and disclosure practices. This requirement was also present in the draft rule.

·        The individual’s written, informed consent prior to the use or disclosure of information for treatment, payment or health care operations, which may be required as a condition to treatment or enrollment in a health plan. This is perhaps the biggest change from the draft rule, which did not require consent for such purposes.

·        The individual’s written, specifically informed authorization for almost any other use or disclosure, which may not be made a condition to treatment, payment, health plan enrollment or eligibility for benefits, and (excepting only consent to participation in research involving treatment of the individual) may not be included with the consent which may be required as a condition to such activities. This standard is consistent with, though more stringent than, the draft rule.

·        The organization’s limited entitlement to provide promotional information to individuals, complemented by the individual’s right to “opt out” of such contacts. This is a clarification which should be helpful under many circumstances; a strict reading of the draft rule would have led to a blanket prohibition on many kinds of communications which have legitimate value, as well as blatantly exploitative uses.

·        The individual’s right to see, copy and seek amendment of information, which is fundamentally consistent with the processes proposed in the draft rule.

As in the draft rule, consent is not required for disclosures required by law, for a variety of public health and health oversight purposes, and the like. Likewise, properly anonymized information is not subject to the rule.

Compliance with these requirements will mean reviewing and revising patient and enrollee intake and relations procedures, and formalized management of more documentation. Presumably, as in other sectors a failure to comply with published privacy notices will expose organizations to civil liability.[6] It will be very desirable to develop standardized forms for consents and authorizations, both to minimize costs and to avoid liability arising from an organization’s deviation from a norm ascertained by comparison of its practices to those of its peers by DHHS or a court after the fact.

B.  Protected Health Information: The Rule Swallows the Exceptions.

One unanswered question under HIPAA is the precise scope of DHHS’ authority to regulate organizational practices regarding information. The statute itself speaks generally of “individually identifiable health information” as the protected category. In the draft privacy and security regulations DHHS took a perhaps conservative view: that, given HIPAA’s purpose of promoting electronic transactions, DHHS should elect to regulate only individually identifiable health information which was “in or derived from” electronic forms (a category called “Protected Health Information”).[7] The regulations could also be read to indicate that under some conditions health care providers could avoid the regulation of certain categories of individually identifiable health information in their records systems (electronic or otherwise) by maintaining separate systems for claims processing (subject to HIPAA) and other applications (not subject to HIPAA).[8]

In the final Privacy Rule DHHS abandoned the conservative approach and elected a definition of “Protected Health Information” as individually identifiable health information “transmitted or maintained” in any medium. The definition is structured to permit this expanded definition to be struck down without affecting a narrower definition of Protected Health Information consistent with the conservative draft definition, anticipating a possible court ruling that this regulatory extension exceeded DHHS authority.

The processes required for HIPAA compliance therefore now cover all records transmission and maintenance functions of Covered Entities. This is generally the simpler, more prudent approach anyway, given the practical difficulties of maintaining more than one standard across multiple records.[9] It nonetheless is likely to prove controversial and difficult to swallow for some organizations, and will require perhaps costly analyses of and revisions to document flows in all work environments, not just electronic systems.

C.  Covered Entities: Regulatory Recognition of Organizational Complexity.

The health care sector is characterized by a bewildering array of entities which receive, create, use, disclose, analyze and manage Protected Health Information in many, many ways. Some organizations bundle almost all health care operations under a single umbrella; others outsource to truly independent companies, or to “captive” affiliates formed to manage liability and operational competence within a larger enterprise. Ownership and control of any given organization is impossible to determine a priori, and the sector is subject to mergers, acquisitions, divestitures and alliances for real or imagined advantage.[10]

The draft privacy regulations did not really address this issue, instead simply identifying “Covered Entities” according to highly generalized functions as health care providers, plans or clearinghouses.[11] Other kinds of organizations providing services to Covered Entities were brought under the rule indirectly, by definition as “business partners” to which Covered Entities could only disclose protected information subject to a “business partner contract.”

The problem with this approach is that it confuses function with corporate form. For example, health care delivered at a hospital may include diagnostic and treatment services from a number of health care providers (physicians, nurses, laboratories), financing from one or more health plans, and many ancillary services from a variety of sources. All of these may depend upon the disclosure or use of some form of Protected Health Information, and these services may be delivered by one or two corporate entities (as in a staff model HMO), or perhaps more typically are provided by several different specialized entities.

If each separate entity performing a covered function were required to comply separately with the Privacy Rule with respect to each individual, patients as well as entities would face a blizzard of redundant paperwork. The final rule deals with this kind of problem by taking a more functional approach, and allowing organizations to establish unified processes and procedures which better suit their needs. It also clarifies that organizations can segregate functions, and avoid having to comply with the Privacy Rule in all activities just because one component performs a function which causes the organization to meet the definition of “Covered Entity.”

1.  Parsing the Enterprise: “Organized Health Care Arrangements,” “Common Ownership or Control,” “Hybrid Entities” and “Covered Functions.”

The Privacy Rule makes the following functional distinctions among Covered Entities:

·        The rule recognizes “Organized Health Care Arrangements,” which can be either (1) a “clinically integrated care setting in which individuals typically receive health care from more than one health care provider,” or (2) an arrangement including one or more Covered Entities which “hold themselves out to the public as participating in a joint arrangement” to provide various health care services and includes various health care-related activities.

Organized Health Care Arrangements can adopt “joint consents” and publish “joint notices” of their privacy practices. This might be a particularly useful category for HMOs, hospitals and complex clinical settings. Unless affiliated at the corporate level (see below), participants would still need to have Business Associate Contracts in place.

·        Alternatively, legally separate but affiliated Covered Entities may designate themselves as a single Covered Entity for purposes of Protected Health Information use and disclosure. In order to fit this category the participants must be either under common ownership (possession of an ownership or equity interest of over five percent) or common control (the “power, directly or indirectly, significantly to influence the actions or policies of another entity”).

Such a designation would permit, for example, the disclosure or use of Protected Health Information among many components of a complex health care delivery and financing enterprise without multiple consents and Business Associate Contracts.[12] Presumably in many cases such affiliated entities might also qualify as participants in an Organized Health Care Arrangement.

·        On the other hand, the rule establishes the category of “Hybrid Entity,” which is “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” The Privacy Rule information use and disclosure requirements apply only to the “Health Care Components” of the Hybrid Entity, and the provisions which apply depend upon whether the “components” are performing the functions of health care provider, health plan or health care clearinghouse.

These distinctions may be helpful in developing integrated compliance strategies for health care enterprises. They will not be simple to apply, and will require detailed analysis of corporate structures and relationships in health care enterprises. For some organizations, such analysis might suggest some beneficial form of reorganization. 

2.  Business Associates.

The “Business Partners” of the draft rule have become “Business Associates” in the final rule. The final version clarifies that a Business Associate relationship exists not only when a Covered Entity discloses Protected Health Information to another entity to conduct activities on its behalf, but also when it allows such an entity to “create or receive” Protected Health Information for it. As in the draft rule, Covered Entities in a relationship with a Business Associate must obtain “satisfactory assurance” the associate will properly protect the information, in the form of a “Business Associate Contract.”[13]

DHHS has made two major improvements over the draft regulation with respect to Business Associate Contracts. The controversial “third party beneficiary provision” requirement, which would have allowed subject individuals to sue parties to the contract if it was breached, has been dropped.[14] Likewise, instead of a requirement that all Protected Health Information be “returned or destroyed” by a business partner upon termination of the contract, a requirement which would probably have been unworkable or impractical under many circumstances,[15] a Business Associate may be permitted to retain such information if destruction or return “is not feasible.” If information is retained, the protections of the contract and limitations on uses and disclosures of the information must continue.

Otherwise, the Business Associate provisions in the final rule are consistent with the business partner provisions of the draft rule. Business Associate Contracts are required for all situations where Protected Health Information is disclosed for use on behalf of, or is created or received on behalf of a Covered Entity, excepting only:

·        Disclosures concerning health care treatment made to a health care provider. This is a different standard from that of the draft rule, which allowed such disclosures without a contract for “consultation or referral” purposes,[16] and is probably easier to interpret (since it uses a term defined under the rule) and somewhat broader. The Privacy Rule also specifies that an “indirect treatment relationship” exists when a health care provider provides diagnosis or testing-related services with respect to an individual based on the orders of and reporting to another provider, suggesting that Business Associate Contracts should not be needed for routine laboratory testing, etc.

·        Disclosures of “summary health information” from a group health plan, health insurance issuer or HMO with respect to a group health plan, to the “plan sponsor” upon request for purposes of obtaining bids or modifying, amending or terminating the group health plan. However, plan sponsors are required to have equivalent provisions in their plan documents (see Employers, Health Plans and Benefits Administration, below.)

·        Disclosures by health plans which are governmental programs providing public benefits to other agencies which determine eligibility or enrollment in the health plan.

3.  Employers, Health Plans and Benefits Administration.

One of the more useful clarifications in the final rule concerns the relationships among health plans, employers and benefits administration. Employers as health benefits purchasers have legitimate needs to review information relevant to that function.[17]

The Privacy Rule provides that an employer or other “plan sponsor” is entitled to receive “summary health information” from group health plans, to assist in purchasing decisions and to perform limited “Plan Administration Functions.” “Summary health information” is claims history, type and expense information, and may include Protected Health Information which has been substantially anonymized.[18] Prior to making such a disclosure, the group health plan is required to confirm that the plan documents provide for satisfactory protection of information.[19]

III. Conclusion.

The final Privacy Rule contains many other clearly evident, and some subtle but important changes from the draft version. It will take time and analysis to draw many of these out. This memo has only scratched the surface, and should only be used as a very general introduction to the directions analysis should take.



[1] The Privacy Rule had been unofficially published on-line several days earlier, but the publication date for all legal purposes is the Federal Register publication date.

[2] Due to the complexity of the issues involved, DHHS has been unable to meet the schedule for publication of the various rules required by HIPAA. This does not affect their legal applicability, except as it affects the dates for compliance with the various rules. A draft version of the Privacy Rule was published November 3, 1999, and a draft version of the Security Standard was published August 12, 1998.

[3] See Electronic Health Information at 40 – 42.

[4] See Electronic Health Information at 19 – 21, 48 – 50.

[5] See Electronic Health Information at 59 – 64.

[6] See Electronic Health Information at 42 – 45.

[7] DHHS comments indicated a belief that regulatory authority was broader than that, but the operative portions of the rules followed the more conservative approach. See Electronic Health Information at 11 – 12.

[8] See Electronic Health Information at 19 – 20.

[9] See Electronic Health Information at 20 – 21.

[10] I analyzed some of the problems of regulating privacy and other information-based liabilities in this environment in Christiansen, “When Networks Collide: Managing the Risks Arising from the Interaction of Healthcare and Information Systems,” 11 The Health Lawyer 10 (October 1998).

[11] In other words, the draft regulation essentially followed the statutory definitions as stated.

[12] The drafting of such a consent, which like all consents must be in “plain language,” is likely to be something of an art.

[13] The final security rule is likely to include the “chain of trust agreement” requirement stated in the draft security rule, though it is possible terminology will be harmonized so that this too will be called a “business associate contract.” Whatever the nomenclature, it is possible and likely to often be more practical to combine the two, as in the HealthKey project referred to above.

[14] See Electronic Health Information at 43 – 44.

[15] See Christiansen, “Business Partner Contracts and Chain of Trust Agreements Under HIPAA: Aiming for Consistency,” Oregon Health Law (Summer 2000) at 3.

[16] See Electronic Health Information at 25.

[17] Employers may also obtain health information about employees from physicians employed for workplace medical monitoring purposes, under appropriate disclosures.

[18] Anonymized claims information which identifies types of claim may under some conditions allow for the identification of the individual in question, as when an employer is aware of an employee’s absence and some of the reasons for it. This kind of information would not be considered adequately anonymized under any other conditions.

[19] The terms required in the plan documents are substantially the same as those required in the Business Associate Contract. The group health plan may “confirm” compliance by certification from the employer.