HIPAA Compliance Lawyers
Health care providers and entities that are business associates of health care providers must handle volumes of patient medical information and must do so in a manner that does not violate the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws. HIPAA is a complicated regulatory scheme with many requirements that must be met. We can help you understand these complicated rules and can develop policies and procedures to help your entity become compliant with the regulations. Once the initial policies are in place, many of our clients continue to use us as a resource for training their employees and assisting with difficult HIPAA compliance scenarios that come up from time to time. Our HIPAA clients include physician practices, academic medical centers, health plans and other health care entities.
At Wachler & Associates, P.C., we have been counseling providers and other covered entities of all sizes regarding the HIPAA Privacy and Security Rules since the inception of the Rules over 10 years ago. When the regulations first came out, provider organizations called on us to explain the regulations and address the regulations in a common sense, practical manner. Over the years, we have drafted workbooks on both HIPAA Privacy and Security and presented at seminars educating provider organizations across the country, including the Federated Ambulatory Surgery Association, the American Orthotics and Prosthetics Association, the Michigan Osteopathic Association and the Michigan Orthotics and Prosthetics Association. We have analyzed the HIPAA Privacy and Security Rules, as well as the Breach Notification Rules for major publications, including the American Bar Association’s publication, The Health Lawyer. Our attorneys continue to keep up to date with new HIPAA developments and write and speak on HIPAA issues across the country.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (“HIPAA”) to address multiple health care issues including administrative simplification. The “administrative simplification” provisions of HIPAA mandate compliance in three key areas: (1) privacy; (2) security; and (3) electronic transactions.
All healthcare providers who submit claims electronically (even if a billing company submits the claims for them) are required to comply with the HIPAA rules. Health plans and clearinghouses are also required to comply with HIPAA.
The HIPAA Privacy Rule provides restrictions on uses and disclosures of “protected health information”. Almost all of the information maintained or created by a health care provider or supplier will be considered “protected health information” (PHI) for HIPAA purposes. The HIPAA Privacy rule sets forth the instances in which protected patient information can be used within the provider’s practice or disclosed by the provider to outside parties. In general, “protected health information” can only be used for treatment, payment and health care operations – all of which have specific meanings in the regulations. For uses other than treatment, payment and operations, health care providers must have the patient sign an authorization which complies with all of the requirements set forth in the HIPAA Privacy Regulations. There are certain exceptions to the HIPAA Privacy Rule where “protected health information” can be disclosed without a patient’s authorization even if the disclosure is not for treatment, payment or operations. For example, protected health information may be disclosed where required by law. The HIPAA Privacy Rule also gives individual patients certain rights including the right to inspect and copy their records, the right to request that the information be amended, the right to request certain restrictions on the use and disclosure of a patient’s protected health information, the right to file written complaints with the entity and the government, and the right to receive notice of a covered entity’s privacy policies.
In order to be compliant with the HIPAA Privacy Rule, all covered entities must appoint a HIPAA Privacy Officer to oversee HIPAA compliance within the entity. It is also mandatory that all covered entities maintain written HIPAA Policies and Procedures and train all employees on these policies. The HIPAA Privacy Rule also requires covered entities to enter into a “business associate agreement” with any individual or entity that provides services on behalf of the covered entity, to the extent such services involve the use of the covered entity’s “protected health information.”
The HIPAA Security Rule protects “protected health information” that is in electronic form. Such protected health information is also known as “electronic protected health information” or EPHI. Many health care providers have EPHI in electronic form either in electronic health records (EHRs) or through billing or laboratory systems. The HIPAA Security Rule has a technological component as well as an administrative component. Therefore, even if you purchase an EHR or other system that is marketed as “HIPAA compliant” there are other steps that must be taken. As with the HIPAA Privacy Rule, the HIPAA Security Rule requires someone from the covered entity to take responsibility for compliance and the development and oversight of written policies and procedures. This person is called the HIPAA Security Officer and may or may not also serve the role of HIPAA Privacy Officer. Like the HIPAA Privacy Rule, the HIPAA Security Rule also requires creation and maintenance of written policies and procedures and employee training. One of the key components of the HIPAA Security Rule is the Security Risk Analysis which requires covered entities to identify and address risks within their entity. It is important for all physicians to understand that when they apply for “meaningful use” incentives associated with the use of an EHR, they are required to attest to the fact that they have conducted a HIPAA Security Risk Analysis and corrected any shortcomings identified in the Risk Analysis.
The HITECH Act
The Health Information Technology for Economic Clinical Health Act ("the HITECH Act") was enacted as part of the American Recovery and Reinvestment Act of 2009 ("ARRA") on February 17, 2009. The HITECH Act created the “meaningful use” incentive program and also directed the promulgation of additional regulations intended to strengthen the HIPAA Privacy and Security Rules. The HITECH Act increased penalties for noncompliance and required periodic audits of health care providers (instead of relying on the complaint driven process that was originally used to enforce HIPAA). As a result of the mandates of the HITECH Act, the Office of Civil Rights (OCR) is also training state attorney generals to bring actions to enforce HIPAA and eventually harmed individuals will be able to share in the penalties assessed for HIPAA.
The HITECH Act also created direct responsibility for business associates with regard to the HIPAA Privacy and Security Rules. Now business associates will be held to the same standards as covered entities regarding HIPAA Privacy and Security Compliance and will be assessed the same penalties for noncompliance.
The HITECH Act also resulted in regulations that will require more extensive “accounting of disclosures” for covered entities that maintain an EHR and revised the marketing provisions of HIPAA to prohibit certain communications to be subsidized by third parties without giving patients notification or the right to opt out of such communications. Regulations promulgated pursuant to the HITECH Act will also eventually require covered entities to provide electronic copies of medical records upon request.
Based on changes in the HITECH Act, a covered entity must now comply with an individual's request that information not be disclosed to a health plan, if the disclosure is not for the purpose of treatment and the services at issue have already been paid in full out of pocket.
The Breach Notification Rule
One of the most important revisions to HIPAA resulting from the HITECH Act is the addition of the Breach Notification Rule – which is an interim final rule issued in August of 2009. The Breach Notification Rule generally requires covered entities to report breaches of the HIPAA Privacy and Security Rules to individuals, the government and the media on some occasions.
For purposes of the interim final rule, an inappropriate disclosure of protected health information will only be considered a “breach” if a determination is made that “there is a significant risk of financial, reputational or other harm to the individual.” In making this determination, the following factors should be taken into account: (1) The identity of the entity or individual that impermissibly used the information or to whom the information was impermissibly disclosed; (2) The steps that were taken to mitigate harm and the immediacy with which such steps were taken; (3) Whether the information was returned before being accessed; and (4) The type and amount of information disclosed.
If a covered entity determines that the inappropriate use or disclosure of protected health information was a “breach” each affected individual must be contacted personally without unreasonable delay, but no later than 60 days after discovering the incident. The notice must be written in plain language and include specific information as directed by the regulations. :
In the event that the contact information for an affected individual or a group of affected individuals is insufficient or out-of-date so as to make the individual notice described above impossible, a covered entity must make substitute notice in accordance with the following procedures:
If there are less than 10 affected individuals for whom there is insufficient or out-of-date contact information, substitute notice can be made to these individuals by telephone notice or by any other means.
If there are more than 10 affected individuals for whom there is insufficient or out-of-date contact information, the practice must either post notice of the breach on its website homepage or publish notice in a print or broadcast medium that is a major media outlet for the geographical area. Such notice must remain posted for at least 90 days and must include a toll-free telephone number that individuals may call for information.
If a breach involves more than 500 individuals, the covered entity must publish notice of the breach in a prominent media outlet no less than 60 days after the discovery of the incident. The notice must include all of the information contained in an individual notice. Regardless of the number of individuals involved, all breaches must be aggregated and reported via the Office of Civil Rights website within 60 days after the end of the calendar year.
Frequently Asked Questions
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a legislative act that was passed in 1996. HIPAA addressed many other topics including the portability of health insurance. However, HIPAA tends to be most well-known for its Privacy and Security requirements. In 2009, the HIPAA Privacy and Security provisions were revised as part of the Health Information Technology for Economic Clinical Health Act ("the HITECH Act”) which was enacted as part of the American Recovery and Reinvestment Act of 2009 ("ARRA").
Who must comply with HIPAA?
The HIPAA Privacy and Security Rules apply to all “covered entities”. Covered entities generally include all healthcare plans, healthcare providers who transmit healthcare information in electronic form (using a standard transaction), and healthcare clearinghouses (including billing companies). These groups are referred to in the regulations as "covered entities." However, the HITECH Act expanded the reach of HIPAA to business associates of these covered entities.
What kind of information is protected by HIPAA?
"Protected health information" is defined by the Privacy Rule as "individually identifiable health information" that is transmitted in any format. All information pertaining to an individual and held by a covered entity is considered “protected health information” unless it has been “de-identified” pursuant to the regulations.
The Security Rule governs "electronic protected health information," and requires covered entities to ensure the confidentiality, integrity, and availability of all protected health information that is created, received, maintained or transmitted by the covered entity in electronic form.
What rights do individuals have under HIPAA?
In general, the HIPAA Privacy Rule gives individuals the right to request a restriction on uses and disclosures of their protected health information. The individual is also provided the right to request confidential communications or that a communication of protected health information be made by alternative means, such as sending correspondence to the individual's office instead of the individual's home.
With limited exceptions, individuals also have the right to inspect and obtain a copy of their own protected health information and to request amendments of their protected health information.
What do healthcare providers and other "covered entities" need to do in order to comply with the HIPAA Privacy Rule?
Examples of the issues that covered entities will need to address in order to comply with the Privacy Rule are: appointment of a privacy officer and contact person to receive complaints, development of consent, notice and authorization forms for patients, development of numerous required privacy policies and procedures, drafting of agreements with all business associates, and training of staff on privacy issues.
What does the HIPAA security rule require?
The rule requires covered entities to conduct a risk analysis to identify any risks to electronic protected health information and to address such risks. In general, covered entities are also required to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data. The HIPAA Security Rule also requires covered entities to implement technical security mechanisms to prevent unauthorized access to patient data.
For more information on the HIPAA Privacy and Security Rules, please see the Health and Human Services Office of Civil Rights HIPAA website at: http://www.hhs.gov/ocr/privacy/
For information specific to the Breach Notification Rule, including links to instructions and links for submitting notification of HIPAA breaches to the Secretary of HHS see the HHS Breach Notification page at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
For additional guidance regarding the HIPAA Security Rule from the National Institute of Standards and Technology (NIST) visit the NIST Health Information Technology Website at http://www.nist.gov/healthcare/security/hipaasecurity.cfm
If you have any questions regarding the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act or the Breach Notification Rules, please contact Andrew Wachler at 248-544-0888 or through our website.
Wachler & Associates has written extensively on HIPAA and related issues. For a complete list of Wachler & Associates articles, please click here.
The attorneys of Wachler & Associates have spoken frequently on HIPAA issues. For a complete list of Wachler & Associates speaking engagements, please click here.