When handling patient information in the health care industry, many health care providers and entities that perform services for health care providers must comply with federal and state privacy laws aimed at protecting patient information.
Benkoff Health Law advises clients as to the applicability of HIPAA, 42 CFR Part 2 and state patient privacy laws and provides policies, forms, agreements, analyses and advice pertaining to compliance with these laws. Benkoff Health Law does not represent patients or patient advocates with regard to HIPAA, 42 CFR Part 2 or other patient privacy law matters.
What is HIPAA?
The Health Insurance Portability and Accountability Act (“HIPAA”) was passed by Congress in 1996 and addressed many topics related to healthcare. However, HIPAA is most often referenced with respect to its privacy and security requirements that address protection of patients’ individually identifiable health information. In addition, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) created the “meaningful use” incentive program and also resulted in the promulgation of additional HIPAA regulations pertaining to privacy, security, and breach notification.
The HIPAA Privacy Rule includes national standards for protecting certain patient health information, referred to as “protected health information” or “PHI.” The Privacy Rule addresses limitations on the use and disclosure of PHI by certain individuals and entities within the health care industry and balances protecting the privacy of PHI while permitting important uses of PHI to promote high quality health care. The Privacy Rule also requires certain safeguards to protect the privacy of PHI and provides patients with certain rights regarding their PHI, such as the right to access their health records and request corrections to such records.
The HIPAA Security Rule creates national standards to protect electronic PHI (“ePHI”) and requires various administrative, physical and technical safeguards to protect the security, integrity and confidentiality of ePHI. A goal of the Security Rule is to protect ePHI while allowing covered entities to adopt new technologies to improve patient care. The Security Rule also requires covered entities to perform risk analyses to periodically evaluate the effectiveness of their security measures and also requires that they address any identified risks.
The HIPAA Breach Notification Rule requires covered entities to provide notification in the event of a breach of unsecured PHI. The determination of whether a breach, as defined under HIPAA, has occurred is paramount and there exist certain exceptions to the definition of a “breach” under HIPAA. The nature of the breach is determinative with respect to whether the covered entity must provide media notice in addition to both individual notice to the affected patients and notice to the Secretary of the U.S. Department of Health and Human Services (“HHS”).
HIPAA pertains to a broad range of health care providers as well as other individuals and entities in the health care industry. If HIPAA is implicated, those who are required to comply with HIPAA must undertake various activities and address numerous issues in order to comply with the law. For example, covered entities will need to implement policies and procedures to address HIPAA compliance, appoint a privacy officer and security officer, provide notice of privacy practices to patients, and develop and utilize various HIPAA-compliant forms and agreements. Further, covered entities and business associates often require ongoing advice pertaining to HIPAA compliance and issues that may arise and implicate HIPAA. Benkoff Health Law has extensive experience in drafting documents required to comply with HIPAA, assisting in HIPAA training efforts, providing ongoing advice regarding HIPAA compliance, and advising clients regarding potential HIPAA breaches and notifications. In addition, Benkoff Health Law regularly structures arrangements between health care providers and others in the health care industry (e.g., online platform and website developers) to ensure that such arrangements comply with HIPAA.
The HIPAA Privacy and Security Rules apply to “covered entities.” Covered entities, under HIPAA, include health plans (e.g., Medicare, Medicaid, HMOs, etc.), health care clearinghouses (e.g., billing services), and health care providers who electronically transmit health information in connection with “standard transactions” (as defined under HIPAA). Thus, not all health care providers are subject to the HIPAA Privacy and Security Rules.
In addition to covered entities, “business associates” are also required to comply with the HIPAA Privacy and Security Rules. In general, business associates include persons and entities (other than members of the covered entity’s workforce) that perform certain functions or activities on behalf of, or to, a covered entity. Examples of business associate services include, without limitation, claims processing, data analysis, utilization review, billing, legal, actuarial, and accounting services. However, not all entities that perform services on behalf of covered entities are considered business associates for purposes of HIPAA. The Privacy Rule mandates that a covered entity and business associate have in place a business associate agreement that meets various HIPAA requirements.
Benkoff Health Law is highly experienced in analyzing our clients’ business relationships to determine whether HIPAA applies and structuring arrangements to comply with HIPAA. Further, Benkoff Health Law regularly drafts HIPAA-compliant policies, procedures, forms, notices of privacy practices, business associate agreements and similar documents, and Benkoff Health Law provides ongoing HIPAA-compliance advice and analyses to meet our clients’ business and legal needs.
HIPAA protects PHI, which includes individually identifiable health information that is held or transmitted by covered entities or business associates in any form or media (e.g., electronically, via paper, or orally). PHI does not include employment records or records subject to the Family Educational Rights and Privacy Act (FERPA). In addition, PHI does not include health information that has been “de-identified” in compliance with HIPAA’s regulations so that it neither identifies nor provides a reasonable basis to identify an individual.
Benkoff Health Law regularly advises clients as to whether the information involved in a health care arrangement constitutes PHI that is subject to HIPAA.
HHS’ Office for Civil Rights (“OCR”) is responsible for enforcing HIPAA’s Privacy and Security Rules and investigating complaints filed with it. With respect to possible criminal violations of HIPAA, OCR works in conjunction with, and sometimes refers cases to, the Department of Justice. Violators of HIPAA may be subject to civil money penalties, criminal fines, and/or exclusion from the Medicare program.
The Confidentiality of Substance Abuse Disorder Patient Records regulations, set forth in 42 CFR Part 2, protect, and prevent access to, patient records created by federally assisted substance abuse disorder (“SUD”) treatment programs. SUD is a defined term under 42 CFR Part 2, and includes cognitive, behavioral, and physiological symptoms indicating that an individual continues using a substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal, but does not include tobacco or caffeine use. 42 CFR Part 2 is limited in scope as it applies only to certain programs that treat SUD and receive federal assistance, as such terms are defined within 42 CFR Part 2.
42 CFR Part 2 was designed to protect SUD patient records so that patients would not be deterred from seeking SUD treatment. For that reason, 42 CFR Part 2 contains more restrictions with regard to the disclosure of patient records than HIPAA and general state privacy laws. For example, 42 CFR Part 2 is more restrictive with respect to SUD treatment programs’ ability to disclose patient information without consent for purposes that would otherwise be permitted under HIPAA.
The Substance Abuse and Mental Health Services Administration (“SAMHSA”) along with U.S. Attorneys General are responsible for receiving reports of violations of 42 CFR Part 2 regulations. Violators of 42 CFR Part 2 may face criminal fines.
Benkoff Health Law has substantial expertise in advising health care providers who treat patients with substance abuse disorders as to whether their operations meet the definitional requirements that subject them to 42 CFR Part 2. In addition, Benkoff Health Law regularly drafts documents required to comply with 42 CFR Part 2 such as policies, procedures, forms and agreements, and provides clients with ongoing advice regarding 42 CFR Part 2 compliance.
States generally have patient privacy laws pertaining to health care professionals that prohibit those professionals from disclosing or using patient information under certain circumstances and that provide patients with certain rights pertaining to their health information and records. Some state laws are similar to HIPAA and others differ from HIPAA. State laws vary and can be more or less restrictive than HIPAA and 42 CFR Part 2.
In addition, state patient privacy laws may apply to a broader array of health care professionals than HIPAA applies to. State patient privacy laws often cast a wider net than HIPAA and may focus on certain areas such as mental health records.
The penalties for violating state patient privacy laws also vary and may include fines and penalties, jail time, and loss of professional licensure. We recommend that a state patient privacy law analysis be conducted for any arrangement that involves health care professionals relative to patient information.
Benkoff Health Law successfully advises clients with respect to state patient privacy laws and the interplay between those laws and HIPAA and 42 CFR Part 2.