HIPAA

Introduction. Health care privacy regulations (the "Privacy Rules" or "Rules") issued by the Department of Health and Human Services ("HHS") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") are intended to protect the privacy of a broad range of health care information.

Compliance Forms. Michael Best offers four different Compliance Forms to assist group health plans and business associates in complying with the HIPAA Privacy Rules and the HIPAA Security Rules. Please click on the appropriate link below to view an order form, license agreement and sample pages from each of the Compliance Forms.

Business Associate HIPAA Security Compliance Forms

Basic Prohibition. The Privacy Rules prohibit the use or disclosure of an individual's confidential health care information by a person subject to the Rules, except with the consent or authorization of the individual or as specifically permitted by the Rules. The Privacy Rules generally have been effective since April 14, 2003.

Who is covered by the Privacy Rules? The Privacy Rules apply directly to most if not all health care providers, third-party payers and insurers and health care clearinghouses. They also apply to a wide array of ancillary businesses, employers, and even (indirectly, through the "business associate" provisions discussed below) accountants, attorneys, consultants, and others who do work for health care providers and payers that requires access to confidential health information. Numerous employers that offer health care coverage to their employees, whether through self-funded plans or insured plans, must address new requirements and prohibitions if they seek access to the broad categories of information protected by the Privacy Rules.

"Business Associates." The Privacy Rules reach beyond the covered entities to a broader class of persons through the "business associate" provisions of the Rules. A business associate is anyone (other than a member of the covered entity's "workforce") who performs or assists with a function or activity on behalf of a covered entity that involves the receipt, creation, use or disclosure of "individually identifiable health information," or who provides legal, actuarial, accounting, consulting, or various other services to or for the covered entity that require access to individually identifiable health information. Before a covered entity may allow a business associate to handle protected health information on its behalf, that business associate must enter into an agreement that will subject it to many of the requirements of the Privacy Rules.

What information is covered by the Privacy Rules? The Privacy Rules regulate the use and disclosure of "protected health information," defined as individually identifiable health information that is transmitted or maintained in any form or medium, including electronic and paper records as well as oral statements. Individually identifiable health information includes demographic information collected from an individual.

How do the Privacy Rules protect patient confidentiality?

  • Treatment, payment and operations. For day-to-day activities, the most important Privacy Rules provisions are likely to be those allowing the use or disclosure of protected health information for treatment, payment activities, or health care operations.
  • Informal Agreement. The Privacy Rules permit some uses or disclosures of an individual's protected health information for facility directories or with persons involved in the individual's care or payment, provided that the covered entity gives the individual advance notice of these uses or disclosures and an opportunity to agree or object.
  • Authorization. Generally speaking, individuals must give specific, narrowly tailored authorizations for other uses and disclosures of their health information.
  • Use or disclosure without consent or authorization. The Privacy Rules do not require consent or authorization for uses and disclosures involving health care system oversight; public health protection; law enforcement; and a variety of other priority public purposes.
  • Minimum necessary limitation. When a covered entity or its business associate uses or discloses protected health information, or requests protected health information from another covered entity, it must employ reasonable efforts to limit the amount of protected health information it uses, discloses or requests to the minimum necessary to accomplish the purpose of the use, disclosure, or request.

What individual rights are created by the Privacy Rules? In addition to protection of health information, the Privacy Rules create individual rights, including:

  • The right to a written Notice of Privacy Practices explaining the covered entity's duties with respect to protected health information, the uses and disclosures it may make or be required to make, and the individual's rights;
  • The right to request restrictions on certain uses or disclosures of protected health information for treatment, payment or health care operations;
  • The right to receive protected health information by alternative means or at alternative locations to protect confidentiality;
  • The right to review and obtain a copy of the individual's protected health information;
  • The right to request amendments of protected health information; and
  • The right to an accounting of certain disclosures of the individual's protected health information.

Essential elements in complying with the Privacy Rules. A covered entity must:

  • Appoint a privacy officer and a contact person or office;
  • Train all its workforce members;
  • Have complaint procedures;
  • Have in place appropriate administrative, technical, and physical safeguards;
  • Implement policies and procedures; and
  • Create audit trails relating to the use and disclosure of protected health information.