PARTNERS HUMAN RESEARCH COMMITTEE


Overview of the HIPAA Final Privacy Regulations

I. Background

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a broad federal law, only part of which is intended to protect the privacy of health care information. HIPAA required Congress to enact a health information privacy law by August 1999 and stated that if it did not act by then (as it did not), then the U.S. Department of Health and Human Services (DHHS) must develop privacy regulations. DHHS proposed regulations in November 1999, and following a public comment period in which it received more than 52,000 comments, published a final rule at the end of December 2000.

In January 2001, the Bush Administration put the Privacy Rule on hold and, in February, reopened it for public comment. President Bush then lifted the hold, indicating that changes would follow in response to the comments, but confirming the rule's effective date of April 14, 2001. The rule required compliance by April 14, 2003 (two years after the effective date).

Notably, DHHS proposed many changes to the rule in March 2002, and after further public comment, published a "new" final version on August 14, 2002. Despite those changes, the compliance deadline remained April 14, 2003.

Most recently, in January 2013, DHHS issued changes to the privacy regulations implementing the mandates of two federal laws, the Health Information Technology for Economic and Clinical Health Act of 2009 and the Genetic Information Nondiscrimination Act of 2008. The compliance date for these recent changes is September 23, 2013.

II. Why Was the Rule Issued?

The intent of the rule is to protect the privacy of individuals' health care information. It creates a federal "floor" of protection so that every person in this country has at least the same basic rights and protections, though some may have additional rights depending on state law.

III. Whom Does the Rule Cover?

A. Covered Entities
The Privacy Rule directly regulates three types of "covered entities": health care providers (including individuals and organizations), health plans (including insurers and other payors), and health care clearinghouses (entities, such as billing services, that process health information from nonstandard into standard forms or vice versa). Most components of and individuals within Partners HealthCare System, Inc. ("Partners") are health care providers; however, Partners itself and Partners Community HealthCare, Inc. ("PCHI") are considered clearinghouses because of certain billing-related functions they perform.

Importantly for Partners, the Privacy Rule allows separate covered entities that are under common ownership or control to designate themselves as one covered entity. Partners has elected this option, and therefore Partners, PCHI, and affiliated hospitals and providers are considered to be one affiliated covered entity. This option offers valuable efficiencies (such as use of common forms and policies, and easier sharing of health information for treatment and other purposes within the system). Significant coordination, however, is needed for compliance.

B. Business Associates
While the Privacy Rule covers only the aforementioned three entities, it expands the reach of its protections by requiring that covered entities obtain written confidentiality assurances from their business associates. Business associates are defined as individuals or entities outside of the Partners system that receive, create, or have access to individually identifiable health information and (1) perform a service on behalf of Partners or its affiliates, or (2) fit within the list of specific service providers (i.e., outside legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services).

The written assurance (which may be in a stand-alone agreement or part of a larger contract) must include several provisions: for example, restrictions on how the business associate may use or release identifiable health care information, promises to protect such information and to return or destroy it at the end of the contract, and assurances to make such information available for compliance purposes. If a covered entity knows that its business associate has violated these provisions, the covered entity must take reasonable steps to correct the problem and terminate the contract (in most cases) if such steps fail.

As a result of the most recent changes to the Privacy Rule, Business Associates are now directly regulated by the Rule and directly responsible for compliance with certain of its provisions.

IV. What Health Information Is Covered?

A. Protected Health Information (PHI)
The Privacy Rule protects individually identifiable health information that a covered entity creates or receives, whether in electronic, paper, or verbal form ("Protected Health Information" or "PHI"). The definition is broad and includes information relating to the past, present, or future physical or mental health of a person, the provision of health care to a person, and payment for health care. It also includes genetic information as defined in the federal Genetic Information Nondiscrimination Act. See http://healthcare.partners.org/phsirb/hipaaglos.htm. The rule covers one's PHI for as long as the covered entity retains it; hence, decedents' health information is protected by this rule. However, the recent changes implemented in 2013 now put a time limit on the protections for decedents: when an individual has been deceased more than 50 years, his/her health information is no longer PHI subject to the Rule.

B. Deidentified Information
The Rule does not apply to deidentified health information. It permits deidentification in two ways: (1) a qualified statistician or expert must determine that the risk of reidentification is "very small" and must document the methods used to reach that conclusion; or (2) 18 identifiers must be removed, and the covered entity must not have actual knowledge that the remaining information could be used to identify an individual. The identifiers of the individual -- and of relatives, employers, or household members of the individual -- that must be removed include:

(1) Names;
(2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code in certain situations;
(3) All elements of date (except year) for dates directly related to an individual, including birth date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web Universal Resource Locators (URLs);
(15) Internet Protocol (IP) address numbers;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code.
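As an added example (not from the Partners overview or any Partners code), the following Python applies the Safe Harbor removals listed above to a constructed record: direct identifiers are dropped, dates are reduced to their year, ages over 89 collapse to "90+", identifier-shaped text hiding in free-text fields is redacted, and the zip code keeps at most its first three digits. The page does not spell out when a three-digit prefix may be kept, so that condition is modelled as a caller-supplied allowlist; all field names and sample values are constructed.

```python
"""Safe Harbor deidentification of a structured record: an added illustration of
the 18-identifier method above, not Partners code. Assumption: the rule's condition
for retaining a three-digit zip prefix is modelled as a caller-supplied allowlist."""
import re
from datetime import date
# Record fields holding the direct identifiers in items (1)-(17); field names are constructed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}  # item (3)

# Item (18) catch-all: identifier-shaped tokens that may hide inside free-text fields.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
def find_identifier_patterns(text: str) -> list:
    """Names of the identifier patterns present in free text (empty list if none)."""
    return [name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)]

def deidentify(record: dict, allowed_zip3: set, as_of: date) -> dict:
    """Return a new record with the 18 Safe Harbor identifier classes removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue                                      # items (1)-(17): drop outright
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year               # item (3): keep the year only
        elif key == "zip":
            zip3 = str(value)[:3]                         # item (2): at most 3 digits survive
            out["zip3"] = zip3 if zip3 in allowed_zip3 else "000"
        elif isinstance(value, str) and find_identifier_patterns(value):
            out[key] = "[REDACTED]"                       # item (18): identifier-like text
        else:
            out[key] = value
    birth = record.get("birth_date")
    if birth is not None:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age > 89:                                      # item (3): ages over 89 become "90+"
            out["age"] = "90+"
            out.pop("birth_date_year", None)              # birth year alone would expose age > 89
        else:
            out["age"] = age
    return out

# Constructed sample record and reference date for the worked run; all values are made up.
AS_OF = date(2013, 10, 1)
SAMPLE = {
    "name": "Jane Example", "mrn": "CONSTRUCTED-001", "zip": "02114",
    "birth_date": date(1920, 3, 15), "discharge_date": date(2013, 9, 23),
    "diagnosis_code": "I10", "notes": "Call 617-555-0100 with results.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, allowed_zip3={"021"}, as_of=AS_OF))
```

Note that the age test removes the birth year as well, because a 1920 birth year would by itself reveal an age over 89 and item (3) forbids retaining any date element indicative of such an age.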

C. Limited Data Set: Option for Research, Operations, and Public Health
The final Privacy Rule (August 2002) introduced a new category of information that may be used by an entity or disclosed externally without triggering all of the rule's requirements. This option is available only for research, health care operations, and public health purposes. DHHS requires many "direct" identifiers to be removed, but certain information - such as dates and geographic information without street address - may be retained. Whoever receives the information must agree to a "data use agreement" that describes the permitted uses and disclosures of the information received and prohibits any attempt to reidentify or contact the individuals. Of note, the data use agreement has fewer requirements than a business associate agreement.

Accordingly, researchers who remove most direct identifiers but need to retain dates (e.g., date of birth, admission and discharge date) and some geographic information may do so without triggering all of the Privacy Rule requirements. Because DHHS has defined only what may not be included in a limited data set, it is possible that other information may also be retained. The "minimum necessary" standard (described below) still applies, but the requirement of accounting for all disclosures of PHI does not apply (also described below).

V. What Does the Rule Require?

The general rule is that a covered entity may not use or disclose PHI without an individual's written authorization, except if permitted or required by the Privacy Rule. Individuals have several rights that the covered entities must protect.

  • Notice of Privacy Practices and Written Acknowledgement: Covered entities (including health care providers) must give individuals an understandable notice of the ways in which PHI will be used and disclosed. "Use" means sharing within the Partners system, and "disclose" means releasing outside of the system. Entities must make a good faith effort to obtain a written acknowledgement of receipt of the notice.

  • Uses and Disclosures of Protected Information

    • No permission or authorization required: Covered entities may use or disclose PHI for the core activities of treatment, payment, and health care operations without written authorization. "Health care operations" refers to a covered entity's health-related activities (e.g., quality assessment, clinical guideline development, teaching, and general administration). The Privacy Notice should describe these uses and disclosures with reasonable specificity. In addition, permission is not needed to use or disclose PHI for certain activities that are in the public interest. These uses and disclosures include: as required by law; for public health activities (e.g., reporting births, deaths, and injuries); about victims of abuse, neglect, or domestic violence; for health oversight activities (e.g., audits, investigations, licensure, or disciplinary action); for judicial and administrative proceedings; for law enforcement purposes; about decedents (e.g., to funeral directors or medical examiners); for organ and tissue donation purposes; for limited research purposes, as explained below; to avert a serious threat to health or safety; and for special government functions (e.g., military and veterans activities, national security).
    • Authorization: Authorization is required for several uses and disclosures of PHI. One example is for research; generally, a researcher must obtain a subject's authorization before using or disclosing PHI for a study, unless the researcher obtains an IRB-approved waiver of authorization.
    • Oral Agreement or Objection: If a covered entity wants to include PHI in a facility directory, disclose it to clergy, or disclose it to family or close friends of the patient, it does not need the patient's written authorization. It must, however, give the patient a reasonable opportunity to opt in or opt out.

  • Minimum Necessary Standard: When a covered entity uses or discloses PHI or requests it from another covered entity, the entity generally must try to limit such information to the "minimum necessary" needed to achieve the purpose. The entity must adopt policies that address what information generally meets this standard for uses, requests, and routine disclosures. For non-routine requests and disclosures, criteria must be developed to permit case-by-case review of the minimum necessary for each purpose. Importantly, the minimum necessary standard does not apply to treatment-related disclosures made to facilitate treatment (e.g., a hospital may release a copy of a full record to an outside physician providing a second opinion). The minimum necessary standard also does not apply when an individual has authorized the use or disclosure (e.g., if a person enrolls in a study and authorizes use and disclosure of her PHI for that purpose, then the researchers do not need to determine what is the minimum necessary information they may use or disclose for the research).

  • Individual Rights and Entity Responsibilities

    • Notice, Authorization, and Revocation: Covered entities must give individuals a notice of privacy practices, try in good faith to obtain a written acknowledgement of receipt of the notice, and obtain authorizations when applicable. Individuals have a right to revoke the authorization except to the extent an entity has relied on it. In the event an individual refuses to sign or revokes an authorization, the entity must have mechanisms to track those decisions and ensure they are followed.
    • Access: Individuals generally have a right of access to their PHI. A covered entity may charge a reasonable fee for copying and postage.
    • Amendment: Individuals have a right to amend their PHI. If the entity approves the request, it must inform the individual; persons or entities the individual identifies as needing the amendment; and others, including business associates, who may have relied or could rely on such information to the individual's detriment.
    • Accounting of Disclosures: Individuals have a right to request a list of disclosures of their PHI. The list generally must indicate how, when, why, to whom, and to what extent their PHI has been disclosed outside the covered entity over the previous six years. This right does not include disclosures for treatment, payment, and health care operations, disclosures authorized by the individual, disclosures for certain law enforcement and other purposes, or disclosures occurring before the effective date of the rule.
    • Request for Restrictions: Individuals may ask a covered entity to restrict its uses or disclosures of their PHI, but the entity need not agree to the restriction. In such a situation, if the individual does not accept the protections that can be provided, the individual can decide to obtain care elsewhere.
    • Confidential Communications: Individuals may ask that a health care provider communicate with them by alternative means or at an alternative location (e.g., home vs. office, mail vs. email). A provider must reasonably accommodate the request and may not require an explanation.
    • Personal Representatives: Although not described as an individual right, a covered entity must treat individuals' family and other "personal representatives" in the same way as the individuals, with certain exceptions. Personal representatives include not only family (including parents of minors), but also other relatives, close personal friends, or others who are authorized to act for an individual with respect to decisions concerning health care treatment or payment. An entity has discretion not to treat someone as a personal representative if it reasonably believes an abusive situation exists, the individual may be harmed, or it is otherwise not in the individual's best interest.
    • Deceased Individuals: A covered entity must protect the privacy of a decedent's health information until the individual has been deceased for more than 50 years, at which point the information is no longer considered PHI under the regulations. This reflects a balance between the ongoing sensitivity of genetic and hereditary information and the importance of medical historical and archival research. Before that 50-year mark, a personal representative (e.g., an executor) may access PHI, as may a provider for purposes of treating other family members. In addition, a decedent's PHI may be used for certain research purposes without an authorization if either a waiver of authorization is obtained or specific assurances are provided by the researcher about the need and purpose for using the PHI.

VI. Select Operational Implications

  • Administrative Requirements: These include:
    • Appointing personnel (e.g., a privacy officer);
    • Implementing privacy policies and procedures to comply with the rule;
    • Training the workforce;
    • Applying sanctions for violations;
    • Providing a complaint process for patients;
    • Protecting against retaliation;
    • Updating the privacy notice and other policies and procedures.
  • Research (addressed further in a separate research-focused overview)
    • Changes to consent forms, policies, and procedures will be needed. For example, a consent form for a clinical trial will need to include all elements required in an authorization to use or disclose PHI.
    • A waiver of authorization is available from an IRB only if the waiver criteria required by both the Privacy Rule and the Common Rule are met. If authorization is waived, the researcher must use or disclose the minimum necessary PHI and must track all disclosures.
    • Transition provisions permit grandfathering of consents obtained and waivers approved before April 14, 2003. As of that compliance date, however, researchers will need to obtain authorizations or waivers that comply with the Privacy Rule.
    • Some third parties supporting research activities (e.g., data storage companies) may be business associates, in which case contracts must comply with the rule.
  • Fundraising: Fundraising requires an individual's authorization, except for limited activities involving only demographic information and date of service (without diagnostic or treatment information).
  • Marketing: Marketing requires an individual's authorization, except for face-to-face encounters and promotional gifts of nominal value. In addition, marketing is defined to exclude treatment-related communications.
  • Internet and E-health Activities: A covered entity with a web site describing its services must post its notice of privacy practices prominently on the site and make the notice available electronically through the site. Web site privacy policies and terms of use will need review for compliance with the rule.
  • Use of Legal Counsel: A covered entity's outside legal counsel is a business associate when the representation involves PHI. The minimum necessary standard applies, but an entity may rely on its counsel's judgment regarding the extent of information needed.

VII. How Does the Privacy Rule Affect Other Laws?

A. Preemption
The Privacy Rule generally preempts conflicting state law, with certain exceptions. For example, a state law that offers stricter privacy protections will generally govern.

B. Interaction with Other Federal Laws
HHS explains in its preamble how the privacy rule interacts with other federal laws. A full discussion of this is not possible here, but case-by-case analysis will be needed.

VIII. How Will HHS Enforce the Rule?
The rule permits compliance reviews by HHS and the filing of complaints by individuals, which HHS may investigate. HIPAA authorizes both civil and criminal penalties, including significant fines and imprisonment.

The final privacy rule is available on-line at http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf or through http://www.hhs.gov.

Updated 10/2013