Unique Opportunities The Physician’s Resource
   Legal matters

Joined at the HIP(AA)
In honor of the first anniversary of the HIPAA Privacy Rule, it’s time
to remember the key elements of compliance and review the federal
government’s efforts to ensure compliance. Plus, physicians share
stories about how the Privacy Rule affects their practices.

By Bruce D. Armon and Julia Draznin Maltzman, MD      Published May/June 2004

Happy Anniversary, HIPAA Privacy Rule! April 14, 2004 marked the first anniversary of the long-delayed and still-too-often misunderstood Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”).
     For those of you who celebrate with “modern” anniversary gifts, buy yourself a clock to remember the time you spent preparing for the Privacy Rule (hopefully) and how much time you and your colleagues and staff are saving (hopefully) by knowing the answers to most of the Privacy Rule questions your patients are likely to ask and have already asked. If you are the “traditional” type, buy some paper and remind yourself that the protections in the Privacy Rule apply to protected health information that is transmitted or maintained on paper or any other medium.
     One general surgery practice in Northern Virginia was neither modern nor traditional in its approach to celebrate compliance with the Privacy Rule—it spent several thousand dollars on a state-of-the-art paper shredder. While a paper shredder makes a nice gift, it is not a required purchase for every physician practice in order to be compliant with the Privacy Rule.
     Most physician employment contracts now include a provision that the physician comply with all rules and requirements of the employer, including the policies related to compliance with the Privacy Rule. More often than not, the contract provides that a breach of any provision of the employment agreement constitutes grounds for termination. Even if you have never heard of the Privacy Rule, you likely have a contractual obligation to understand what you can and cannot do.

Key compliance issues
The Privacy Rule introduced a lexicon of new terms:  ‘covered entity,’ the aforementioned ‘protected health information,’ ‘Notice of Privacy Practices,’ ‘Privacy Rule authorization and consent,’ and ‘business associate,’ to name a few.
     Assuming that you (or your practice/employer) are a covered entity, there is an obligation to comply with the requirements of the Privacy Rule. The first time a patient comes to your office after April 14, 2003, the practice must present a Notice of Privacy Practices for the patient to review, and attempt to obtain the patient’s acknowledgment of receipt (not awareness or understanding) of the practice’s uses and disclosures of protected health information and the individual’s rights with regard to such information. Now that a year has passed, some practices may believe there is a need to update their Notice of Privacy Practices. The Privacy Rule requires the covered entity to distribute the Notice whenever there is a material change to it. As more practices take advantage of the benefits of the Internet to advertise their services and their employed physicians, keep in mind that the Privacy Rule requires the covered entity to post the Notice on its Internet site as well if the Web site provides information about its customer services or benefits.
     You may be relieved to know that a copy of the Notice or the acknowledgment does not have to stay in the patient’s medical file. A hematologist-oncologist with a large academic medical center was concerned that she could not find any Notice or acknowledgment in her patients’ files. Upon further investigation, she learned that a decision had been made to keep all acknowledgments in a different location for ease of access and to save precious file space for clinical records. It’s still a good idea to confirm with your employer that each new patient has signed an acknowledgment of receipt of the practice’s Notice of Privacy Practices.
     The administrative requirements of the Privacy Rule have, according to physicians with whom we spoke, had the biggest upfront cost in both real dollars and time. The Privacy Rule requires a covered entity to designate a privacy official who is responsible for the development and implementation of necessary policies and procedures and training all members of the covered entity’s work force (including physicians) with regard to the Privacy Rule. Every new employee is required to be trained within a “reasonable period of time” after the individual begins working for the covered entity.
     A covered entity must have in place “appropriate” administrative, technical, and physical safeguards to protect the privacy of protected health information. For some practices, this has resulted in office modifications (note:  physical alterations are not required by the Privacy Rule), upgrades in billing and transcription services, and changes to the office’s record and chart-keeping techniques.
     One consequence of the Privacy Rule is that physicians and office staff have a greater sensitivity to where and how they disclose a patient’s protected health information. The Privacy Rule recognizes that “incidental exposures” of protected health information may occur. A physician with staff privileges at a large hospital noted that one of the biggest issues that organization had confronted with regard to Privacy Rule implementation was whether the pharmaceutical sales representative who sponsors the physicians’ lunch is allowed to stay in the room during the noon conference. The medical staff administrator decided that the representative could not remain in the room because there were frequent and direct disclosures of protected health information when discussing appropriate clinical care.
     A physician practice in suburban Philadelphia has been sending new patients a letter asking them to provide the practice with the name(s) and relationship(s) of the individuals with whom the practice may discuss the patient’s condition. This helps to eliminate the problem of the never-before-heard-of “Aunt Mary” or “Cousin Joe” who insists, despite the Privacy Rule, that they be told every detail of the patient’s condition. It also helps to avoid the physician getting stuck in the middle of intra-family squabbles, strained relationships, or divorces.
     An oncologist noted one downside to the reduction in the use of patients’ names. He said that many patients who are being treated for cancer develop close friendships with other patients and/or families going through a similar experience. Some oncology practices have limited the use of a person’s name in the waiting room and this has resulted in patients being less interactive with one another while waiting for treatment. Consequently, the oncologist believes the Privacy Rule may undermine an important support group for the cancer patient.
     Clinical research investigators have voiced their concerns about the Privacy Rule and potential obstacles to research initiatives. For example, physicians have raised concerns that the additional requirements the Privacy Rule has placed on institutions have resulted in costly delays in ongoing research studies. Plus, the administrative demands can result in difficult staffing dilemmas that adversely affect researchers operating within a limited budget. Finally, physicians who want to conduct research in multiple institutions simultaneously must be cognizant of Privacy Rule obligations.
     Unlike most federal provisions, the Privacy Rule creates a “floor” rather than a “ceiling” and any provision in a state law that is more stringent than the Privacy Rule remains in effect. For instance, California has a statutory provision requiring that a patient’s authorization be printed in a certain font size and that has been interpreted to be more stringent than the federal Privacy Rule. The state rule therefore applies to covered entities in California. A covered entity that practices in multiple states must be aware that they may have different requirements depending on their location.
     Covered entities must stay apprised of ongoing Privacy Rule regulatory requirements. Any new engagement with a third party could trigger a ‘business associate’ relationship that must be addressed. Patients have delineated rights with respect to the access, amendment, and accounting of the uses and disclosures of their protected health information. In addition to training its staff with regard to provisions of the Privacy Rule, a covered entity must develop Privacy Rule policies and procedures and have a complaint process for people who do not agree with the entity’s policies and procedures or compliance with the Rule.
     The complaint process (which also must be disclosed in the covered entity’s Notice of Privacy Practices) is the most likely route to triggering a federal investigation of a covered entity’s purported violation of the Privacy Rule.

Federal enforcement
The Privacy Rule does not provide a private cause of action. In other words, an individual cannot file a federal lawsuit against a covered entity for an alleged violation of the Privacy Rule. An individual’s only federal recourse is to complain to the covered entity or file a complaint with the Office of Civil Rights (OCR)—the division within the U.S. Department of Health and Human Services charged with enforcing the Privacy Rule.
     As of the end of calendar year 2003, OCR reported it had received 3,745 complaints from individuals regarding a covered entity’s practices relative to the Privacy Rule. Approximately 40 percent of the complaints have been closed—most often because the complaint took place before the effective date of the Privacy Rule or against entities not within the jurisdiction of the Privacy Rule. OCR notes the legitimate Privacy Rule complaints largely fall within three categories:  impermissible disclosure of protected health information, lack of physical safeguards for protected health information (e.g., persons in a physician’s waiting room can see patient files at the reception desk), and inappropriate accessing of protected health information.
     As of January 2004, OCR had not sought civil monetary penalties or other official sanctions against covered entities. This is apparently because the entities approached by OCR regarding a complaint have been cooperative.
    OCR has included on its Web page information related to the Privacy Rule, including a list of over 200 frequently asked questions with responses from OCR. This information is on line at www.hhs.gov/ocr/hipaa/

A lifetime of happiness?
Obviously, the health-care delivery system has not crumbled under the weight of the Privacy Rule after one year’s time. While the Rule may not be exactly a match made in heaven with every physician, it is not practical for a covered entity to quickly and relatively painlessly divorce themselves from the Privacy Rule (unlike some high-profile celebrities). Based on client feedback and professional interactions, it appears to us that the Privacy Rule has not been nearly as difficult for physicians to cope with as the problems of tort reform and adequate third-party payer reimbursements. However, the Privacy Rule is another unfunded federal mandate requiring physicians to prepare for and now maintain ongoing compliance. Do not expect the federal government to send you a place setting of china (modern gift) or a cotton (traditional gift) shirt with OCR’s insignia when the second anniversary of the Privacy Rule arrives in April 2005…or, for that matter, a fancy paper shredder. But you can bet the Privacy Rule still will be in your life as long as you remain a covered entity. In addition to the Privacy Rule and the Transaction and Code Set Standards, the federal government is giving all covered entities a new gift next year—required compliance with the HIPAA Security Rule as of April 21, 2005.


Bruce D. Armon practices health-care corporate law for Saul Ewing LLP and can be reached at barmon@saul.com. Julia Draznin Maltzman, MD is an attending physician at the University of Pennsylvania and can be reached at jdraznin@oncolink.com.




© 2004 UO Inc.      www.uoworks.com      800-888-2047