HIPAA Privacy Rules: The Future Impact for Physicians?
By Michael J. Schoppmann, Esq.
Controversial standards, mandated by the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) and adopted by the U.S. Department of Health and Human Services (“HHS”) are now applicable to individually identifiable health information created or received by a covered entity (including health care providers who transmit claims electronically). They define the circumstances in which an entity may use and disclose covered health information; establish individual rights with respect to the information; and require covered entities to adopt safeguards to protect the confidentiality of the information, with civil and criminal penalties for noncompliance.
In announcing that HHS will immediately begin the process of implementing the patient privacy rule, Secretary Thompson promised that HHS would seek to keep in mind the more than 24,000 comments received as it also continues to “make sure patients receive the highest quality care and begin the process of issuing guidelines on how this rule should be implemented.” Thompson says such guidelines will allow clarification of some of the confusion regarding the impact the rule might have on health care delivery and access and that HHS will consider necessary modifications to ensure that quality of care does not suffer inadvertently from the rule. As we await the issuance of these guidelines, the core rule does provide insight into the likely impact upon physicians nationwide.
By design, the guidelines or modifications will seek to ensure that: doctors and hospitals will have access to necessary medical information about a patient they are treating and will be able to consult with other physicians and specialists regarding a patient’s care; patient care till be delivered in a timely and efficient manner and not be unduly hampered by the confusing requirements surrounding consent forms; and parents will have access to information about the health and well-being of their children, including information about mental health, substance abuse or abortion.
By function, the regulations will forever change the concept of control in the realm of medical information. The virtual fiefdom physicians have enjoyed over medical records has been forcibly extinguished as HIPAA empowers patients to an unprecedented level and dictates the imposition of strict standards in an arena heretofore virtually unregulated by the federal government.
In so doing, the standards do not preempt more stringent state laws. Most states have worked toward designing rules establishing uniform health care enrollment and claim forms and requiring that information and materials obtained or used for the administration of health care transactions by health care payers, providers, their agents and vendors, comply with privacy requirements. Now that the federal rules are final, most—if not all—states will most probably seek to revisit the privacy provisions of any present or proposed rules.
In practical terms, the proposed standards prohibit a “covered entity” from using or disclosing “individually identifiable health information” without an individual’s consent, except as expressly permitted in the regulations. “Covered entities” are defined as health care providers (physicians, hospitals, nursing homes, clinical laboratories, DME suppliers and pharmacies), health plans, health care clearinghouses and their “business partners.” A “business partner” is anyone who receives protected information in order to carry out and assist with specific activities, including attorneys, accountants/consultants, third party administrators and data processing/billing firms.
In meeting the rigorous privacy standards of HIPAA, physicians must develop and implement a “HIPAA Privacy Compliance Plan.” Such a “compliance plan,” while not a mirror version of the compliance plan envisioned by the Office of Inspector General— pertaining to Fraud and Abuse— carries striking similarities, including:
- Designating a “privacy officer” responsible for the development and implementation of privacy protection policies and procedures;
- Safeguarding and limiting access to protected health information;
- Training staff on privacy rules;
- Establishing sanctions for staff who break the rules;
- Maintaining a log of disclosures
- Adopting a complaint process that identifies a contact person for complaints;
- Developing procedures to permit individuals to inspect, copy and/or amend their own records; furnishing patients with notice of privacy practices and patient rights; and
- Executing or revising contracts with business partners to obtain assurance of their compliance with the regulations.
As the specifics of the HHS guidelines are awaited, an unquestionable, and perhaps primary, impact for every practicing physician will be the increased intrusion of the federal government. No longer will physicians handle issues concerning medical records with little or no review. No longer will the absence of standards be a refuge for those who encounter issues or experience disputes relevant to medical records. HIPAA not only creates a new arena for federal review, it mandates investigations for compliance and dictates prosecution for physicians deemed to be in violation.
To ensure physicians are compelled to meet the rigors of the HIPAA privacy standards, the Secretary of HHS has been granted the authority to impose civil monetary penalties against covered entities in the amount of $100 per person per violation – up to $25,000.00 per person, per calendar year for each standard that is violated. Moreover, HIPAA provides for the imposition of criminal penalties ranging from penalties for “simple disclosure” of a maximum fine of $50,000 and/or one year imprisonment, through a maximum fine of $100,00 and/or five years imprisonment for “disclosure under false pretenses” to a maximum fine of $25,000 and/or 10 years imprisonment for “disclosure with intent to sell or use.”
An immediate impact for every physician is that he or she must closely monitor the actual implementation of the HIPAA privacy regulation. Changes in office policies, the creation of new forms of documentation and monitoring of ongoing compliance must now become the routine instead of the exception. Toward that end, once the “guidelines” for the HIPAA Privacy Rules, as promised by HHS Secretary Thompson, are actually provided, additional information will be distributed through The Bulletin.