COMPLEX PRIVACY REGULATIONS HAVE FAR REACHING IMPACT

By: Andrew B. Wachler and Phyllis A. Avery
Wachler & Associates, P.C.
Royal Oak, Michigan

In December, the Department of Health and Human Services ("HHS") issued final privacy regulations that will dramatically change the way health care information is handled. 65 Fed. Reg. 82462 (Dec. 28, 2000). Ironically, the lengthy, highly complex, and intrusive regulations are the result of a larger mandate in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") aimed at "administrative simplification." The privacy regulations are anything but simple. Compliance with the regulations is likely to result in greater inefficiencies and higher costs, not to mention the potential detrimental impact on vital health care research. Such impacts must be weighed against the personal privacy interests protected by the rule.

The final privacy regulations are the second set of regulations to be finalized in connection with HIPAA's administrative simplification mandate. In August, HHS published a final rule setting forth standards for electronic transactions involving health care information. 65 Fed. Reg. 50312 (Aug. 17, 2000). Regulations addressing HIPAA enforcement, including enforcement of the final privacy rule, will be published in the future. Additional final regulations involving, for example, detailed security standards for the electronic transmission of health care information are expected in the near future.

Protecting Individual Privacy

The goal of the privacy regulations is to protect individuals' right to privacy in matters involving their health care. As the preamble to the final rule claims, the need for privacy protection stems from the rapid growth in the electronic exchange of information and recent advances in scientific technology.
In an era where the widespread dissemination of information can occur almost instantaneously and advances in genetic research may allow for accurate predictions of an individual's future medical conditions, there is concern that an individual's right to privacy is at risk. HHS explains that individuals are concerned that health information accessed by employers and insurers will be used against them. There is also a concern that individuals' private health care information is being sold to entities interested in direct marketing of health care and other products. Individuals also fear that information concerning certain stigmatized conditions, such as AIDS and mental illness, will not be kept private.

These concerns are noted to have an additional detrimental effect. Individuals worried about the privacy of their health care information may withhold important information from their health care providers that is necessary for their care.

HHS explains that the privacy regulations seek to balance the need to protect privacy against the societal benefits to be gained by the free flow of information. The preamble to the final privacy rule explains the importance of the electronic transmission of health information in providing effective care and conducting vital research. It also describes how enhanced communications are instrumental in the efficient processing of claims and the detection of fraud and abuse.

While the Secretary declares that the final privacy regulations find this balance, others disagree. In testimony presented to the Senate Committee on Health, Education, Labor and Pensions on February 8, 2001, Dr. G. Richard Smith, on behalf of the Association of American Medical Colleges, detailed serious problems created by the final rule. Dr. Smith explained the negative impact the privacy rule, as crafted, will have on epidemiological, health services and public health research, as well as studies involving the effectiveness and safety of drugs and devices.
While recognizing the need for balance between individual privacy and societal good, Dr. Smith succinctly states that the privacy rule simply "fails" to find the right balance. Echoing Dr. Smith's concerns, John Houston, on behalf of the American Hospital Association, also testified to the failure of the final rule to create a workable uniform privacy standard that balances privacy with the delivery of high-quality health care.

Complexity of the Rule and Compliance Deadlines

HIPAA required HHS to submit recommendations for national privacy standards to Congress with the intent that Congress would pass privacy standards within three years of HIPAA's 1996 enactment. HHS submitted recommendations in September 1997, but Congress was never able to agree upon privacy standards. Foreseeing this possibility, HIPAA provided that if privacy standards were not enacted by August 1999, HHS was required to promulgate final regulations no later than February 2000. HHS published proposed privacy regulations in November 1999. 64 Fed. Reg. 59918 (Nov. 3, 1999). In response to the proposed privacy rule, interested parties submitted nearly 52,000 comments. 65 Fed. Reg. at 82566. This final rule and prefatory remarks, which take up nearly 400 pages in the Federal Register, respond to those comments and make numerous changes to the proposed rule, many of which are significant.

HHS recognizes that the standards it has created are highly complex. It justifies the level of complexity as necessitated by the complexity of the health care marketplace. In the preamble, HHS explains that the effort to balance personal privacy interests and public interests in a workable health care system creates this level of complexity. HHS believes that since current health care information practices are complex, it was better to create a complex rule reflecting those practices than a simpler rule that could disturb important information flows. 65 Fed. Reg. at 82472.
While some may criticize HHS's efforts, it should be remembered that Congress had three years to enact national privacy standards, and could not get it done.

Due in part to the complexity of the final privacy rule, most covered entities are not required to comply with the requirements for two years. Small health plans have an additional year to come into compliance with the regulations. 45 CFR §164.534. Due to a technical omission in the publication of the final rule, the rule's effective date has been moved to April 14, 2001. As a result, the compliance dates also changed. For most covered entities, the compliance date is now April 14, 2003. Small health plans have until April 14, 2004 to comply. While two years may seem like a good deal of time, many are already saying that it will be difficult, if not impossible, to come into compliance by the deadline.

As a result of the technical omission, the final rule has been opened for comments. Comments may be submitted until March 30, 2001. Due to the controversial and far reaching nature of the privacy rule, attorneys may want to work with their clients to submit comments regarding aspects of the rule that prove most troubling. Comments can be mailed or hand delivered to: U.S. Department of Health and Human Services, Attention: Privacy I, Room 801, Hubert Humphrey Building, 200 Independence Ave., S.W., Washington, DC 20201. Electronic comments can be submitted at: http://aspe.hhs.gov/admnsimp/. Telefax and email comments will not be accepted. It is possible that the comments could result in some changes to the final rule. There is also the possibility that the effective date and the compliance dates could be changed again.

The following discussion provides a "big picture" view of the privacy regulation and seeks to act as an introductory guide for health care attorneys who will have to contend with this monster regulation. It does not address all aspects and nuances of this extremely lengthy and complex rule.
Health care attorneys may have to counsel clients on what health information can be disclosed, to whom it can be disclosed, and under what circumstances it may be disclosed. They will also have to contend with the privacy rule's many requirements regarding notices, consents, and authorizations, business associate contracts, privacy policies and procedures, mandatory workforce training, accounting of disclosures, complaints, compliance reports, and compliance reviews. The result may be a nightmare or a dream, depending on your point of view.

Rule Prohibits Use and Disclosure of Protected Information

The focal point of the privacy rule is the general prohibition on the dissemination of health care information pertaining to individuals. Unless a conveyance of health care information is permitted under the privacy rule, it is prohibited. Specifically, the privacy rule states that "[a] covered entity may not use or disclose protected health information except as permitted or required" by the rule. 45 CFR §164.502. In order to analyze the rule, one must first examine the key terms of the prohibition.

Covered Entities

The prohibition applies to "covered entities." The rule defines covered entities to include health plans, health care clearinghouses, and health care providers who transmit certain health information electronically. 45 CFR §160.103. Health care providers who transmit electronically any of the following information are "covered entities": health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premiums, referral certification and authorization, first report of injury, and health claims attachments. 42 CFR §160.103. Thus, health care providers who submit only paper copy claim forms and do not transmit any of the other noted information electronically are not covered by the rule.
Do note that the rule provides that a health care provider cannot avoid the rule simply by hiring an outsider to transmit the information electronically. 65 Fed. Reg. at 82477.

The rule defines "health plans" as an individual or group plan that provides or pays for the cost of medical care. 42 CFR §160.103. Under the rule, health plans include, for example, most group plans, health insurance issuers, HMOs, Medicare, Medicaid, employee welfare benefit plans, and CHAMPUS. The rule also specifies that health plans do not encompass workers' compensation programs, automobile insurance carriers, and other property and casualty carriers. 65 Fed. Reg. at 82479. As a result, these programs which do not qualify as "health plans" are not required to comply with the privacy rule. 65 Fed. Reg. at 82576.

A "health care clearinghouse," as defined in the final rule, means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that performs either of the following functions: (a) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or (b) receives a standard transaction from another entity and processes or facilitates the processing of information into nonstandard format or nonstandard data elements for a receiving entity. 45 CFR §160.103. In order to be considered a health care clearinghouse, the covered entity must perform the clearinghouse function on health information that it receives from another entity. Therefore, a department or component of a health plan or health care provider is not considered a clearinghouse unless it performs these functions for another covered entity. 65 Fed. Reg. at 82477.
A "health care provider," as defined in the final rule, means a provider of services, a provider of medical or other health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. 45 CFR §160.103. Thus, a health care provider under the privacy rule includes suppliers such as durable medical equipment companies.

Use and Disclosure

The rule prohibits "use" and "disclosure" of protected health information. In layman's terms, health information is "used" when it is shared within the entity that holds the information and "disclosed" when it is shared outside the entity. The definition of "use" in the rule states that it is the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within the entity that maintains the information. "Disclosure" is defined as the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. 45 CFR §164.501.

Protected Health Information

"Protected health information" is defined as "individually identifiable health information" that is transmitted electronically, maintained electronically, or transmitted or maintained in any other form or medium. 45 CFR §164.501. In so defining protected health information, the final rule greatly expands upon the proposed rule, which was limited to information transmitted electronically. By including all forms of transmission or maintenance of information, the final rule includes information that has never been stored or transmitted electronically. It includes not only paper records but oral statements as well. Thus, a physician's conversation with another physician about a patient constitutes protected health information. The preamble reflects the expectation that this expansion of authority may result in legal challenges.
It states that should a court disagree and find that the rule is limited to information that has been transmitted electronically, the rule has been structured in such a way as to accommodate the limitation. 65 Fed. Reg. at 82496.

In order to qualify as protected health information, the health information must be individually identifiable. "Individually identifiable health information" is health information, including demographic information, which identifies or reasonably can be used to identify the individual and relates to: (1) the past, present or future physical, mental health, or condition of a person; (2) the provision of health care to the individual; or (3) the past, present or future payment for the provision of health care. 45 CFR §164.501.

Notably, health information that has been "de-identified" is no longer subject to the privacy rules. 45 CFR §164.502(d)(2); 45 CFR §164.514(a); 65 Fed. Reg. at 82499. Information is considered de-identified if it meets one of the following requirements: (1) a person with appropriate statistical and scientific expertise determines and documents that the risk of identification is very small; or (2) the covered entity removes all of a list of enumerated identifiers (such as name, dates, geographic designations, phone/fax numbers, email, etc.). 45 CFR §164.514(b).

Privacy Rights of the Individual

The final rule gives individuals a great many rights that are designed to allow them to understand and control how their health information is used and disclosed. These rights include the right to request a restriction on uses and disclosures. Covered entities are not obligated to honor that request. If they do, however, they are obligated to adhere to it. 45 CFR §164.522(a). The individual is also provided the right to request confidential communications.
An individual can request that communication of protected health information be made by alternative means, such as sending correspondence to the individual's office instead of the individual's home. Covered entities must accommodate reasonable requests. 45 CFR §164.522(b).

With limited exception, individuals have the right to inspect and obtain a copy of their own protected health information. Individuals do not have the right to access psychotherapy notes. Nor can they access information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding. In order to avoid conflict with the Clinical Laboratory Improvement Amendments ("CLIA"), individuals cannot access clinical laboratory information subject to or exempt from CLIA. There are certain circumstances set forth in the final rule under which a covered entity may deny access to protected health information and the individual has no right to review of this denial. In other instances, an individual can seek to have a denial of access reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official. The covered entity must comply with the determination of the reviewing official. 45 CFR §164.524.

Subject to certain exceptions, an individual has a right to amend protected health information about themselves. A covered entity can deny the person's request for amendment for reasons set forth in the rule, including that the protected health information is accurate and complete. If the covered entity denies the request, it must do so in a writing which advises the individual of the right to file a complaint with the Secretary. 45 CFR §164.526.

In what may be one of the more onerous mandates of the final rule, individuals are granted the right to receive an accounting of all disclosures made by the covered entity in the previous six years.
The accounting does not have to include disclosures related to treatment, payment, or health care operations as these terms are defined below in the discussion pertaining to consents. Nor must the accounting include disclosures to the individual, for the facility directory, to persons involved in the individual's care, for national security or intelligence purposes, to correctional institutions or law enforcement officials, or that occurred prior to the rule's compliance date. 45 CFR §164.528.

Privacy Notice

The privacy rule requires that covered entities provide a "notice" to individuals that is written in plain language. The rule requires that each notice contain a header with specific language stating that the notice describes how medical information about the individual may be used and disclosed and how the individual can gain access to the information. The notice must contain additional detailed information. For example, it must set forth the uses and disclosures of protected health information that may be made. It must provide descriptions of the individual's rights and the covered entity's duties with respect to protected health information. Among other requirements, the notice must advise individuals of their right to file a complaint. 45 CFR §164.520(a) and (b).

Revisions to the notice must be made promptly and distributed whenever there is a material change in the entity's privacy practices. The material change may not be implemented, except where required by law, prior to the effective date of the revised notice. 45 CFR §164.520(b)(3). In addition, the privacy notice may not be combined in a single document with a consent as described below. 45 CFR §164.506(b)(3). Nonetheless, a privacy notice may be combined in a single document with an authorization. 45 CFR §164.508(f). Covered entities must retain a copy of all notices issued to individuals to demonstrate compliance. 45 CFR §164.520(e).
Consents and Authorizations

Separate and apart from the notice requirement, covered entities will need to obtain consents and authorizations from individuals to use and disclose protected health information. While the terms "consent" and "authorization" are often thought of synonymously, in the privacy rule these terms differ substantially. 65 Fed. Reg. at 82509. In general, a covered health care provider must obtain a "consent" from the individual to use and disclose protected health information for purposes of treatment, payment and health care operations. 45 CFR §164.502(a)(1); 45 CFR §164.506. For the most part, other covered entities are not required to obtain a consent to use or disclose protected health information to carry out treatment, payment, or health care operations. 65 Fed. Reg. at 82498. All covered entities, however, must obtain an "authorization" from the individual in order to use and disclose protected health information for other purposes. 45 CFR §164.502(a)(1); 45 CFR §164.508. Thus, a "consent" and an "authorization" will not overlap. The requirement to obtain a consent applies in different circumstances than the requirement to obtain an authorization. 65 Fed. Reg. at 82509.

Prior to using protected health information for treatment, payment or health care operations, a covered health care provider must obtain a written consent from the individual. 45 CFR §164.506(a)(1). Pursuant to the privacy rule, a covered health care provider may condition treatment on the provision by the individual of a consent. 45 CFR §164.506(b). There are circumstances set forth in the rule under which a covered health care provider does not need prior consent to use or disclose protected health information. For example, providers can treat a person in an emergency situation without obtaining a prior written consent, but are required to attempt to obtain the consent as soon as reasonably practicable thereafter. 45 CFR §164.506(a)(3).
In addition, providers who do not have a direct treatment relationship with the individual are not required to obtain a consent. An indirect treatment relationship exists when a health care provider delivers health care to an individual based on the orders of another provider and the health care provider typically provides services or products, or diagnostic reports or results, directly to another provider, who then provides the services, products or reports to the patient. 45 CFR §164.501.

As noted, consents are required when protected health information is used for "treatment." Treatment is defined in the final rule as the "provision, coordination, or management of health care and related services by one or more health care providers, including the coordination and management of health care by a health care provider with a third party." Treatment also includes consultations among health care providers or referrals of patients from one health care provider to another for health care. 45 CFR §164.501.

Consents are also required when protected health information is used for "payment." The final rule defines payment as activities by a health plan to obtain premiums or to determine or fulfill obligations for coverage and the provision of benefits. Payment also includes activities by either a provider or a health plan to obtain or provide reimbursement for the provision of health care. Specific examples set forth in the rule include, among others, determinations of eligibility or coverage, risk adjusting amounts due, billing, claims management, collection activities, medical necessity reviews and utilization review activities. 45 CFR §164.501.

Finally, consents are required when protected health information is used for "health care operations."
Health care operations include any of the following activities: quality assessment and improvement activities; competence and performance reviews, training, accreditation, certification, licensing, credentialing or other related activities; underwriting and other insurance related activities; medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities. 45 CFR §164.501.

The consent form itself may be written in general terms, but must inform the patient that protected health information may be used for treatment, payment, or health care operations. It must also advise that the patient has the right to review the privacy notice prior to signing the consent. The consent must state that the entity has reserved the right to change its privacy practice, if applicable. It must indicate that the patient has the right to request a restriction on the use of protected health information, but that the covered entity is not required to honor the request. If the covered entity agrees to the request, the request is binding on the covered entity. The consent must state that the person has a right to revoke the consent in writing, except to the extent that action has been taken in reliance on the consent. 45 CFR §164.506(c); 65 Fed. Reg. at 82509.

In order to use and disclose protected health information for purposes other than treatment, payment or health care operations, a covered entity must obtain an "authorization." 45 CFR §164.508(a)(1). An authorization must be written in more specific terms than a consent. 65 Fed. Reg. at 82510. A covered entity may not condition treatment, payment, enrollment in a health plan, or eligibility for benefits upon an individual signing an authorization, with certain exceptions. 45 CFR §164.508(a)(4).
An individual is permitted to revoke an authorization at any time, provided it is in writing, except to the extent that the authorization was relied on or was a condition of obtaining insurance coverage. 45 CFR §164.508(a)(5). Authorizations are required for marketing, fundraising, pre-enrollment underwriting, employment determinations, and disclosure of psychotherapy notes.

In order to be valid, the authorization must have, at a minimum, all the core elements set forth in the rule. The core elements include, but are not limited to, the following: (1) a description of information to be used or disclosed; (2) identification of who is authorized to make the requested use or disclosure; (3) identification of who the authorized use or disclosure will be made to; (4) the date or event upon which the authorization will expire; (5) a statement of the right to revoke the authorization in writing and exceptions to that right; and (6) a statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the rule. 45 CFR §164.508(c). Additional elements are required for authorizations that are requested by the covered entity for its own uses and disclosures, that are requested by the covered entity for disclosure by others, and that are created by the covered entity for research that includes treatment. 45 CFR §164.506(d) - (f). Unlike the proposed rule, the final rule does not include a model authorization, although further guidance is promised prior to the compliance deadline. 65 Fed. Reg. at 82517-82518.

"Minimum Necessary" Requirement

When a covered entity is using, disclosing or requesting protected health information from another covered entity, the covered entity must undertake "reasonable efforts" to limit the amount of protected health information it uses, discloses or requests to the minimum necessary to accomplish the purpose for which the use, disclosure or request is made. 45 CFR §164.502(b)(1). However, the "minimum necessary" requirement does not apply to uses or disclosures by a health care provider for treatment. It also does not apply to uses or disclosures to the individual to whom the information relates. Nor does it apply to disclosures to HHS in its enforcement and compliance activities, or to uses or disclosures required by law. 45 CFR §164.502(b)(2).

Personal Representatives

The rule provides that covered entities should treat personal representatives as the individual for the purpose of the privacy rule. 45 CFR §164.502(g). There are exceptions involving unemancipated minors and victims of violence. For example, the covered entity may elect not to treat a person as a personal representative if the entity has a reasonable belief that the patient has been or may be subjected to abuse, domestic violence or neglect by the person, or that treating the person as a personal representative could endanger the patient. The covered entity may also elect not to treat a person as the personal representative if, in the exercise of professional judgment, it is not in the best interest of the patient. 45 CFR §164.502(g)(5).

Covered Entities Must Assure That Business Associates Safeguard Health Information

Under the rule, a covered entity may disclose protected health information to a "business associate" and allow that business associate to create and receive protected health information on its behalf only after the covered entity receives "satisfactory assurance" that the business associate will safeguard the information. 45 CFR §164.502(e)(1). As reflected below, business associates include lawyers providing legal services to covered entities. A person may be a "business associate" of a covered entity under either of two circumstances.
First, a person is a business associate if the person, on behalf of a covered entity (or on behalf of an organized health care arrangement in which a covered entity participates), performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information. These functions and activities include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing. 45 CFR §160.103. The key is determining whether the person is acting "on behalf of" the covered entity. An example set forth in the preamble highlights this fact. It explains that when a health care provider discloses protected health information to a health plan for payment purposes, no business associate relationship is established. Although the provider may have an agreement with the plan to accept discounted fees for services provided to plan members, neither entity is acting on behalf of or providing service to the other. 65 Fed. Reg. at 82476.

Second, a person is a business associate of a covered entity if the person provides (other than in the capacity of a member of the workforce of such covered entity) legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity (or to or for an organized health care arrangement in which the covered entity participates), where the provision of the services involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. 45 CFR §160.103. Thus, health care attorneys who receive individually identifiable health information from their clients are business associates under the privacy rules.
As stated above, a covered entity may only disclose protected health information to a business associate once it receives "satisfactory assurance" that the business associate will safeguard the information. The rule requires that covered entities must document these satisfactory assurances "through a written contract or other written agreement or arrangement" with the business associate. 45 CFR §164.502(e)(2). The agreement must contain certain elements, which include, among others, the required uses and disclosures of protected health information and permissible other uses as allowed in the rule. The agreement must contain certain other requirements relating to safeguards, use of agents, patient rights, record keeping and the disposition of protected health information. 45 CFR §164.504(e)(2). The agreement must also provide for the termination of the contract if the covered entity determines that the business associate has violated a material term of the contract. 45 CFR §164.504(e)(2). In general, the agreement must require the business associate to maintain the confidentiality of the protected health information it receives from the covered entity and disclose the information only for the purposes for which it was provided. 65 Fed. Reg. at 82507.

If a covered entity that is also a business associate violates its obligations under its business associate agreement, it is directly liable for the violation. 45 CFR §164.502(e)(1)(iii). Otherwise, if a business associate violates the privacy rules, the violation may be attributable to the covered entity on whose behalf the business associate is acting or to whom the business associate is providing services. The final rule relaxes the responsibilities of covered entities somewhat regarding violations committed by the covered entity's business associates. The covered entity is only subject to sanctions if it knew of the wrongful activity and fails to take action to address it. 45 CFR §164.504(e)(1)(ii); 65 Fed. Reg. at 82505. The rule reduces the amount of monitoring activities the covered entity must undertake with its business partners and requires the covered entity to take reasonable steps to cure a breach or terminate the contract only if it knows of a material violation. The covered entity will be deemed to have knowledge of the violation if it has substantial and credible evidence of a violation. 45 CFR §164.504(e)(1)(ii); 65 Fed. Reg. at 82505.

The final rule also removed the provision which required that a business associate contract expressly make individuals whose protected health information is being disclosed third party beneficiaries to the agreement. The removal of this provision from the rule eliminates the private right of action that would have existed under the proposed rule. 65 Fed. Reg. at 82506.

Preemption of State Law

According to the final rule, all State laws that are contrary to the rule are preempted unless one of four (4) conditions is met. 45 CFR §160.203. Under the first condition, a State law is not preempted if HHS determines that the state law: is necessary to prevent fraud and abuse, to regulate insurance or health plans, is for reporting health care delivery or costs, or is serving a compelling need related to health, safety and welfare; or has as its principal purpose the regulation of controlled substances. 45 CFR §160.203(a). Second, a State law is not preempted if the State law is more stringent than the privacy rules. 45 CFR §160.203(b). Third, a State law is not preempted if it provides for the reporting of disease, injury, child abuse, birth, or death. It is not preempted if it provides for the conduct of public health surveillance, investigation, or intervention. 45 CFR §160.203(c). Finally, a State law is not preempted if it requires a health plan to report, or provide access to, information for management or financial audits, program monitoring and evaluation, or the licensure or certification of people or facilities. 45 CFR §160.203(d).

The advisory opinion process relating to preemption issues originally set forth in the proposed rule has been eliminated in the final rule. 65 FR 82481. A State may request an exception to prevent preemption of State law. 45 CFR §160.204(a). Until HHS makes a determination with respect to a request for an exception, the provisions of the privacy rule remain in effect. 45 CFR §160.204(b). If HHS determines that a state law should not be preempted, the exception shall remain in effect until: (1) either the Federal or State requirements are materially changed such that the grounds for the exception no longer exist; or (2) HHS revokes the exception. 45 CFR §160.205.

Other Federal Laws

While uniform national privacy standards may not have existed before publication of the final privacy rule, many Federal laws include privacy elements. Where other Federal laws relate to areas designated in the privacy rule, the covered entity still must comply with those laws. 65 Fed. Reg. at 82481. Obviously, situations may arise where these other Federal laws conflict with the privacy rules. The drafters of the final rule suggest that the implied repeal analysis used by courts should be applied when Federal regulations may conflict. This analysis would require first attempting to construe the regulations to give each effect. Next, express language should be looked for in the later regulation to determine if it was intended to repeal the earlier regulation. If this does not resolve the matter, the more specific Federal regulation would apply. 65 Fed. Reg. at 82481. It is unclear from the preamble who HHS expects will perform this analysis and with what authority.

Compliance and Enforcement

Covered entities are required to appoint a "privacy official" who is responsible for the development and implementation of privacy policies and procedures of the covered entity.
Covered entities are also required to designated a contact person or office who is responsible for receiving complaints and who will respond to inquiries about matters contained in the privacy notice. 45 CFR §164.530(a)(1). The final rule requires covered entities to provide and document privacy training of its workforce (including unpaid volunteers). Privacy training must educate the workforce regarding the covered entity's policies and procedures relating to protected health information. 45 CFR §164.530(b)(1). The covered entity must also have in place appropriate administrative, technical and physical safeguards for the protection of protected health information. 45 CFR §164.530(c). The final rule sets forth that HHS will attempt to seek the cooperation of covered entities in achieving compliance with the rules. In furtherance of that goal, HHS may provide technical assistance to help covered entities come into compliance. 45 CFR §160.304. The covered entity must submit records and compliance reports as deemed necessary by HHS to allow the Secretary to determine whether the covered entity is in compliance with the rule. 45 CFR §160.310. In a change from the proposed rule, any person may file a complaint with HHS alleging non-compliance. 45 CFR §160.306(a). Under the proposed rule only the person who was the subject of the individually identifiable health information would have been permitted to file a compliant. 65 Fed. Reg. at 82487. A complaint must be filed in writing, which includes electronic filing, no later than 180 days after the complainant "knew or should have known" of the occurrence of an act or omission in violation of the rule. 45 CFR §160.306(b). The covered entity must have in place a procedure for receiving complaints, documenting complaints, and sanctions for non-compliance. 45 CFR §164.530(d)-(e). 
While individuals are granted the right to file a complaint, neither HIPAA nor the privacy rule creates a private right of action to sue for violation of the privacy standards. 65 Fed. Reg. at 82566. The preamble does indicate that HHS believes that individuals should have a private right of action for actual damages and equitable relief. 65 Fed. Reg. at 82605. If the covered entity is being investigated or is subject to a compliance review, the covered entity must cooperate with HHS and provide access to information. 45 CFR §160.310. If a complaint investigation or compliance review indicates that a covered entity is not in compliance, the covered entity is entitled to notice in writing and HHS will first attempt to resolve the matter through informal means. If the matter cannot be resolve through informal means, HHS may issue written findings documenting non-compliance. 45 CFR §160.312(a). Enforcement and Penalties The Secretary has selected the DHHS Office of Civil Rights (OCR) to enforce the regulations. OCR will be responsible for working with covered entities to secure voluntary compliance through the provision of technical guidance, responding to questions and providing interpretations and guidance, responding to Sate requests for preemption exceptions, investigating complaints and conducting compliance review, and referral for criminal prosecutions. 65 Fed. Reg. at 82472. Rules relating to enforcement will be released a future date. The enforcement regulations will address the imposition of civil monetary penalties and the referral for criminal prosecutions where there has been a violation of the privacy rule. 65 Fed. Reg. at 82487. In the meantime, reference to the statutory penalty provisions reflects that HIPAA imposes both civil and criminal penalties for violation of the statute. Civil monetary penalties of not more than $100 per person per violation may be imposed. 
Civil monetary penalties of up to $25,000 per person per violation of an identical requirement or prohibition may be imposed in a calendar year. 65 Fed. Reg. at 82470. The preamble to the regulations comments that HHS believes the penalties are too small. HHS has urged Congress to adopt more stringent penalties legislatively. 65 Fed. Reg. at 82605. HIPAA does set forth that civil monetary penalties may not be imposed if a person did not know, and by exercising reasonable diligence would not have know, that there was a violation. Further, HIPAA provides that no penalty may be imposed if the failure to comply was due to a reasonable cause, was not the result of willful neglect, and the failure is corrected within 30 days of the date the person knew, or by exercising reasonable diligence would have know, that the failure to comply had occurred. Criminal penalties may be imposed if any person obtains or discloses individually identifiable health information in violation of HIPAA. A fine of not more than $50,000 and/or imprisonment of not more than 1 year can be imposed on violators. If the offense is under "false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years may be imposed. Finally, if the offense is with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years may result. 65 Fed. Reg. at 82470. The Cost of Compliance The underlying rationale behind the administrative simplification provisions of HIPAA was to facilitate efficiencies and cost savings for the health care industry made possible by the increasing utilization of electronic technology. The potential efficiencies and costs savings are tempered by the implementation of national privacy standards. 65 Fed. Reg. at 82469, 82474. 
Indeed, critics are claiming that the Secretary has greatly underestimated the cost of compliance with these privacy rules. Depending on the degree of underestimation, costs spent on privacy and security protections may end up outweighing expected cost savings resulting from standardization. Conclusion Compliance with the privacy standards will be onerous for large and small entities alike. Privacy compliance efforts should be incorporated into the health care compliance programs being adopted and implemented by many members of the health care industry. Attorneys working with health care clients will have to be knowledgeable of the privacy rule's requirements in addition to the other existing and future regulations implementing HIPAA's administrative simplification standards. Due to the complexity of the privacy rules, efforts should begin now to bring covered entities into compliance with the rules. Attorneys will want to be able to assist their clients in developing and drafting policies and procedures aimed at compliance, preparing for training and other educational efforts, and working within the privacy requirements while trying to limit adverse impacts on patient care and relations. Aba.privacy revised |