New Privacy Rules Have Major Impact on Handling of Personal Medical Information
By Jeff Rosen
In 1996, with the passage of the Health Insurance Portability and Accountability
Act (HIPAA), the federal government took the lead in drafting rules to govern
the secure transmission and storage of electronic health records. Final rules
were issued by HHS on December 20, 2000, and the privacy rules have been phased
in over a two-year period. Most covered health care entities must be in compliance
with the privacy rules within two years.
These regulations have forced changes in the handling of medical records.
The rules cover all health information created or received by health care
providers, health plans, public health authorities, employers, life insurers,
schools, or health clearinghouses. They apply to both oral and written communications,
and include information related to the payment for health care as well as
medical records themselves.
To comply with HIPAA, a covered entity is required to obtain "satisfactory
assurances" from its business associates that the individual health care data
it receives or accesses is properly safeguarded. Effective April 14, 2003,
certain entities must comply with the new HIPAA-required privacy regulations
(Privacy Rule). Its purpose is to ensure that "covered entities" use, disclose
and request only the minimal amount of health information necessary. The Rule
covers any health information, electronic, written or otherwise, that can
be identified to an individual.
The Rule applies only to three types of "covered entities": health plans,
health care clearinghouses, and health care providers that electronically
transmit health data under certain methods. The definitions are complex, and
there are exceptions. For example, group health plans with fewer than 50 participants
that are administered solely by the employer are not "covered entities" and are
exempt from the Privacy Rule. Consult your lawyer if you are not sure whether
the Rule applies to you.
The Rule protects information in two basic ways. It requires employers to educate
their workforces and set up protection policies, and it sets out the circumstances
in which entities can use health data, such as for their own records and the treatment
of patients, and for "national priority" reasons such as organ donation and law
enforcement. Some uses of data, such as marketing, require patient authorization.
Organizations can use health data more freely if all individually identifying
information is first removed. Regarding protection policies, the Rule gives
entities leeway to form their own procedures. These should include basic steps
such as restricting data access and formally designating someone to carry
out the policies. The Privacy Rule contains penalties for not complying.
More information about HIPAA can be found at http://www.hhs.gov/ocr/hipaa.