Official Publication of the Minnesota State Bar Association


Vol. 59, No. 5 | May/June 2002

Some Things Old, Some Things New: The HIPAA Health Information Privacy Regulations
By Mary K. Martin

Between now and April 14, 2003, as individuals, we will receive a flurry of privacy notices from our health care providers and insurers, similar to the privacy notices we’ve received from banks and financial institutions in the recent past. As lawyers, we will be advising health care clients and non-health care clients on a variety of privacy topics. The reason? The new health information privacy regulations adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This law and its regulations give patients a variety of new rights relating to their medical records, and require that: 1) health care providers, health plans and clearinghouses (“covered entities”) distribute notices describing their privacy practices relating to patient health care information; 2) covered entities have HIPAA policies and procedures by that date; and 3) lawyers and others who receive Individually Identifiable Health Information (“IIHI”) in the course of business sign “business associate agreements” to ensure that subcontractors comply with the HIPAA privacy regulations. Also of interest to lawyers practicing in a variety of settings is a requirement that before IIHI may be released in a judicial proceeding, the patient will either need to be notified or a request must be made for a protective order.

The rules are lengthy, complex and controversial. The Department of Health and Human Services (“HHS”) published proposed amendments to the rules on March 25, 2002, and the rules are being challenged in court. The full text (about 1000 pages, should you decide to print it all) is available at http://aspe.os.dhhs.gov/admnsimp. The Minnesota Department of Human Services also has material about HIPAA compliance on its web site at http://www.dhs.state.mn.us/hippa.

This article provides a brief overview of the HIPAA privacy regulations (assuming adoption of the March 25 proposals substantially as published) and their relationship to existing law in Minnesota. This article is by no means exhaustive; the reader will need to refer to the regulations themselves to answer specific or complex questions.

Background. Published on December 20, 2000, in the waning days of the Clinton administration, and basically affirmed by the Bush administration, the privacy regulations impose for the first time a uniform federal privacy standard regarding the collection, storage and dissemination of individually identifiable health information. The HIPAA privacy rules are part of a larger group of regulations authorized under HIPAA. This group of regulations includes rules governing electronic data interchange (EDI) for health information. The compliance date for the EDI rules has been extended to October 16, 2003, but only if the covered entity files a Compliance Plan on or before October 16, 2003. The extension form and more information on the EDI rules are available at http://www.cms.gov/hippa/hippa2/default.asp.

HIPAA provides a sweeping new set of federal patient rights, an area previously regulated primarily at the state level. In some cases, the existing laws already provide greater privacy protections for consumers, and HIPAA says specifically that the law that provides greater privacy protections to the subject of the health care record will control. But in other cases, HIPAA conflicts with existing privacy laws, and covered entities and their lawyers must decide which provision provides the greater privacy protection.

One area where the new federal regulations will need to be examined carefully in conjunction with existing state requirements is the area of “social responsibility” disclosures. HIPAA specifically permits a variety of disclosures without the patient’s consent. They include disclosures to report child abuse or abuse, disclosures to licensing agencies, disclosures in the interest of national security, disclosures for litigation purposes, and certain disclosures to law enforcement.

The HIPAA Requirements

In effect now, but not scheduled to be enforced until April 14, 2003, the regulations require covered entities to assess their current privacy and security practices, to modify their privacy and security practices to come into compliance, and to adopt a significant number of policies and procedures governing privacy.

There are fines and civil and criminal penalties for failing to comply with the new regulations. These include civil fines of up to $100 per violation, to a maximum of $25,000 per calendar year, and three levels of criminal penalties ranging from $50,000 and up to one year in jail to $250,000 and 10 years in jail. The Department of Health and Human Services Office of Civil Rights is authorized to enforce the regulations on a complaint basis.

Covered entities will need to take at least six actions to comply with HIPAA.

1. Appoint a Privacy Officer. The Privacy Officer is in charge of overseeing the compliance effort.

2. Assess privacy and security practices, and develop appropriate administrative, technical and physical safeguards. This will include a review of policies and practices regarding electronic records and communications, paper records, and verbal communications.

The safeguards must be developed with an eye to the standard of “minimum necessary” disclosure. The policies and procedures must limit disclosure to the minimum necessary to achieve the purpose of the disclosure. Specifically, covered entities must consider minimum necessary disclosures for internal use (such as internal billing), for external disclosures, whether routine (such as disclosures by providers to payors to obtain payment) or not (such as subpoenas or court orders). Covered entities must also adopt policies and procedures to verify the identity of persons who request disclosure.

3. Develop and distribute a “Privacy Notice”. The Privacy Notice must be distributed to current patients by April 14, 2003, and to new patients after that date. The Privacy Notice describes situations in which the patient’s information may be released without the patient’s consent, and must describe the patient’s rights concerning his or her health information. Patients have five such rights under HIPAA - the rights to:

  • review and copy their records;
  • request amendments;
  • request an accounting of disclosures made;
  • ask the covered entity to communicate in a specific way or place; and
  • request limited internal access to their records.

Covered entities must have policies and procedures that let patients exercise these rights.

The most significant change in the March 25 amendments is to drop a requirement that covered entities obtain consent to disclosure, and require instead that the covered entity make reasonable efforts to obtain the patient’s signed acknowledgment of receipt of the Privacy Notice.

4. Develop a privacy complaint process and anti-retaliation policy. Covered entities must have a procedure to accept and investigate complaints about health information privacy, and prohibit retaliation against patients or employees who raise privacy issues.

5. Train workers in HIPAA privacy issues. All existing employees must be trained by April 14, 2003, and all new employees after that during their orientation. Covered entities should keep documentation of the training to prove compliance.

6. Develop and sign Business Associate Agreements with vendors. HIPAA requires covered entities to protect the privacy of IIHI by entering into “Business Associate Agreements” with vendors who must have access to IIHI in order to perform services for the covered entity. The business associate agreement in effect extends HIPAA’s requirements to non-covered entities by contract. The March 25 proposed amendments contain a sample business associate agreement and extend the compliance date for business associate agreements from April 14, 2003 to April 14, 2004.

Beyond these six actions, covered entities face the task of coordinating what they must do under HIPAA and under existing state and federal privacy regulations. More precisely, lawyers advising clients face that task. Among other obligations to be harmonized are:

  • the Minnesota Medical Records Act (“MMRA”) which generally governs health records of licensed professionals;
  • the Minnesota Patient Bill of Rights and Home Care Bill of Rights, Minn. Stat. § 144.651 and 144A.44;
  • the Minnesota Government Data Practices Act (“MGDPA”), which governs health care data collected by or under contract with government agencies or payors; and
  • the current federal regulations concerning the confidentiality of drug and alcohol treatment records.

The task of finding a way to comply with all of these that may apply in a given situation is not simple. A 5-by-13 chart comparing the requirements of HIPAA and these four laws in thirteen key areas is available with the web version of this article at the MSBA’s website. What follows are just some highlights.


Medical Records Act, Minn. Stat. § 144.335

Who is covered? The Minnesota Medical Records Act (MMRA) applies to medical records created or maintained by providers such as medical doctors, physician’s assistants, psychologists, unlicensed mental health practitioners, licensed home care providers, and facilities licensed by the Minnesota Department of Health (such as hospitals, nursing homes, boarding care facilities and supervised living facilities). Note that licensed professionals may also have professional codes of ethics that describe or limit how and when patient records may be disclosed.

Patient’s access to medical records. The MMRA requires that a provider give patients “complete and current information possessed by that provider concerning any diagnosis, treatment and prognosis . . . in terms and language the patient can reasonably be expected to understand;” and, upon written request, a copy of the “patient’s health record, including but not limited to laboratory reports, x-rays, prescriptions, and other technical information used in assessing the patient’s health conditions.”

Under the MMRA, copies of written speculation about the patient’s health conditions may be excluded from the record given to the patient. HIPAA does not have a specific exclusion for speculation, but like the MMRA, it lets a provider withhold information if the provider determines that giving the information is detrimental to the physical or mental health of the patient, or is likely to cause the patient to harm himself or another.

HIPAA specifically excludes psychotherapy notes from its definition of the health care record, but the MMRA and MGDPA (discussed below) appear to include them. Since HIPAA recognizes other laws that give greater access to the patient, it appears that psychotherapy notes would continue to be part of the medical record in Minnesota in some circumstances.

The MMRA prohibits re-release of records of other providers stored in the patient’s medical record, but HIPAA leaves it up to the provider to define what it considers to be the “medical record set.” It is not clear how “correspondence” is to be treated under state or federal law.

There are also differences in how quickly the patient’s file must be provided. The MMRA says requested records must be provided “promptly;” but HIPAA requires release within 30 days, with a 30-day extension in some circumstances.

Release of records without patient consent. The MMRA has a special provision that lets a provider give limited information to a spouse, parent, child or sibling of a patient being evaluated for or diagnosed with mental illness. There is no similar provision in HIPAA for family members other than legally appointed representatives such as guardians. Arguably, HIPAA provides greater privacy protection to the patient in this case, and probably supersedes the MMRA in such cases.

The MMRA also permits access to records by a surviving spouse and parents of a deceased patient, or “a person the patient appoints in writing as a representative,” and “parents or guardian of a minor, or a person acting as parent or guardian in the absence of” one. However, because HIPAA limits access to “legally appointed representatives,” it appears that HIPAA may require these persons - who have previously had access to records - to become a court-appointed representative in order to retain access.

Documentation of releases. If records are released without the patient’s consent, the provider must document this “in the patient’s health record.” However, the MMRA does not require keeping a log, as HIPAA does.

Notice. The MMRA requires a provider to give patients “in a clear and conspicuous manner” a written notice concerning practices and rights with respect to access to health records. This notice must include an explanation of what disclosures may be made without the patient’s written consent, and the right of the patient to have access to and copies of the patient’s health records and “other information” about the patient maintained by the provider. However, the MMRA does not require distribution of this document. Thus entities subject to both the MMRA and HIPAA will need to post a privacy policy and disseminate it to patients.

Penalties and Remedies. A violation of the MMRA may be grounds for disciplinary action of the licensed entity or professional by a licensing board. In addition, if records are negligently or intentionally released without the patient’s consent, the patient may recover compensatory damages plus costs and attorney’s fees. As discussed above, HIPAA contains no private right of action for improper release of records, but the Office of Civil Rights may seek civil penalties of up to $100 per violation, up to $25,000 a year, or criminal penalties of up to 10 years in prison and fines up to $250,000.

The Patient and Resident Bill of Rights, Minn. Stat. § 144.651, and the Home Care Bill of Rights, Minn. Stat. § 144A.44. These statutes grant extensive rights to patients in hospitals, nursing homes, other residential facilities, and persons receiving services in various community based programs, including home health care.

The Patient Bill of Rights says (subd. 16) that patients and residents “shall be assured confidential treatment of their personal and medical records, and may approve or refuse their release to any individual outside the facility.” There is an exception for “complaint investigations and inspections by the department of health, where required by third party payment contracts, or where otherwise provided by law.” This provision appears to provide broad privacy protections, but raises a question about how the patient’s right to approve or refuse release of records to someone outside the facility fits with the permitted (but not required) social responsibility disclosures of HIPAA.

The Home Care Bill of Rights (subd. 11) grants “the right to have personal, financial, and medical information kept private, and to be advised of the provider’s policies and procedures regarding disclosure of such information.” This protection extends to “personal and financial” information that is not part of the medical record set or required for billing purposes under HIPAA.

Government Data Practices Act, Minn. Stat. Chapter 13.

Who is Covered? The Minnesota Government Data Practices Act (MGDPA) protects the privacy of individual health information collected by state agencies, political subdivisions, or statewide systems, including the “welfare system.” The “welfare system” includes the department of human services, county agencies, community mental health center boards, the ombudsman for mental health and mental retardation, and “persons, agencies, institutions, organizations and other entities under contract to any of the above agencies to the extent specified in the contract.” Generally, records for services covered by state-administered healthcare programs such as Medical Assistance are subject to MGDPA and to HIPAA.

Patient’s access to medical records. Subjects of MGDPA data are entitled to receive a copy of data about them within ten days after a written request. This is a much shorter period than the 30 days permitted under HIPAA. Thus records subject to both HIPAA and MGDPA will still need to be produced within the 10 days permitted by state law, not the more generous 30 days allowed by HIPAA.

Release of the records without the consent of the patient. Health information under the data practices act may be released without the consent of the patient in some situations. These include court orders, some parties’ needs in emergencies to protect the health or safety of the person or other people, the statutory obligation to report maltreatment of a child or of a vulnerable adult, releases to “agents” of the welfare system, and some others.

By comparison, HIPAA contains a broader list of permitted “social responsibility” disclosures. These include public health purposes and law enforcement, workers compensation disclosures, and judicial and administrative proceedings. As the MGDPA does not contain as broad an exception for law enforcement or judicial proceedings, providers subject to MGDPA will not be able to provide records to law enforcement in routine investigations. However, HIPAA does impose a requirement that prior to releasing information requested in judicial proceedings, the patient either be notified of the request, or a protective order be requested. This will be a significant change in practice for many providers.

Penalties and remedies. There is a private right of enforcement under the MGDPA. Under MGDPA, a person damaged by inappropriate release of data may recover actual damages, a penalty of up to $10,000 per violation, and costs and attorney’s fees. There are criminal penalties for improper release of data covered by the act, and there is an external administrative procedure to request review of the “accuracy and completeness” of the data. HIPAA provides only an internal review process.

Federal Drug and Alcohol Treatment Records, 42 USCA § 290dd, 42 CFR 2.1 et seq.

Perhaps the most stringent existing privacy protections appear in the federal law and regulations that govern the handling of drug and alcohol treatment records. They prohibit release of such records without a specific release form; require that any records released contain a notice that they may not be re-released without an additional release; contain specific procedures about how and when they may be subpoenaed in court; and impose penalties for improper release. In most cases, the federal laws create more stringent protections, and will continue to take precedence over the more relaxed provisions of HIPAA in this area.

Conclusion

This article does not contain an exhaustive list of privacy laws and issues. It is designed only to alert the reader to expect conflicts, and to identify them as they arise. Given the various privacy laws that may apply in any particular circumstance, the lawyer should ask each of the following questions when determining the legal requirements that apply to a given client or a given set of health care records:

1. Which state and federal privacy laws apply to this covered entity?

2. Which state and federal privacy laws apply to this particular patient data?

3. Do any contractual provisions apply?

4. Is there a professional code of ethics that applies?

5. What does each applicable law require or permit?

6. If more than one law applies, which one provides greater privacy protection rights (or in some cases, greater access or patient rights)?

7. Are there any other considerations that apply?

Within such an analytical framework, the advising lawyer should be able to identify applicable privacy provisions, including conflicting provisions, and advise the client accordingly.


The author would like to thank Glenn Anderson, Esq. for his input on this article.


MARY K. MARTIN practices health and human services law in Minnesota and Wisconsin and is currently working with health care providers to develop HIPAA compliance tools.