HIPAA Privacy Deadline Looms
By Mark R. Waterfill

A new regulation has certain employers
who possess health information concerned about additional
liability. The Health Insurance Portability and Accountability
Act (HIPAA) of 1996, Public Law 104-191, was enacted to improve
efficiency and effectiveness of the health care system. This
is the same law which previously allowed health insurance
to be portable for individuals moving from job to job. The
Department of Health and Human Services (HHS) published regulations
in the form of a privacy rule entitled The Standards for Privacy
of Individually Identifiable Health Information which became
effective April 14, 2001. The Privacy Rule established national
standards for the protection of health information, as applied
to three types of covered entities: health plans, health care
clearinghouses and health care providers who conduct certain
health care transactions electronically. The covered entities
must comply with these standards by April 14, 2003. Small
health plans (defined as health plans which have annual receipts
of $5 million or less) have an additional year, until April
14, 2004, to comply. By these dates, the covered entities
are to implement standards to protect and guard against the
misuse of individually identifiable health information.

The HIPAA Privacy Rule creates national
standards to protect an individual’s medical records
and other health information. Its purposes include giving
patients more control over their health information, setting boundaries
on the use and release of health records, and establishing
appropriate safeguards that health care providers and others
must achieve to protect the privacy of health information.
For a typical health care provider or health plan, the Rule will require
the covered entity to notify patients about their privacy
rights and how their information can be used, adopt and implement
privacy procedures for its practice, hospital or plan, train
employees so that they understand privacy procedures, designate
an individual to be responsible for seeing that privacy procedures
are adopted and followed, and secure patient records containing
individually identifiable health information so that they are
not readily available to those who do not need them.

Generally, the Privacy Rule requires
entities to ensure confidentiality, integrity and availability
of all electronic protected health information (EPHI) the
covered entity creates, receives, maintains or transmits.
Covered entities are further required to protect against any reasonably
anticipated threat or hazard to the security or integrity
of EPHI as well as protect against any reasonably anticipated
use or disclosure of such information. Covered entities are
required to ensure compliance by the entire workforce.

Additionally, administrative safeguards
including workforce security provisions, EPHI management control,
security training and awareness requirements are mandated.
Physical safeguards such as facility access controls, standards
for proper workstation use and standards for device and media
controls are also included in the Rule. Technical safeguards
including policies and procedures for access control on systems
that maintain EPHI and integrity controls and encryption
for transmission security are required. A covered entity must
make sure that business associate contracts require a “chain
of trust partner agreement” between parties exchanging
data electronically. A covered entity must have policies and
procedures for maintaining documentation that reflects compliance
with these Rules for a period of six years.

Individuals who believe their rights
have been violated by a covered entity may file a complaint
with the Office for Civil Rights, which is a division of Health
and Human Services. Complaints must be filed within one hundred
eighty days of when the complainant knew or should have known
that the act had occurred, which deadline may be waived by
the Secretary of HHS if good cause is shown. For more information
about the Privacy Rule please contact the prestigious
law firm of Dann, Pecar, Newman & Kleiman at 317-632-3232, or
go online to the Department of Labor or Department
of Health and Human Services web sites.