Congress enacted Health Insurance Portability and Accountability Act (HIPAA) in 1996 to limit the ability of an employer to deny health insurance coverage to employees with preexisting medical conditions. The law also directed the U.S. Department of Health and Human Services to develop privacy rules, including, but not limited to, the use of electronic medical records. This law has increased patient privacy, but in doing so has added to the financial burden, including personnel costs in health care. Nurses stand at the forefront in the resolution of the dilemma of patient privacy versus health care expediency. The purpose of this article is to assist nurses and other health care professionals to better understand their responsibilities regarding HIPAA regulations. First, responses to HIPAA regulations by covered entities to date, along with responses which are still needed, will be described. It will be noted that HIPAA is a work in progress and not a specific act. Next, future initiatives having HIPAA implications will be presented. In conclusion, the need for all covered entities and their personnel to look broadly at HIPAA as initiating a new way of work in health care will be emphasized.
Key words: consumer-driven health plans, covered entities, Health Alert Network, HIPAA regulations, patient safety, personal health record
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) in 1996 to limit the ability of an employer to deny health insurance coverage to employees with preexisting medical conditions. The law also directed the U.S. Department of Health and Human Services (USDHHS) to develop privacy rules, including, but not limited to, the use of electronic medical records (EMR). However, enactment of this Act was accompanied by a virtual collective groan among many in the medical field when they realized that the DHHS would be required by law to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. They recognized that while this would be a laudable effort to maintain health care privacy for the average citizen, such laws would require covered entities to convert years, sometimes decades, of paperwork to computer files, and impose additional work in other areas on health care organizations.
HIPAA defines a covered entity as a health plan; a health care provider, specifically a provider who conducts certain financial and administrative transactions electronically (e.g., billing, funds transfer, and/or insurance claims); or a health care clearinghouse. Clearinghouses are defined as organizations that process or facilitate the processing of health information from non-standard formats to standard formats or vice versa (e.g., a physician's billing service).
The "Privacy Rule" impacts all health care providers and health care plans that transmit health care information in electronic form. HIPAA has been described as a consumer protection statute, which among other things gives individuals the right to obtain their own medical records (45 C.F.R. §164.524), to request amendments to records (45 C.F.R. §164.526), and to learn where the records have been disclosed (45 C.F.R. §164.528).
Under HIPAA, "covered entities" must provide individuals with medical records within thirty days of a request. Conversely, the "Privacy Rule" also prohibits covered entities from releasing PHI (protected health information) without permission. To that end, any patient who believes his or her health care information has been illicitly exchanged may file a complaint with either the provider or the USDHHS Office for Civil Rights. The provider can be liable for both civil and criminal penalties of up to $250,000.
Nurses stand at the forefront in the resolution of the dilemma of patient privacy versus health care expediency. The purpose of this article is to assist nurses and other health care professionals to better understand their responsibilities regarding HIPAA regulations. First, responses to HIPAA regulations by covered entities to date, along with responses which are still needed, will be described. It will be noted that HIPAA is a work in progress and not a specific act. Next, future initiatives having HIPAA implications will be presented. In conclusion, the need for all covered entities and their personnel to look broadly at HIPAA as initiating a new way of work in health care will be emphasized.
Responses to Date by Covered Entities
As a risk management tool, and to further assure patient privacy, a number of hospitals and other health care providers have already issued new authorization forms that contain the required HIPAA elements. Although some releases may require witnessed signatures, this is not mandated by the HIPAA regulations, per 65 Fed. Reg. 82518 (Federal Register, 2000b), where DHHS, in the preamble to the Privacy Rule regulations, specifically states that verification of the individual’s identity or authentication of the individual’s signature is not required. The preamble also makes clear per 65 Fed. Reg. 82660 that copies of original signatures, as well as certain electronic signatures, are also permissible (Federal Register, 2000a).
Although many covered entities have developed elaborate HIPAA-compliant forms, these forms often do not include a "re-disclosure" provision. Federal and state laws may prohibit re-disclosure without specific authorization: 42 C.F.R. §2.32, NY Mental Hygiene Law §33.13, and NY Public Health Law §2782.5(a) prohibit re-disclosure of records pertaining to alcohol or substance abuse, mental health treatment, or HIV status, respectively, without express written consent. Similarly, many release forms make it clear that a specific release for behavioral and/or psychiatric records is necessary. In all likelihood, the regulations at 45 C.F.R. §164.508(a)(2) will be interpreted to require specific requests for such records. The net effect of this situation is to encourage nurses, nurse administrators, and other health care professionals to amend HIPAA consents to incorporate language specifying release of psychiatric records into these forms.
What started as an attempt to shield patient rights has metamorphosed into the Act we know today as HIPAA. Although HIPAA has provided privacy for health information, anecdotal tales abound of the inconsistent, and sometimes bizarre, manner in which health care professionals display their understanding of the HIPAA privacy regulations. This questionable understanding can be illustrated by a Washington Post (Woodlee, 2004) story in which a man’s family was not informed that he had died as a result of a hit-and-run accident which occurred two minutes away from his home. The family thought he was missing for two weeks and only learned of his death when his wife received a bill for $17,000 from the hospital. Granted, there were questions about the current address of the man since it was not listed on his identification, but somehow the hospital was able to forward a bill for services to the right address. When asked why they had not notified the family, hospital authorities cited federal confidentiality regulations as preventing them from doing so.
Questions remain as to what extent HIPAA privacy regulations are a positive addition to the health care profession. Also, many question the extent to which they must heed the warnings of consultants, governmental representatives, and industry partners who are familiar with HIPAA’s impending compliance requirements and deadlines. Many covered entities are seeking—or should be seeking—assistance in attempting to improve upon areas in which HIPAA has created conflicts, such as in disclosure of information to patient families and to insurance companies.
Responses Still Needed by Covered Entities
The delayed reaction to the impending regulatory requirements seems indicative of a significant lack of understanding regarding HIPAA’s impact on health care delivery as well as a misconception surrounding the effects that these regulations will have on the health care industry and patients.
Health care partners, erroneously assuming that HIPAA requirements will have little or no tangible impact...are failing to adequately assess their patients' needs and are missing a significant opportunity to improve their care.
To date, only two Final Regulations have been promulgated by the Department of Health and Human Services under HIPAA’s authority: Standards for Electronic Transactions and Code Sets and Standards for Privacy of Individually Identifiable Health Information. Many covered entities have focused their efforts on complying with the Electronic Transactions Standards, which went into effect on October 16, 2002. However, as attention shifts toward compliance with the Final Privacy Standards and the forthcoming Final Security Regulation, covered entities are beginning to recognize the need and the importance of seeking inter-industry assistance with compliance efforts.
Included among the various requirements imposed by HIPAA’s regulations are specifications regarding covered entities and relationships with third parties. Specifically, the Final Privacy Regulation contains requirements for "Business Associate Agreements." These are agreements between certain third parties and covered entities intended to ensure the privacy of any protected health information that is disclosed to or utilized by third parties on behalf of the covered entity, under certain circumstances. Business Associate Agreements must establish permitted uses of Protected Health Information (PHI) and must contain provisions ensuring that a third party business entity will employ appropriate safeguards to prevent use or disclosure of this information except as authorized by the agreement. Corporate and business entities should enter into agreements that contain the appropriate provisions to ensure that third parties performing certain functions on the covered entity’s behalf employ the necessary and required safeguards. As the law does not reach third parties directly, covered entities will be charged with obtaining "satisfactory assurances" from certain third parties that disclosure and use of protected information fall within the regulatory parameters.
Similarly, the Proposed Security Regulation requires covered entities to maintain agreements—Chain of Trust Agreements—to ensure the security of protected information exchanged electronically. These agreements are intended to ensure that information remains secure at every point of an electronic transmission. Accordingly, the covered entity must be satisfied that the third parties involved in electronic information exchange are employing adequate, appropriate, and necessary technical, physical, and administrative measures. Information in this format must be encrypted or protected in some manner to prevent inadvertent disclosure and thus exposure to liability by the third party or the covered entity itself. Moreover, agreements must address reporting procedures in the event that protected information is used or disclosed inappropriately.
HIPAA: A Process Not an Act
Covered entities have already overcome enormous budgetary and operational challenges in the HIPAA implementation process. However, HIPAA should not be construed as a series of deadlines, but rather as a process. Many still believe that HIPAA is a deadline or a need for compliance; such is not the case. HIPAA has taken on a life of its own, so to speak, in relation to the ramifications for revolutionizing patient information. HIPAA is now recognized by most individuals and entities in the health care field as a pervading framework influencing the entire health care culture. The health care industry is beginning to view HIPAA as a universally accepted standard for health care, rather than simply "another governmental regulation." As we move forward during this fast-changing, if not tumultuous, period, we are expanding the "HIPAA culture" concept beyond organizational focus on compliance deadlines. One need only search the Internet, which readily yields hundreds, if not thousands, of websites that detail how industry organizations are addressing the ongoing challenge of maintaining HIPAA-compliant cultures as they respond to new initiatives and opportunities.
Furthermore, HIPAA compliance itself will continue to require ongoing updating and monitoring. Many entities seek to expand HIPAA to applications such as transactions and code sets (TCS), with the promise of a succession of new standards to further simplify health care business processes. More importantly, we have yet to fully appreciate the overall impact of privacy violations and threats on consumers. As of April 2003, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) reported over 6,000 formal complaints had been filed. What remains to be seen is what, if any, punitive measures will be taken for failure to comply with HIPAA regulations. Although fines and possible imprisonment may occur, little information has been made available in regard to the prosecution of these offenses.
Future Initiatives Having HIPAA Implications
A variety of upcoming initiatives in health care will be affected by HIPAA. Examples of these initiatives include development of unique patient identifiers, patient safety strategies, the Health Alert Network, personal health record technologies, and consumer driven health plans. The implications of HIPAA regulations for each of these areas will be discussed below.
Unique Patient Identifiers
The HIPAA standard transaction for "electronic health care claims attachment" presents huge ramifications for the capture and protection of clinical documentation in accordance with major HIPAA rules. Seen as the next HIPAA "opportunity," the electronic claims attachment transaction offers a bridge between administrative and clinical records; and is viewed as a major milestone toward a true electronic record. What is also needed is what is known as a "Unique Patient Identifier." Although mandated by HIPAA Administrative Simplification legislation in 1996, the national patient identifier was placed on hold by Congress several years ago because of the complexity of its implementation. Over the last two years, a committee of the Institute of Medicine urged legislators to revisit the issue. The committee maintained that the lack of universal patient IDs could hamper realization of administrative simplification and adversely affect patient safety (HIPAAdvisory, n.d.). The concept of a universal electronic health record for all Americans includes some manner of uniquely identifying individual patients. In spite of the fact that DHHS has no current plans to pursue development of this HIPAA-mandated data element, the issue of a unique patient identifier will likely continue to elicit controversy.
A primary and ubiquitous health care initiative is patient safety. Improvement of patient safety has been a major topic on organizational agendas for years. Many facets of patient safety involve the capture of patient data to both monitor and research key indicators related to patient care. Since much of this data includes private health information, its use will need to address HIPAA privacy and security compliance, along with issues related to standardized coding and reporting formats. It is realistic to expect that HIPAA-related assessment and implementation tasks will be necessary for years to come as we develop more extensive and aggressive patient safety measures across the industry. Some exciting and far-reaching examples include the following:
- In an article for HealthLeaders magazine, medical errors expert Robert Wachter, MD, called for the establishment of information technology that provides universal access to standardized patient information so that all practitioners providing care to a patient are on the same page (Olsen, 2004).
- In its recently released set of Informational Standards for Patient Safety, the Utilization Review Accreditation Commission (URAC), of the American Accreditation Health Care Commission, recommended using "patient safety features of automated tracking and decision support tools" (URAC, n.d., p. 2) to identify and analyze actual (or potential) medical errors.
- The National Coordinating Council for Medication Error Reporting and Prevention (NCC MERP) (National Coordinating Council, 2003), which includes many of the industry leaders, is mounting a nationwide campaign for medication error reporting and prevention. Although not focused specifically on technology-based solutions, the Council recognizes that "for error reporting systems to be effective, they must be non-punitive, provide appropriate confidentiality and legal protections, and facilitate learning about errors and their solutions" (paragraph 4).
Health Alert Network
Since 9/11, terrorism, biological warfare, emergency preparedness, and homeland security have climbed to the top of the country's "hot topics" list. These concerns are bringing health-related issues and new initiatives to the forefront. Integrating the HIPAA regulations (both current and new) into these areas of concern presents overwhelming challenges for the health care industry. Medical records can also be construed as a sword or shield for those seeking the information. Unscrupulous individuals who could gain access could also obtain information for identity theft purposes. Yet by the same token, this information could be readily accessed to manage a patient’s care in a streamlined manner.
The Centers for Disease Control has proposed and implemented an initiative to establish a network to promote communication of health and related information during an emergency. The mission of this Health Alert Network is to "ensure that each community has rapid and timely access to emergent health information; an army of highly-trained professional personnel; and evidence-based practices and procedures for effective public health preparedness, response, and service on a 24/7 basis" (USDHHS, n.d., paragraph 1). This far-reaching initiative has significant ramifications relative to HIPAA. The current regulations cite a number of specific circumstances when covered entities are required to submit/report PHI (protected health information) for "national security" purposes. It is assumed that the establishment of a Health Alert Network would fall under the HIPAA privacy standard for "uses and disclosures for specialized government functions" (45 C.F.R. §164.512(k)); yet covered entities will likely need to expand their policies and their practices in order to address the mandates for reporting information to the network.
It is noteworthy that the basic tenets of HIPAA, namely standardization and security of health information, are also essential criteria for homeland security. In order for homeland security processes to function smoothly, appropriate access to personal information is necessary and, in certain circumstances, will involve PHI covered by HIPAA. Covered entities must ensure that HIPAA practices already in place will be responsive to any homeland security initiatives. During times of crisis, it is essential that medical practitioners have access to health information in order to treat patients effectively and safely. It is also essential that the security of that same health information is maintained to protect it from access by terrorist forces.
Personal Health Record Technologies
According to The Informatics Review (Sittig, 1999-2000), personal health records (PHRs) include "any Internet-accessible application that enables a patient (or care provider for a patient, e.g., the 'mom and dad') to create, review, annotate, or maintain a record of any aspect(s) of one’s health condition, medications, medical problems, allergies, vaccination history, visit history, or communications with their health care providers" (paragraph 1). There are numerous commercial ventures offering the consumer options for maintaining a personal health record on the internet. This current trend in health care opens the door for both innovative technologies in health care record-keeping, as well as potential risks for the confidentiality of patient information.
One example of a PHR is the American Health Information Management Association (AHIMA)-sponsored website for personal health tracking (AHIMA, 2005), which provides a clear statement on PHR and definitions about HIPAA, confidentiality, and the patient's rights with respect to his/her health information. It also provides links to many of the agencies who govern or support electronic health information.
Disclosure of this information may run the risk of inadvertent or negligent dissemination of information. Obviously, PHR information in this format must be strictly guarded and its use limited to those covered entities and third parties who have the means to safeguard the information. Nurses may be the access point to obtain the information for the patient or third parties. Care must be taken by health care providers to safeguard this information no matter how innocuous the circumstances.
Consumer Driven Health Plans
Consumer Driven Health Plans (CDHPs) are health benefits plans that offer their members a role in choosing their own health care providers and managing their own health expenses. All over the nation, benefits companies are offering consumers the opportunity to be in charge of their own health care delivery (Consumer driven health, 2003).
The implications of this concept are staggering. CDHPs would essentially revolutionize insurance coverage and health care delivery. Many view CDHPs as a positive health care innovation, offering reduced costs and improvements in patient care, but others are equally correct in their concern regarding the challenges related to implementation and the accompanying information privacy and security threats. Since CDHPs would be considered covered entities under HIPAA, it is improperly presumed that privacy and security practices would already exist within the payer organizations offering CDHPs. As discussed in this article, many entities are playing "catch up" or have failed to implement many of the major initiatives of HIPAA. Therefore a guarded approach must be taken.
The original purposes of the HIPAA Act (P.L. 104-191, 1996) were to limit denial of insurance coverage to employees with preexisting conditions and to protect the health care privacy rights of all Americans. However, it may be that HIPAA has not lived up to the high expectations of our legislators and lobbyists in regard to protection of health care privacy rights. A decade ago no one anticipated the Internet boom, which has created significant ramifications for all data, including private health care records. Thus the past several years of HIPAA enactment beg the question as to whether HIPAA has really protected our personal health information, or whether this information has been put on a database where any computer-savvy hacker can find it.
Although HIPAA was a noble effort and the first of its kind, the primary purpose of the act has yet to be enforced. In October 2002, six years after the Act was passed, medical health care facilities were still found in violation of HIPAA’s Title II Privacy Rule. HIPAA does have enormous potential, if properly enforced. Until this happens, the Health Insurance Portability and Accountability Act of 1996 will remain as just one more unachievable, HIPAAthetical Federal goal.
Although the health care industry has spent extensive time and money implementing the privacy regulations, the general population of patients is confused about their actual rights and many (or at least some) health care workers see HIPAA privacy compliance as frivolous and comply to varying degrees. As patient advocates, it is our duty to provide the accurate information and appropriate reassurances to ensure continuity of care and compliance with HIPAA standards. HIPAA is an inter-industry economic issue. As the health care field begins to implement Administrative Simplification, and as claims payment becomes more efficient, access to more streamlined information will also increase the security risk of mismanaging this information. The burden of maintaining security of protected health information should be shared across industry lines ultimately to protect those who are most vulnerable: our patients. To maintain this privacy, personnel in covered entities will need to continue to recognize and accept the new way of work HIPAA has introduced into our lives.
Table 1. C.F.R. Title 45 Regulations (only the first entry of the table survives on this page)
45 C.F.R. § 160.103
Joe A. Flores, RN, MSN, CCRN, FNP, JD
Joe A. Flores, a trial attorney, has been a registered nurse for 17 years and an advanced practice nurse for the past 7 years. He serves as general counsel for several health care entities and has authored various health care law articles. He also lectures nationally on medical-legal issues related to nursing care. Mr. Flores practices in Houston and Corpus Christi, Texas. His areas of practices include health care law, medical malpractice, nursing home negligence, pharmaceutical product liability, and general civil litigation.
Andrea Dodier, Paralegal
Andrea Dodier is the Chief Legal Assistant for the Law Offices of Joe A. Flores. Her areas of practice as a paralegal include health care law, administrative law, nursing home abuse law, and general civil litigation. Ms. Dodier resides with her family in Portland, Texas.
Article published May 31, 2005
American Health Information Management Association (AHIMA). (2005). My PHR. Personal health record. A guide to understanding and managing your personal health information. Retrieved May 24, 2005 from www.myphr.com/.
Code of Federal Regulations (C.F.R.). (n.d.) Title 45. Public welfare. Subtitle A – Department of Health and Human Services. Part 164. Security and privacy. Retrieved May 24, 2005 from www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html.
Consumer driven health plans (CDHPs). (2003). Retrieved May 18, 2005 from www.consumerdrivenhealthplans.us/.
Federal Register. (2000a, December 28). 65 Federal Register 82660. Retrieved May 24, 2005 from www.njha.com/hipaa_section/pdf/Pages82611-82660.pdf.
Federal Register. (2000b, December 28). 65 Federal Register 82518. Retrieved May 24, 2005 from www.njha.com/hipaa_section/pdf/Pages82511-82560.pdf.
HIPAAdvisory. (n.d.). December 2003 news archives. Retrieved May 24, 2005 from www.hipaadvisory.com/news/NewsArchives/2003/dec03.htm.
National Coordinating Council for Medication Error Reporting and Prevention. (2003). Press releases. NCC MERP supports principles for patient safety reporting programs. Retrieved May 24, 2005 from www.nccmerp.org/press/press2003-11-25.html.
Olsen, K. (2004). Robert Wachter: The word on medical mistakes. News features. Health Leaders Speak Out. Retrieved May 24, 2005 from www.healthleaders.com/news/feature57663.html.
Sittig, D.F. (1999-2000). Informatics review. Personal health records on the internet. The Informatics Review. Retrieved May 24, 2005 from www.informatics-review.com/records.html.
URAC draft informational patient safety standards. (n.d.). Retrieved May 24, 2005 from www.urac.org/documents/modelpatientsafetystandards060704drft_001.pdf.
U.S. Department of Health and Human Services, Centers for Disease Control and Prevention (n.d.). Health alert network. Retrieved May 24, 2005 from www.phppo.cdc.gov/han/Index.asp.