Final HIPAA Privacy Rules
February 20, 2001

Issue: Final HIPAA Privacy Rules
On December 28, 2000, the Secretary of Health and Human Services (HHS) released final privacy regulations relating to the protection of patients' individually identifiable health information, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). For most Covered Entities, the deadline for HIPAA Privacy compliance will be 26 months after publication of the rules in the Federal Register. How might the final HHS privacy rules affect telemedicine practitioners?
Discussion

Under the Administrative Simplification provision of HIPAA, HHS must adopt national standards for administrative and financial electronic data transactions. Additionally, in the absence of congressional action by August 1999, the HHS Secretary was required to develop regulations to protect the security and privacy of transmitted individually identifiable health information. The final rules differ in some important ways from the earlier 1999 proposed rules.
WHO is covered?

- All health plans.
- All health information clearinghouses.
- Health care providers who engage, directly or through contractual arrangements, in HIPAA standard electronic transactions.
- These electronic transactions include: computer-to-computer transmission of health care claims, payment and remittance, benefit information, and health plan eligibility information.
WHAT is covered?

A major difference between the Secretary's 1999 proposed privacy rules and the final regulations is the information covered by HIPAA. The 1999 proposed rules recommended that the regulations would not apply to information that had never been electronically maintained or transmitted by a covered entity.

- The final rules cover all personal health information maintained in any format, whether electronic, paper or oral.
HOW to comply

- Train employees about security and designate a privacy officer.
- Develop a Trading Partner Agreement that extends privacy protections to third party business associates.
- Obtain patient consent for most disclosures of protected health information.
- Provide the minimum amount of information necessary.
HOW might HIPAA affect Telemedicine Providers?

Some privacy issues that may uniquely affect telemedicine practitioners include:

- State preemption of Federal laws. HHS proposes that Federal laws preempt state laws that are in conflict with regulatory requirements or that provide less stringent privacy protections. But those states that have more stringent privacy laws would preempt Federal law. Under these circumstances, telemedicine practitioners could be faced with a patchwork of state privacy standards.
- For example, if a specialist in state A were teleconsulting with physicians in states B, C and D, which state's privacy laws should take precedence over the others? What if they conflict?
- All states have laws governing the use and disclosure of health information, with a wide variety of protections. The Georgetown Privacy Project has assembled a comprehensive summary of these state laws at: http://www.healthprivacy.org/resources/statereports/contents.html
According to the Advanced Technology Institute's preliminary research, using input from OAT grantees, other privacy concerns for telemedicine practitioners may include:

- A need for a heightened level of concern for patient privacy in the telemedicine environment, especially where patient visits are occurring in real time.
- The potential for more complicated informed consent requirements under HIPAA that could inhibit obtaining the patient consent signatures which are necessary prior to initiating telehealth activities.
- The presence of outsiders or non-clinical persons in teleconsultations.
- Non-clinical technicians, camera people, schedulers, etc., located on either side of a telemedicine consultation or at the site of a service provider, either physically or via the technology they support.
- Clinical personnel who may not be visible or observable by the patient in a teleconsultation.
- Patient information that is transmitted in electronic and physical forms on a regular basis across organizations and political (state and national) borders.
- Patient information routinely stored electronically and/or physically at each of the sites involved in the encounter, often unintentionally, which may not be protected by policies or procedures as effectively as information used in on-site encounters.
Background

Under the final privacy rules, covered entities must protect individually identifiable health information against deliberate or inadvertent misuse or disclosure. Consequently, health plans and providers must maintain administrative and physical safeguards to protect the confidentiality of health information as well as protect against unauthorized access. These entities must inform individuals about how their health information is used and disclosed and ensure them access to their information. Written authorization from patients for the use and disclosure of health information for most purposes is also required, with the exception of health care treatment, payment and operations (and certain national priority purposes).
Those entities that misuse personal health information can be punished. Under the final HIPAA rules, the HHS Office for Civil Rights, which is responsible for implementing the Privacy rules, can impose civil monetary penalties and criminal penalties for certain wrongful disclosures of protected information. Civil penalties can be imposed up to $25,000 per year, and criminal penalties can range from $50,000 and one year in prison to $250,000 and ten years in prison.
The health care industry has been lobbying the Bush Administration to change or dismantle the HIPAA regulations, while consumer privacy advocates view the rules as a milestone that provides comprehensive federal, rather than conflicting state, standards for patient medical privacy. At this time, it is unclear whether or not the current Administration will fully implement HIPAA and how these final rules will affect telemedicine practitioners over the long term.
What You Need to Know
Other Links

Federal Proposed Rulemakings
State Privacy Laws
General Information on Safeguarding Information

For a short summary of OAT's Jan. 13, 2000, Privacy, Security and Confidentiality seminar, go to:
Next Steps

OAT and the Assistant Secretary's Office of Planning and Evaluation have recently funded a study and a conference entitled Privacy, HIPAA and Telemedicine by the Advanced Technology Institute, which will be completed in spring 2001. The purpose of the study is to identify privacy issues and concerns unique to telemedicine and to determine how HIPAA may affect telemedicine practitioners and patients. The study will draw upon the experience of OAT's grantees, which include over 60 telemedicine networks and over 400 sites.