Telehealth update

Final HIPAA Privacy Rules

February 20, 2001


Issue: Final HIPAA Privacy Rules
On December 28, 2000, the Secretary of Health and Human Services (HHS) released final privacy regulations relating to the protection of patients' individually identifiable health information as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The deadline for HIPAA Privacy compliance will be 26 months after its publication in the Federal Register for most Covered Entities. How might the final HHS privacy rules affect telemedicine practitioners?

Discussion
Under the Administrative Simplification provision of HIPAA, HHS must adopt national standards for administrative and financial electronic data transactions. Additionally, in the absence of congressional action by August 1999, the HHS Secretary was required to develop regulations to protect the security and privacy of transmitted individually identifiable health information. The final rules differ in some important ways from the earlier 1999 proposed rules.


WHO is covered?

  • All health plans,
  • All health information clearinghouses,
  • Health care providers who engage, directly or through contractual arrangements, in HIPAA standard electronic transactions.
    • These electronic transactions include computer-to-computer transmission of healthcare claims, payment and remittance, benefit information, and health plan eligibility information.

WHAT is covered?

A major difference between the Secretary's 1999 proposed privacy rules and the final regulations is the information covered by HIPAA. The 1999 proposed rules recommended that regulations would not apply to information that had never been electronically maintained or transmitted by a covered entity.

  • The final rules cover all personal health information maintained in any format, whether electronic, paper or oral.

HOW to comply

  • Train employees about security and designate a privacy officer.
  • Develop a Trading Partner Agreement that extends privacy protections to third party business associates.
  • Obtain patient consent for most disclosures of protected health information.
  • Provide the minimum amount of information necessary.

HOW might HIPAA affect Telemedicine Providers?

Some Privacy issues that may uniquely affect telemedicine practitioners include:

  • State preemption of Federal laws. HHS proposes that Federal laws preempt state laws that conflict with regulatory requirements or that provide less stringent privacy protections. However, state laws that are more stringent would preempt Federal law. Under these circumstances, telemedicine practitioners could be faced with a patchwork of state privacy standards.
    • For example, if a specialist in state A were teleconsulting with physicians in states B, C and D, which state privacy laws should take precedence over others? What if they conflict?
    • All states have laws governing the use and disclosure of health information with a wide variety of protections. The Georgetown Privacy Project has assembled a comprehensive summary of these state laws at: http://www.healthprivacy.org/resources/statereports/contents.html

According to the Advanced Technology Institute's preliminary research, using input from OAT grantees, other privacy concerns for telemedicine practitioners may include:

  • A need for a heightened level of concern for patient privacy in the telemedicine environment, especially where patient visits are occurring in real-time.
  • The potential for more complicated informed consent requirements under HIPAA that could inhibit obtaining the patient consent signatures that are necessary prior to initiating telehealth activities.
  • The presence of outsiders or non-clinical persons in teleconsultations.
    • Non-clinical technicians, camera people, schedulers etc. located on either side of a telemedicine consultation or at the site of a service provider, either physically or via the technology they support.
  • Clinical Personnel who may not be visible or observable by the patient in a teleconsultation.
  • Patient information that is transmitted in electronic and physical forms on a regular basis across organizations and political (state and national) borders.
  • Patient information routinely stored electronically and/or physically at each of the sites involved in the encounter, often unintentionally, may not be protected by policies or procedures as effectively as information used in on-site encounters.

Background
Under the final privacy rules, covered entities must protect individually identifiable health information against deliberate or inadvertent misuse or disclosure. Consequently, health plans and providers must maintain administrative and physical safeguards to protect the confidentiality of health information as well as protect against unauthorized access. These entities must inform individuals about how their health information is used and disclosed and ensure them access to their information. Written authorization from patients for the use and disclosure of health information for most purposes is also required, with the exception of health care treatment, payment and operations (and for certain national priority purposes).

Those entities that misuse personal health information can be punished. Under final HIPAA rules, the HHS Office for Civil Rights, which is responsible for implementing the Privacy rules, can impose civil monetary penalties and criminal penalties for certain wrongful disclosures of protected information. Civil penalties can be imposed up to $25,000 per year and criminal penalties can range from $50,000 and one year in prison to $250,000 and ten years in prison.

The Health Care Industry has been lobbying the Bush Administration to change or dismantle HIPAA regulations, while Consumer privacy advocates view the rules as a milestone that provides comprehensive federal, rather than conflicting state standards for patient medical privacy. At this time, it is unclear whether or not the current Administration will fully implement HIPAA and how these final rules will affect telemedicine practitioners over the long term.


What You Need to Know


Other Links

Federal Proposed Rulemakings

State Privacy Laws

General Information on Safeguarding Information

For a short summary of OAT's Jan. 13, 2000, Privacy, Security and Confidentiality seminar, go to:

Next Steps
OAT and the Assistant Secretary's Office of Planning and Evaluation have recently funded a study and a conference entitled Privacy, HIPAA and Telemedicine by the Advanced Technology Institute, which will be completed in spring 2001. The purpose of the study is to identify privacy issues and concerns unique to telemedicine and to determine how HIPAA may affect telemedicine practitioners and patients. The study will draw upon the experience of OAT's grantees, which include over 60 telemedicine networks and over 400 sites.


Office for the Advancement of Telehealth, 5600 Fishers Lane, Room 11A-55, Rockville, MD 20857, voice/301-443-0447; fax/301/443-1330