Health Insurance Portability and Accountability Act of 1996

To address the need for a national patient record privacy standard, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is best known for creating a health insurance safety net for individuals moving from one job to another. Lesser known is the Act’s sweeping mandates concerning the standardization of health information.

Under HIPAA’s Administrative Simplification provision, either Congress or (in the absence of congressional action by August, 1999), the Department of Health and Human Services (DHHS) was required to develop a series of national standards for administrative and financial electronic data transactions. These transactions would include areas such as electronic transaction standards for electronic exchange of health information for administrative purposes; a national provider identifier; and an employer identifier and secure electronic signatures. Additionally, the Act mandated either Congress or DHHS to develop regulations to protect the security and privacy of individually identifiable health information transmitted in any format by covered entities.

In the absence of congressional action within the mandated deadline, DHHS was required to publish proposed HIPAA privacy rules in 1999 and final rules by February, 2000. On December 28, 2000, DHHS released the final HIPAA privacy rules in the Federal Register. Initially, the Administration delayed implementation because of an administrative error but later DHHS Secretary Tommy Thompson announced that the rules would take effect on April 14, 2001. Consequently, most covered entities must implement the HIPAA privacy rule provisions by April, 2003. DHHS has since released a DHHS Fact Sheet on HIPAA rules (DHHS, May 2001) as well as recent HIPAA Guidelines with common questions and answers on July 6, 2001 (DHHS, July 2001).

Who and What is Covered?

HIPAA privacy rules pertain to the following Covered Entities:

• Health plans, e.g., insurers, managed care organizations, and federal health programs
• Health clearinghouses that which unify data in standardized formats
• Health care providers who engage, directly or through contractual arrangements, in HIPAA standard electronic transactions, e.g., computer to computer transmission of healthcare claims, payment and remittance, benefit information, and/or health plan eligibility information

HIPAA rules also pertain to the following information:

• Personal Health Information (PHI), individually identifiable health information transmitted in any format (electronic, paper or oral) by covered entities

Additionally, covered entities are responsible for the actions of their third party business partners. That is, HIPAA privacy standards apply indirectly to business associates because a covered entity must develop a legal agreement with their business partners to safeguard individual health information obtained from the covered entity. For example, a hospital will need to develop a patient privacy agreement with its billing company or its outside data management company or any third party business associate that receives patient information from the hospital. Moreover, the covered entity must address situations when business associates fail to comply with their privacy obligations. According to DHHS’ July 2001 guidelines, a business associate is:

a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A business associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital (DHHS, Office/Civil Rights, 2001).

Patients’ Rights

HIPAA privacy rules emphasize the importance of patient privacy rights.

HIPAA privacy rules emphasize the importance of patient privacy rights.

Covered entities must inform individuals about how their health information is used and disclosed and ensure them access to their information. Written authorization from patients for the use and disclosure of health information for most purposes is required with the exception of health care treatment, payment, operations, and for certain national priority purposes. The DHHS Fact Sheet (May, 2001) on HIPPA outlines important patient rights as shown below:

• Patient education on privacy protections: Providers and health plans will be required to give patients a clear written explanation of how the covered entity may use and disclose their health information.
• Ensuring patient access to their medical records: Patients will be able to see, get copies of their records, and request amendments. In addition, a history of non-routine disclosures must be made accessible to patients. (Non-routine disclosures might include the disclosure of a cardiac patient’s mental health records to determine if medication for the treatment of mental health had possible side effects on high blood pressure).
• Receiving patient consent before information is released: Health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. In addition,separate patient authorization must be obtained for non-routine disclosures and most non-health care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information.
• Providing recourse if privacy protections are violated. People will have the right to file a formal complaint with a covered provider or health plan, or with HHS, about violations of the provisions of this rule or the policies and procedures of the covered entity.

General Compliance

Covered Entities must protect individually identifiable health information against deliberate or inadvertent misuse or disclosure. Consequently, health plans and providers must maintain administrative and physical safeguards to protect the confidentiality of health information as well as protect against unauthorized access. HIPAA final rules explicitly mention the following actions:

• Adopt written privacy procedures.
• Train employees about security.
• Designate a privacy officer.
• Develop legal agreements that extend privacy protections to third party business associates.
• Obtain patient consent for most disclosures of protected health information.
• Provide the minimum amount of information necessary.

Those that misuse personal health information can be punished. The DHHS Office for Civil Rights, which is responsible for implementing the Privacy rules, can impose civil monetary penalties and criminal penalties for certain wrongful disclosures of protected information. Civil penalties can be imposed up to $25,000 per year and criminal penalties can range from $50,000 and one year in prison to $250,000 and ten years in prison.

Telemedicine and Telehealth Compliance

Telemedicine and Telehealth practitioners may face unique problems as they undertake compliance with HIPAA and other privacy rules. One issue that may greatly affect telemedicine providers is Federal preemption of state law under HIPAA.

HIPAA rules preempt state laws that are in conflict with or provide less stringent privacy protections than Federal regulatory requirements. Those states that have more stringent privacy laws would preempt Federal law. Under these circumstances, telemedicine practitioners could be faced with a patchwork of state privacy standards. For example, a telemedicine specialist in state A teleconsults with telemedicine practitioners in states B, C and D. Which state privacy laws take precedence over others, if all three state laws are more stringent than Federal law? What if they are in conflict? Which state would have legal jurisdiction if a patient decided to sue one of the practitioners? All states have laws governing the use and disclosure of health information with a wide variety of protections. The Georgetown University Health Privacy Project (Pritts, Goldman, Hudson, Berenson, & Hadley, 1999) has assembled a comprehensive summary of these state laws that highlights their complexity and diversity at their website: http://www.healthprivacy.org.

Given the challenging privacy issues facing its telemedicine grantees, the Office for the Advancement of Telehealth, (OAT), part of the DHHS, Health Resources and Services Administration, has joined with the Office of the Assistant Secretary for Planning and Evaluation, DHHS, to fund the Advanced Technology Institute’s (ATI) study of privacy concerns unique to telemedicine practitioners. According to the ATI's preliminary research, using input from OAT grantees, other unique privacy concerns for telemedicine practitioners may include:

• The presence of outsiders or non-clinical persons in teleconsultations, such as non-clinical technicians, camera people and schedulers located on either side of a telemedicine consultation or at the site of a service provider, either physically or via the technology they support.
• Clinical Personnel who may not be visible or observable by the patient may also be involved in a teleconsultation.
• Patient information routinely stored electronically and/or physically at each site may not be protected by policies or procedures as effectively as information used in on-site encounters.

For telemedicine practitioners, electronic transmission of patient health information in various formats is part of their every day job. For example, store-and-forward applications are quite common. This means that a telemedicine practitioner at a remote rural site can examine a patient and send a video clip or a photographic scan of the patient, along with the patient's medical, record by E-mail via the Internet or dedicated line to a distant consulting practitioner. In a live interactive videoconference session, a patient may sit in the same room as a health presenter, video camera man and technician. The consulting practitioner, who appears on the video monitor, may also have non-medical staff in his or her room. What should be done with the videotape of the consultation? How should Internet transmissions of identifiable information be handled? What types of privacy contracts should be made between the non-health staff and the practitioner? Can E-mail information be de-identified when part of the file includes scanned photos or video? Many of these types of privacy questions are unique to the practice of telemedicine.