
E-Newsletter

January 2002

The New HIPAA Privacy Rule

The federal government has recently established new Health Insurance Portability and Accountability Act (HIPAA) privacy regulations which impose significant new duties on employers whose personnel files may contain employee medical data. The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) promulgated by the Department of Health and Human Services (DHHS) became effective on April 14, 2001. Larger health plans and health care providers must comply with the Privacy Rule by April 14, 2003, while smaller health plans will have a full three years, until April 14, 2004, to comply. The Privacy Rule, for the first time, creates national standards to protect individuals' medical records and other personal health information, including:

  • Giving patients more control over their health information;
  • Setting boundaries on the use and release of health records;
  • Establishing appropriate safeguards that health care providers and others must achieve to protect the privacy of health information; and
  • Holding violators accountable with civil and criminal penalties that can be imposed if patients' privacy rights are violated.

For patients, it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used. The Privacy Rule:

  • Enables patients to find out how their information may be used and what disclosures of their information have been made.
  • Limits release of information to those who reasonably need to know.
  • Gives patients the right to examine and obtain a copy of their own health records and request corrections.

This Privacy Rule covers health plans, health care clearinghouses, employers who administer their own plans and those health care providers who conduct certain financial and administrative transactions electronically, such as electronic billing and fund transfers. These entities are bound by the new privacy standards even if they contract with others to perform some of their essential functions. The law does not give the DHHS the authority to regulate other types of private businesses or public agencies through this regulation. For example, the DHHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.

For the average health care provider or health plan, the Privacy Rule requires activities such as:

  • Providing information to patients about their privacy rights and how their information can be used.
  • Adopting clear privacy procedures for its practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that the records are not readily available to those who do not need them.

To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more appropriate means of safeguarding protected health information than would any single standard. For example:

  • The privacy office at a small physician practice may be the office manager who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position and may have the regular support and advice of a privacy staff or board.
  • The training requirement may be satisfied by a small physician practice providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
  • The policies and procedures of small providers may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Congress authorized DHHS to make appropriate modifications in the first year after the final rule took effect in order to ensure the rule could be properly implemented in the real world. These regulations are complex and subject to change between now and the compliance date as DHHS continues to identify errors and unintended consequences of the current regulation. Covered entities should, however, begin the process of implementing the privacy standards in order to meet their compliance dates.

For more information about privacy, HIPAA and other employment law issues, call Krukowski & Costello, S.C. at (414) 423-1330, or e-mail educational services.




© Krukowski & Costello, 2010 Disclaimer: Krukowski & Costello, S.C., presents this information for educational purposes only. While this information is about legal issues, it is not legal advice. For legal advice about specific legal cases, consult your attorney, or call (414) 423-1330 and ask to speak to an attorney at Krukowski & Costello, S.C.
