On December 20th, 2000, President Clinton announced sweeping new rules regulating the release and transfer of patient records held by health care providers. Authorized by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these rules were promulgated by the Department of Health and Human Services. The proposed rule was issued in October 1999 and received more than 50,000 comments, divided between privacy advocates, who wanted to make it almost impossible for health care providers to release patient medical information, and health care providers, who felt that the rules would interfere with patient care and would dramatically increase the cost of health care. The split between providers and privacy advocates is exacerbated by the secondary agenda of the privacy advocates, which is to prevent individual rating of insurance by denying insurers information about a patient's medical condition. The final rule announced on December 20th addresses the comments on the proposed rule, but deviates from that rule in one profound way:
"We proposed in the NPRM 
  to apply the requirements of the rule to individually identifiable health information 
  that is or has been electronically transmitted or maintained by a covered entity.  
  The provisions would have applied to the information itself, referred to as 
  protected health information in the rule, and not to the particular records 
  in which the information is contained.  We proposed that once information 
  was maintained or transmitted electronically by a covered entity, the protections 
  would follow the information in whatever form, including paper records, in which 
  it exists while held by a covered entity. The proposal would not have applied 
  to information that was never electronically maintained or transmitted by a 
  covered entity.
In the final rule, we extend the scope of protections to all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted."
Thus the comments were made on a rule that applied to electronic records, but the final rule applies to all records. This raises a significant administrative law question about whether the rule was properly promulgated, or whether it should be resubmitted for comments. The administration justifies this change as a logical extension of the proposed rule, one that only slightly increases the universe of covered records, with some estimates that 90% of records fall into the proposed rule's sweep of records that are transmitted electronically or had their origin in electronic records. This might be the case if current billing records are the only records considered, but the rule includes any medical information held by a designated provider. Even today, the vast bulk of medical information is on paper and is not transferred electronically, except perhaps by fax. When the Office of Inspector General conducts an investigation into the documentation of federally paid medical care, it arrives with a moving van to carry off records because most primary medical documentation is on paper with no electronic counterpart. More critically, hospitals and clinics must keep medical records for periods ranging from a few years to more than 50 years. These records are all on paper or microform, and were untouched by the proposed rule, but are covered by the final rule. Since health care organizations have already asked President-Elect Bush to withdraw the rule, it is expected that the validity of the rule will be challenged in court.
The text of the rule as released runs more than 1500 pages, and will be published in the December 28, 2000 Federal Register. The rule will be analyzed in more detail in later issues of LMP. The following information about the scope of the rule was provided as official commentary on the rule.
COVERED ENTITIES
  As required by HIPAA, the final regulation covers health plans, health care 
  clearinghouses, and those health care providers who conduct certain financial 
  and administrative transactions (e.g., electronic billing and funds transfers) 
  electronically.
INFORMATION PROTECTED
  All medical records and other individually identifiable health information held 
  or disclosed by a covered entity in any form, whether communicated electronically, 
  on paper, or orally, is covered by the final regulation.
COMPONENTS OF THE FINAL RULE
  The rule is the result of the Department's careful consideration of every comment 
  and reflects a balance between accommodating practical uses of individually 
  identifiable health information and rendering maximum privacy protection of 
  that information.
CONSUMER CONTROL OVER HEALTH INFORMATION
  Under this final rule, patients have significant new rights to understand and 
  control how their health information is used.
Patient education on privacy protections
  Providers and health plans are required to give patients a clear written explanation 
  of how they can use, keep, and disclose their health information.
Ensuring patient access to their medical records.
  Patients must be able to see and get copies of their records, and request amendments. 
  In addition, a history of most disclosures must be made accessible to patients.
Receiving patient consent before information is released.
  Patient authorization to disclose information must meet specific requirements. 
  Health care providers who see patients are required to obtain patient consent 
  before sharing their information for treatment, payment, and health care operations 
  purposes. In addition, specific patient consent must be sought and granted for 
  non-routine uses and most non-health care purposes, such as releasing information 
  to financial institutions determining mortgages and other loans or selling mailing 
  lists to interested parties such as life insurers. Patients have the right to 
  request restrictions on the uses and disclosures of their information.
Ensuring that consent is not coerced.
  Providers and health plans generally cannot condition treatment on a patient's 
  agreement to disclose health information for non-routine uses.
Providing recourse if privacy protections are violated.
  People have the right to complain to a covered provider or health plan, or to 
  the Secretary, about violations of the provisions of this rule or the policies 
  and procedures of the covered entity.
BOUNDARIES ON MEDICAL RECORD USE AND RELEASE
  With few exceptions, an individual's health information can be used for health 
  purposes only.
Ensuring that health information is not used for non-health purposes.
  Patient information can be used or disclosed by a health plan, provider or clearinghouse 
  only for purposes of health care treatment, payment and operations. Health information 
  cannot be used for purposes not related to health care - such as use by employers 
  to make personnel decisions, or use by financial institutions - without explicit 
  authorization from the individual.
Providing the minimum amount of information necessary.
  Disclosures of information must be limited to the minimum necessary for the 
  purpose of the disclosure. However, this provision does not apply to the transfer 
  of medical records for purposes of treatment, since physicians, specialists, 
  and other providers need access to the full record to provide best quality care.
Ensuring informed and voluntary consent.
  Non-routine disclosures with patient authorization must meet standards that 
  ensure the authorization is truly informed and voluntary.
ENSURE THE SECURITY OF PERSONAL HEALTH INFORMATION
  The regulation establishes the privacy safeguard standards that covered entities 
  must meet, but it leaves detailed policies and procedures for meeting these 
  standards to the discretion of each covered entity. In this way, implementation 
  of the standards will be flexible and scalable, to account for the nature of 
  each entity's business, and its size and resources. Covered entities must:
Adopt written privacy procedures.
  These must include who has access to protected information, how it will be used 
  within the entity, and when the information would or would not be disclosed 
  to others. They must also take steps to ensure that their business associates 
  protect the privacy of health information.
Train employees and designate a privacy officer.
  Covered entities must provide sufficient training so that their employees understand 
  the new privacy protections procedures, and designate an individual to be responsible 
  for ensuring the procedures are followed.
Establish grievance processes.
  Covered entities must provide a means for patients to make inquiries or complaints 
  regarding the privacy of their records.
ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORDS USE AND RELEASE
  Penalties for covered entities that misuse personal health information are provided 
  in HIPAA.
Civil penalties.
  Health plans, providers and clearinghouses that violate these standards would 
  be subject to civil liability. Civil money penalties are $100 per incident, 
  up to $25,000 per person, per year, per standard.
Federal criminal penalties.
  There would be federal criminal penalties for health plans, providers and clearinghouses 
  that knowingly and improperly disclose information or obtain information under 
  false pretenses. Penalties would be higher for actions designed to generate 
  monetary gain. Criminal penalties are up to $50,000 and one year in prison for 
  obtaining or disclosing protected health information; up to $100,000 and up 
  to five years in prison for obtaining protected health information under "false 
  pretenses"; and up to $250,000 and up to 10 years in prison for obtaining 
  or disclosing protected health information with the intent to sell, transfer 
  or use it for commercial advantage, personal gain or malicious harm.
BALANCING PUBLIC RESPONSIBILITY WITH PRIVACY PROTECTIONS
  After balancing privacy and other social values, HHS is establishing rules that 
  would permit certain existing disclosures of health information without individual 
  authorization for the following national priority activities and for activities 
  that allow the health care system to operate more smoothly. All of these disclosures 
  have been permitted under existing laws and regulations. Within certain guidelines 
  found in the regulation, covered entities may disclose information for:
Oversight of the health care system, including quality assurance activities
Public health
Research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board
Judicial and administrative proceedings
Limited law enforcement activities
Emergency circumstances
For identification of the body of a deceased person, or the cause of death
For facility patient directories
For activities related to national defense and security
The rule permits, but does not require these types of disclosures. If there is no other law requiring that information be disclosed, physicians and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
SPECIAL PROTECTION FOR PSYCHOTHERAPY NOTES
  Psychotherapy notes (used only by a psychotherapist) are held to a higher standard 
  of protection because they are not part of the medical record and never intended 
  to be shared with anyone else. All other health information is considered to 
  be sensitive and treated consistently under this rule.
EQUIVALENT TREATMENT OF PUBLIC AND PRIVATE SECTOR HEALTH PLANS AND PROVIDERS
  The provisions of the final rule generally apply equally to private sector and 
  public sector entities. For example, both private hospitals and government agency 
  medical units must comply with the full range of requirements, such as providing 
  notice, access rights, requiring consent before disclosure for routine uses, 
  establishing contracts with business associates, among others.
CHANGES FROM THE PROPOSED REGULATION
Providing coverage to personal medical records in all forms.
  The proposed regulation had applied only to electronic records and to any paper 
  records that had at some point existed in electronic form. The final regulation 
  extends protection to all types of personal health information created or held 
  by covered entities, including oral communications and paper records that have 
  not existed in electronic form. This creates a privacy system that covers virtually 
  all health information held by hospitals, providers, health plans and health 
  insurers.
Requiring consent for routine disclosures.
  The final rule requires most providers to obtain patient consent for routine 
  disclosure of health records, in addition to requiring special patient authorization 
  for non-routine disclosures. The earlier version had proposed allowing these 
  routine disclosures without advance consent for purposes of treatment, payment 
  and health care operations (such as internal data gathering by a provider or 
  health care plan). However, most individuals commenting on this provision, including 
  many physicians, believed consent for these purposes should be obtained in advance, 
  as is typically done today. The final rule retains the new requirement that 
  patients must also be provided detailed written information on privacy rights 
  and how their information will be used.
Allowing disclosure of the full medical record to providers for purposes of treatment.
  For most disclosures, such as information submitted with bills, covered entities 
  are required to send only the minimum information needed for the purpose of 
  the disclosure. However, for purposes of treatment, providers need to be able 
  to transmit fuller information. The final rule gives providers full discretion 
  in determining what personal health information to include when sending patients' 
  medical records to other providers for treatment purposes.
Protecting against unauthorized use of medical records for employment purposes.
  Companies that sponsor health plans will not be able to access the personal 
  health information held by the plan for employment-related purposes, without 
  authorization from the patient.
COST OF IMPLEMENTATION
  Recognizing the savings and cost potential of standardizing electronic claims 
  processing and protecting privacy and security, the Congress provided in HIPAA 
  1996 that the overall financial impact of the HIPAA regulations reduce costs. 
  As such, the financial assessment of the privacy regulation includes the ten-year 
  $29.9 billion savings HHS projects for the recently released electronic claims 
  regulation and the projected $17.6 billion in costs projected for the privacy 
  regulation. This produces a net savings of approximately $12.3 billion for the 
  health care delivery system while improving the efficiency of health care as 
  well as privacy protection.
PRESERVING EXISTING, STRONG STATE CONFIDENTIALITY LAWS
  Stronger state laws (like those covering mental health, HIV infection, and AIDS 
  information) continue to apply. These confidentiality protections are cumulative; 
  the final rule sets a national "floor" of privacy standards that protect 
  all Americans, but in some states individuals enjoy additional protection. In 
  circumstances where states have decided through law to require certain disclosures 
  of health information for civic purposes, we do not preempt these mandates. 
  The result is to give individuals the benefit of all laws providing confidentiality 
  protection as well as to honor state priorities.
THE NEED FOR FURTHER CONGRESSIONAL ACTION
  HIPAA limits the application of our rule to the covered entities. It does not 
  provide authority for the rule to reach many persons and businesses that work 
  for covered entities or otherwise receive health information from them. So the 
  rule cannot put in place appropriate restrictions on how such recipients of 
  protected health information may use and re-disclose such information. There 
  is no statutory authority for a private right of action for individuals to enforce 
  their privacy rights. We need Congressional action to fill these gaps in patient 
  privacy protections.
IMPLEMENTATION OF THE FINAL REGULATION
  The final regulation will come into full effect in two years. The regulation 
  will be enforced by HHS' Office for Civil Rights, which will provide assistance 
  to providers, plans and health clearinghouses in meeting the requirements of 
  the regulation - including a toll free line to help answer questions: 1-866-OCR-PRIV 
  (1-866-627-7748). The TTY number is 1-866-788-4989. A Web site on the new regulation 
  will also be available at http://www.hhs.gov/ocr.