HIPAA Law
HIPAA - HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
Introduction
The main purposes of HIPAA are to combat waste, fraud, and abuse in health insurance and health care delivery and to simplify the administration of health insurance.
The regulations are aimed at preventing unauthorized use of private medical records, such as transmitting records to research entities or using them to assess an individual’s prospects as a life insurance customer.
The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information, called “protected health information” (PHI), by organizations subject to the Privacy Rule, called “covered entities”. Our TPA clients and all health plans are covered entities. The rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
The Phia Group is a business associate: a person or organization that performs certain activities on behalf of a covered entity that involve the use or disclosure of PHI. The Phia Group must sign a business associate agreement, which sets out how the PHI of a patient is to be protected.
Protected Health Information (PHI)
Protected information includes data that identifies the individual or that reasonably can be used to identify the individual. These identifiers include name, address, birth date, and social security number. There is no restriction on the use or disclosure of de-identified health information, that is, health information from which these identifiers have been removed.
The designated record set is the group of records maintained by or for a covered entity that is used to make decisions about individuals, including a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.
Disclosing PHI
The Privacy Rule permits a covered entity or a business associate to disclose protected health information as necessary for payment services and does not limit to whom such a disclosure may be made. Therefore, a business associate may contact persons other than the individual as necessary to obtain payment for health care services.
However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those members of the workforce who need access to accomplish the intended purpose of the use, disclosure or request.
The minimum necessary requirement is not imposed in any of the following circumstances: a) disclosures to, or a request by, a health care provider for treatment; b) disclosures to the individual who is the subject of the information or to the individual’s personal representative; c) uses or disclosures made pursuant to an authorization.
Among the uses and disclosures a covered entity is permitted to make without an individual’s authorization, the two most relevant here are: 1) to the individual, and 2) for treatment, payment and health care operations.
Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations.
Persons involved in subrogation are generally permitted to release and transmit medical information and records without a specific authorization signed by the individual to whom the records relate, because subrogation of health benefit claims is part of payment. There are exceptions and allowances for subrogating carriers to transmit medical records to third party carriers for purposes of resolving subrogation claims. The Privacy Rule does not require that such a document be notarized or witnessed.
Covered Entities and Business Associates
The HIPAA Privacy Rule requires covered entities (TPAs) to enter into written contracts or other arrangements with business associates (The Phia Group) that protect the privacy of protected health information. Thus, TPAs must have a business associate agreement with The Phia Group. This is necessary because, before a covered entity may disclose PHI to a business associate, it must obtain satisfactory assurances that the business associate will appropriately safeguard the information.
However, covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards, or the extent to which the business associate abides by the privacy requirements of the contract. Nor, under the original Privacy Rule, is the covered entity responsible or liable for the actions of its business associates.
As originally written, the Privacy Rule did not “pass through” its requirements to business associates or otherwise require business associates to comply with the terms of the HIPAA rules; it regulated covered entities, not business associates. For example, covered entities did not need to ask their business associates to agree to appoint a privacy officer or to develop policies and procedures for the use and disclosure of PHI. Note that the HITECH Act of 2009 and the 2013 Omnibus Rule changed this: business associates are now directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, and a covered entity can be liable for the acts of a business associate acting as its agent.
If a covered entity learns of a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible, the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights.
If a covered entity is out of compliance with the Privacy Rule because it failed to take these steps, further disclosures of protected health information to that business associate are not permitted.
Patients’ Access to PHI
With limited exceptions, a covered entity is required to provide an individual access to his or her PHI in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity.
Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information.
If an individual requests access to his or her PHI, the covered entity must act on the request within 30 days; if the information is maintained off site, the covered entity has 60 days to provide it.
If the individual requests a copy of the PHI, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of copying (including the labor and supplies for copying), postage, and, if the individual has agreed to receive one, the cost of preparing an explanation or summary of the PHI.
Parents’ Access to Minor’s Medical Records
The Privacy Rule generally allows parents to have access to the medical records of their children, as their minor child’s personal representative when such access is not inconsistent with State or other law.
Phone Calls
The Privacy Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed. For example, you may want to consider leaving only a name and number and other information necessary to confirm an appointment, or ask the individual to call back.
A covered entity may also leave a message with a family member or other person who answers the phone when the patient is not home. The Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed.
The Privacy Rule does not require covered entities to document information, including oral information, that is used or disclosed for treatment, payment or health care operations.
Security Rule
The final Security Rule under HIPAA does not prescribe specific technology, processes, or a level of encryption. The rule is flexible, allowing each covered entity to determine a scalable solution based on its resources and costs. Each covered entity is required to determine which technical safeguards it should implement to guard against unauthorized access to electronic protected health information. In practice, encryption is the primary technical safeguard for that information both at rest and in transit. The Security Rule lists encryption of electronic PHI as an “addressable” implementation specification: the covered entity must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.
Payment
A covered entity may use and disclose PHI for payment purposes. Payment is a defined term that encompasses the various activities of a health plan to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. The Rules define payment to include billing, claims management, data processing, coordination of benefits, and the adjudication, reimbursement and subrogation of health benefit claims.
Covered entities may perform this payment activity directly or may carry out this function through a third party, under a business associate arrangement. All of our clients use Phia to carry out the subrogation and reimbursement functions of payment as a business associate.
State Law v. Federal Law
State law is “more stringent” than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is “more stringent” than the Privacy Rule.
In general, State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements apply. “Contrary” means that it would be impossible for a covered entity to comply with both the State and the federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of HIPAA.
In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws.
Privacy Violation Penalties
Under the original statute, any person who violates a privacy provision is subject to a civil money penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000. Note that the HITECH Act of 2009 replaced this with a tiered schedule based on the level of culpability, with per-violation penalties of up to $50,000 and an annual cap of $1.5 million per identical provision (amounts since adjusted for inflation).
A person who knowingly, and in violation of HIPAA, (1) uses a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be fined not more than $50,000, imprisoned not more than 1 year, or both.
If the offense is committed under false pretenses, the person shall be fined not more than $100,000, imprisoned not more than 5 years, or both; and if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the person shall be fined not more than $250,000, imprisoned not more than 10 years, or both.