Sign In
    Wisconsin Lawyer
    April 01, 2002

    New Federal Privacy Rules for Health Care Providers

    The new privacy rules apply to health care providers and to third-party payers, ancillary businesses, and even attorneys who have access to protected health information in order to do work for covered entities.

    Timothy Hartin

    Wisconsin LawyerWisconsin Lawyer
    Vol. 75, No. 4, April 2002

    New Federal Privacy Rules
    for Health Care Providers

    The new privacy rules apply to health care providers and to third-party payers, ancillary businesses, and even attorneys who have access to protected health information in order to do work for covered entities.

    shower curtain by Timothy A. Hartin

    Health care privacy regulations (the "privacy rules" or "rules") issued by the Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are intended to protect the privacy of a broad range of health care information.1 The privacy rules prohibit the use or disclosure of an individual's confidential health care information by health care providers and others subject to the rules, except as specifically allowed by the rules. The privacy rules have an effective date of April 14, 2001, and a compliance date for providers of April 14, 2003.

    While this article focuses on the application of the privacy rules to health care providers, the rules apply not only to providers but also to third party payers, a wide array of ancillary businesses, and even attorneys and others who have access to protected health information in order to do work for covered entities.

    The privacy rules will affect many outside of the health care community, and many attorneys who do not ordinarily practice health law will need at least some acquaintance with the privacy rules. The privacy rules are lengthy and complex, and this article only acquaints the reader with the basic structure of and issues raised by the rules for health care providers and their business associates. Numerous exceptions to and complications of many of the provisions discussed below have been omitted for reasons of length and clarity, as have many potential endnotes or other citations.

    On March 21, 2002, as this article was going to press, HHS announced that it was proposing extensive amendments to the privacy rules (referred to below as "the proposal"). The numerous technical or clarifying changes in the proposal do not appear to materially affect most of the discussion below. Of its more substantive provisions, the most salient is the elimination of the requirement that individuals give written consent to the use and disclosure of their medical information for treatment, payment activities, or health care operations. Relevant provisions of the proposal are discussed briefly below.

    The Privacy Rules' Effect on Existing Wisconsin Patient Confidentiality Laws

    The privacy rules preempt all contrary state law, except for state laws that provide greater protection for individuals.2 This means that Wisconsin patient confidentiality laws will continue in effect to the extent that they are not contrary to the privacy rules, or more restrictively control the use or disclosure of protected health information, grant individuals greater rights of access, or otherwise provide greater privacy protection than the privacy rules. Wisconsin law on licensure and certification of facilities or practitioners; establishing procedures for reporting diseases, injuries, child abuse, births, and deaths; conducting public health surveillance, investigation, or intervention; or authorizing or prohibiting disclosure about minors to their parent, guardian, or person acting in loco parentis is not preempted by the privacy rules even if it is contrary to or less protective than the privacy rules.

    The privacy rules permit the disclosure of patient information to persons involved in the patient's care based on the patient's informal, oral agreement, while Wisconsin law requires the patient's written informed consent for at least some of these disclosures. To the extent Wisconsin law is more protective of the patient's privacy rights in this situation, it is not preempted by the privacy rules.

    Information Covered by the Privacy Rules

    The privacy rules regulate the use and disclosure of "protected health information," which includes information that identifies an individual and relates to the individual's physical or mental health or condition, the provision of health care to the individual, or payment for that health care.3 Protected health information includes information that is transmitted or maintained in any form or medium, including electronic and paper records and oral statements, and includes demographic information acquired in connection with the provision of health care or payment for health care.

    The privacy rules sweep very broadly, and include not only medical records in the usual sense, but also conversations involving medical information and other documents that contain information drawn from medical records, including mailing lists. Protected health information, as defined by the privacy rules, appears to encompass and even go beyond the "patient health care records" protected by Wisconsin's patient confidentiality statute.4

    Who the Privacy Rules Cover

    The privacy rules apply directly to "covered entities," which include health plans, health care clearinghouses that translate data into and out of standard electronic formats, and health care providers that transmit health care data electronically in connection with transactions regulated by HIPAA. Very few providers will not be subject to the rules, because very few providers will be able to conduct business without triggering the privacy rules. For purposes of brevity, this article assumes that all health care providers are covered by the privacy rules.

    The privacy rules reach beyond providers to a broader class of persons through provisions that extend many of the rules' restrictions and requirements to providers' business associates.5 A business associate is anyone (other than a member of the provider's workforce) who has access to individually identifiable health information to perform a function or activity on behalf of a provider, or to provide legal or various other services for a provider. Many attorneys will be business associates of providers, and thus find themselves required by contract to comply with privacy rule restrictions on access to, use of, and further disclosure of protected health information. Many others will have clients who will need guidance and advice about the rules because such clients are business associates of a covered entity.

    Before a provider may allow a business associate to handle protected health information on its behalf, that business associate must enter into an agreement to safeguard and limit its use and disclosure of protected health information. The proposal includes model business associate agreement provisions, and gives until April 14, 2004, to incorporate business associate language into existing agreements.

    Under a business associate agreement as required by the privacy rules, a business associate:

    • may not use or disclose protected health information except as allowed by the privacy rules;
    • must report to its covered entity client any use or disclosure not allowed by the agreement;
    • must use appropriate safeguards to prevent unauthorized use or disclosure and report any unauthorized use or disclosure to its provider client;
    • must extend the business associate contract requirements to any subcontractors it may use who also have access to protected health information;
    • must facilitate individuals' rights under the privacy rules to access and amend their protected health information, and maintain the audit trails or other information needed for a disclosure accounting to individuals; and
    • must allow HHS to have access to its internal practices, books, and records as necessary to evaluate its provider client's compliance with the privacy rules.

    Wisconsin's patient confidentiality statute applies to anyone in possession of patient health care records, and so would apply to many, if not all, business associates as defined by the privacy rule.6 However, the requirements of a business associate contract go beyond the requirements imposed by Wisconsin law relating to confidentiality and patient access.

    How the Privacy Rules Protect Patient Confidentiality

    For day-to-day activities, the most important privacy rule provisions are likely to be those requiring providers to give written notice of their privacy practices and obtain the individual's written consent in order to use or disclose protected health information for treatment, payment activities, or health care operations.7 The proposal retains the requirement that providers give individuals notice of the provider's privacy practices at the first opportunity, but would make consent optional. The proposal would add a new requirement that a provider make a good faith effort to obtain a written acknowledgement that the notice was given, or document the efforts it made and why a written acknowledgement was not obtained. While the rules also require providers to obtain a specific authorization from the individual to use or disclose protected health information for other purposes, and provide some exceptions to the requirement for consent or authorization, the majority of provider activities should fall within the definitions of treatment, payment, and health care operations, and should be conducted under the auspices of the individual's consent (or, under the proposal, a notice of privacy practices).

    Wisconsin law generally requires the individual's written informed consent before patient health care records may be released, with several exceptions, including some for treatment, payment activities, and certain review activities that are treated as health care operations by the privacy rules.8 These exceptions are largely superseded by the privacy rules' requirement for written consent (or, under the proposal, notice given).

    Notice, consent and treatment, payment, and health care operations. The current version of the privacy rules requires providers to obtain written consent from individuals in order to use or disclose their protected health information for treatment, payment activities, or health care operations, with exceptions for emergencies, when treatment is legally compelled, or when there are significant communications barriers.9 The proposal allows providers to use or disclose protected health information for these purposes if they give notice of their privacy practices and make a good faith effort to obtain written acknowledgement that notice was given. Providers who intend to use and disclose for the full scope of treatment, payment, and health care operations under the privacy rules should be careful to obtain consent that satisfies the requirements of both Wisconsin law and the privacy rules, or they may find that continuing restrictions imposed by Wisconsin law limit their ability to engage in activities that are allowed by the privacy rules. So-called "indirect providers," such as pathologists, who provide care in a consulting or similar role, are not required to give notice or obtain consent.

    Once consent has been obtained (or, under the proposal, notice given), the scope of the defined terms "treatment," "payment," and "health care operations" become critical, because any use or disclosure of protected health information outside the scope of these terms requires either an additional authorization from the individual or an exception from the privacy rules. The proposal clarifies that covered entities can disclose for the treatment, payment, and some health care operations activities of another covered entity.

    "Treatment" is the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination and management of health care by a health care provider with a third party (including health plans). Treatment includes consultation among providers, nursing assistance by telephone, and referrals of individuals from one provider to another.

    Wisconsin providers generally have had access to information for treatment purposes without patient consent under an exception to the Wisconsin patient confidentiality statute. Even though the privacy rules preempt this exception, once consent is obtained (or, under the proposal, notice given), Wisconsin providers still should have good access to information needed for treatment under the broad definition of treatment and other provisions of the privacy rules intended to facilitate the exchange of information for treatment purposes.

    "Payment" includes activities to obtain or provide reimbursement for the provision of health care, including determination of eligibility or coverage, risk adjusting amounts due, billing, claims management, collection activities, medical necessity reviews, and utilization review activities. While the privacy rules preempt the Wisconsin exception from the patient confidentiality statute for payment and billing activities, a provider's ordinary billing activities should be able to continue without undue disruption once consent is obtained (or, under the proposal, notice given).

    "Health care operations" is a catch-all term that includes, among other things, quality assessment and improvement activities, performance reviews, training, licensing, credentialing, conducting or arranging for legal services, medical review and auditing functions, including fraud and abuse detection and compliance programs, business management, planning and development, general administrative activities, internal grievance resolution, and certain narrowly defined fundraising activities. With the exception of certain review activities, health care operations under the privacy rules cover a wide range of activities that either require patient consent under Wisconsin law, or may not involve patient health care records as defined, and protected, by Wisconsin law. Obtaining appropriate consent under Wisconsin law is particularly important in this area to avoid confusion and to render moot some potentially difficult legal issues.

    Authorization. Generally speaking, individuals must give specific, narrowly tailored authorizations for other uses and disclosures of their health information. Authorizations are specific and limited in scope. Treatment and payment generally cannot be conditioned upon receipt of an authorization (with some exceptions), and authorizations must have definite expiration dates.10 Providers will want to be sure that any authorization they obtain also satisfies the elements of informed consent under Wisconsin law, or they may find that Wisconsin law continues to prohibit their access to the records they need under the authorization.

    Informal agreement. The privacy rules permit some uses or disclosures of an individual's protected health information, provided that the provider gives the individual advance notice and an opportunity to agree or object.11 If the patient does not object, the provider may proceed with the use or disclosure. Under the privacy rules, the notice and opportunity to object can be done orally.

    These informal agreements allow a provider to list the patient's name, location in the facility, general medical condition, and religious affiliation in its facility directory. Providers are allowed to disclose protected health information to family members, other relatives, close personal friends, or any other person identified by the patient, as necessary for their involvement with the patient's care or payment for the patient's care.

    Wisconsin law requires written informed consent for some, but probably not all, of the disclosures permitted with informal agreement under the privacy rules. To avoid potential violations of Wisconsin law, providers should consider obtaining written informed consent for those uses and disclosures allowed with informal agreement by the privacy rules.

    Timothy A. HartinTimothy A. Hartin, Harvard 1987, is a partner in the Madison office of Michael Best & Friedrich LLP. He focuses his practice on health care law and government relations, and recently has been developing HIPAA compliance tools for use in Wisconsin and nationwide.

    Use or disclosure without consent, authorization, or informal agreement. The privacy rules do not require consent, authorization, or informal agreement for access to medical records in situations involving health care system oversight; public health protection; law enforcement; national security and intelligence; judicial and administrative proceedings; serious and imminent public health or safety threats; reports of child or adult abuse or domestic violence; reports to coroners, medical examiners, and funeral directors relating to a deceased; reports to persons or entities required to comply with Food and Drug Administration regulations; disclosures by an employed provider to the employer regarding medical surveillance of the workplace or workplace injuries; reports to worker's compensation programs as authorized by or needed to comply with law; or as required by law.12

    Before making disclosures for these public priority activities, a provider must verify the identity and authority of any person not known to it seeking the protected health information. Before providers may use or disclose confidential patient information without patient consent or authorization, they must confirm that the use or disclosure is allowed by both Wisconsin law and the privacy rules. The interactions of the exceptions to the privacy rule with similar exceptions to the Wisconsin patient confidentiality statute are complex and beyond the scope of this article.

    Minimum necessary limitation. From the standpoint of operations and compliance, the minimum necessary limitation may be one of the more difficult aspects of the privacy rules. When a provider or its business associate uses or discloses protected health information, or requests protected health information from another covered entity, it must employ reasonable efforts to limit the amount of protected health information it uses, discloses, or requests to the minimum necessary to accomplish the purpose of the use, disclosure, or request.13 The privacy rules caution against disclosure of an entire medical record without specific justification.

    The minimum necessary limitation does not apply to disclosures to or requests by a provider for purposes of treatment. However, the minimum necessary limitation applies to the use of health care information by a provider for treatment purposes. As a practical matter, this requires institutional providers to document the need for various categories of employees to have access to protected health information.

    Other exceptions to the minimum necessary limitation include disclosures to the individual to whom the information relates, uses or disclosures pursuant to an authorization requested by the individual, disclosures to HHS in its enforcement and compliance activities, or uses or disclosures required by law, including those required for compliance with the privacy rules or other HIPAA regulations. The proposal would also exempt disclosures authorized by the individual.

    The privacy rules require documentation that uses, disclosures, or requests comply with the minimum necessary limitation. At a minimum, this provision of the privacy rules promises to generate a great deal of paperwork. The extent to which it actually will restrict the flow of information remains to be seen.

    Individual Rights Created by the Privacy Rules

    In addition to protecting patient health information, the privacy rules create individual rights, including

    • the right to a written Notice of Privacy Practices explaining the provider's duties with respect to protected health information, the uses and disclosures it may make or be required to make, and the individual's rights;
    • the right to request restrictions on certain uses or disclosures of protected health information for treatment, payment, or health care operations;
    • the right to receive protected health information by alternative means or at alternative locations to protect confidentiality;
    • the right to review and obtain a copy of the individual's protected health information;
    • the right to request amendments of the protected health information held by a provider; and
    • the right to an accounting of certain disclosures of the individual's protected health information.14

    These rights are subject to exceptions and limitations that are detailed in the privacy rules. The right of access has a direct counterpart in Wisconsin law, which also provides access rights to individuals that appear somewhat broader than those provided in the privacy rules.15 Wisconsin also requires that patients be given notice of their right of access, which is considerably narrower than the notice of privacy practices required by the privacy rules.

    Administrative Requirements Imposed by the Privacy Rules

    Unlike Wisconsin's patient confidentiality law, the privacy rules impose several administrative requirements on providers.16

    Privacy officer/contact person.A provider must appoint a privacy officer responsible for developing and implementing privacy policies and procedures and a contact person or office to provide further information on its privacy practices and to receive complaints.

    Training. A provider must train all of its employees on those privacy policies and procedures necessary and appropriate for them to carry out their function by April 14, 2003. Thereafter, each new workforce member must be trained within a reasonable time after the member starts, when the provider's privacy policies and procedures change, or when the workforce member's job functions change.

    Complaints. A provider must have procedures for individuals to complain about its compliance with its privacy policies and procedures or with the privacy rules and must document each complaint and its disposition. No person can be required to waive his or her right to complain to HHS as a condition of treatment, payment, enrollment, or eligibility.

    Providers also are prohibited from intimidating or retaliating against anyone who files a complaint or assists in any investigation, compliance review, proceeding, or hearing regarding the privacy rules. These whistleblower protection provisions also extend to persons who believe in good faith that the provider's practices are unlawful in some circumstances.

    Safeguards. A provider must have in place appropriate administrative, technical, and physical safeguards to secure the privacy of protected health information against any intentional or unintentional use or disclosure in violation of its privacy policies or the privacy rules.

    Policies and procedures; documentation. While it is difficult to predict the degree to which the privacy rules actually will restrict the flow of confidential health care information, the rules clearly will generate a great deal of additional paperwork relating to that flow. Providers must draft and implement policies and procedures that will bring them into compliance with the privacy rules and must comply with the rules' extensive documentation requirements. These include documenting compliance efforts, minimum necessary limitation determinations, workforce training, the handling of complaints, and so on, as well as creating audit trails relating to the use and disclosure of protected health information.

    Conclusion and Caveats

    The privacy rules are one of several sets of regulations that HHS will issue under HIPAA. The Transaction Standards - rules regulating eight types of electronic health care financial and administrative data interchange activities - already are in final form, and their compliance date recently was extended to Oct. 16, 2003, for covered entities that file a compliance plan. Regulations establishing security standards and national provider and employer identifiers have been proposed but are not yet final. Regulations on other topics, including the controversial national individual identifiers that some fear could be the basis for national ID numbers or cards, have not yet been proposed or have been put on hold indefinitely. The validity of the privacy rules has been challenged in court. HHS has issued the proposed amendments, with the promise of more revisions to come.

    In short, the HIPAA regulations in general and the privacy rules in particular are not just sweeping and complex regulatory regimes, they also are moving targets. The health care provider and payer communities are only just beginning to come to grips with the changes and burdens - administrative and financial - that will be imposed by the privacy rules and other HIPAA mandates. Given the reach and scope of these mandates and their rapidly approaching compliance deadlines, many attorneys who are not used to thinking of themselves as health lawyers may soon find themselves grappling with the privacy rules.


    1 The Privacy Rules were published in the Federal Register on Dec. 28, 2000, and consist of 45 C.F.R. parts 160 (which contains provisions also applicable to other HIPAA regulations) and 164 (which contains the privacy rules). The preamble consists of more than 300 pages of introductory text. See 65 Fed. Reg. 82462 et. seq. (Dec. 28, 2000).

    2 45 C.F.R. part 160, subpart B.

    3 Definitions applicable to HIPAA regulations generally (such as "business associate") are found at 45 C.F.R. § 160.103. Definitions used only in the privacy rules (such as "protected health information") are found at 45 C.F.R. § 164.501.

    4 See Wis. Stat. §§ 146.81(4), .836.

    5 45 C.F.R. §§ 164.502(e), .504(e).

    6 Wis. Stat. §§ 146.82(1), .84.

    7 45 C.F.R. § 164.502(a)(1)(ii).

    8 Wis. Stat. § 146.82(1), (2)(a)1., 2., 3.

    9 45 C.F.R. § 164.506.

    10 45 C.F.R. § 164.508.

    11 45 C.F.R. § 164.510.

    12 See 45 C.F.R. § 164.512.

    13 45 C.F.R §§ 164.502(b), .514(d).

    14 See 45 C.F.R. §§ 164.504(f), .514(e)-(f), .520-28.

    15 Wis. Stat. § 146.83.

    16 See 45 C.F.R. § 164.530.

Join the conversation! Log in to comment.

News & Pubs Search

Format: MM/DD/YYYY