HIPAA obligations create legal challenges

Listen to this article

Nancy Davis, the director of privacy for Ministry Healthcare in Sturgeon Bay, is putting in some long hours these days.

She’s bringing her employer into compliance with a new federal patient privacy regulation enacted pursuant to the Health Insurance Portability and Accountability Act, or HIPAA.

The impetus for Davis’ recent efforts is the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part the Stimulus Package. It provides that any business that comes in contact with “protected health information” must comply with HIPAA’s privacy rules.

The Office for Civil Rights of the Department of Health and Human Services issued a new, 32-page rule, 74 FR 42740, in August, and it took effect on Sept. 23.

Expanded liability for breaches

Heather L. Fields, a shareholder in the Milwaukee office of Reinhart, Boerner Van Deuren SC, characterized the new regulation as “irritatingly complicated.”

It requires health care providers, clearinghouses or health plans that are “covered entities” under HIPAA to notify affected individuals of breaches of their individually identifiable health information by them or their “business associates.”

To ease the transition for covered entities, HSS won’t enforce the rule until Feb. 10.

Claudia J. Egan, a shareholder at Von Briesen & Roper SC in Milwaukee, explained that previously problems with accountants or billing services were resolved contractually.

“What’s coming in February is the federal government is now saying, ‘If you’re an accountant, billing services provider, attorney or software company that hosts patient information, we’re going to regulate you directly.’”

A provision in the regulation requires covered entities to implement a specific set of security protocols for health information. Going forward, electronic health data must be encrypted, per the level set forth by the National Institute of Standards and Technology.

Egan noted that previously, “We had security rules, but it was left up to health care providers or plans to make their own decisions as to how much security they wanted, based on risk factors and other reasonable considerations.

“This is coming out and telling providers, ‘If you want to avoid telling people that there was a problem, you better use hard-to-break encryption. Username and passwords won’t be sufficient anymore.’”

Achieving that level will be more difficult for “data at rest.” Egan noted that some larger health care providers don’t encrypt within their servers. It can be done, but it requires refinements to both hardware and software.

There’s still exposure for paper files, noted Fields.

If a covered entity faxes protected health information to a wrong number, for example, they face liability under the new regulation.

Reg promotes greater transparency

Until Sept. 23, when consumers’ health information was accidentally disclosed, they might not have known about it.

But under the new regulation, breaches must be reported to the Department of Health and Human Services and to the individuals affected. If providers cannot locate them, they must report the violation on their Web site and to the local media. The media must also be notified if a breach affects more than 500 individuals.

Here’s where the regulation gets a little murky, according to Egan.

It’s left up to the businesses themselves to make fact-based determinations as to whether notification is necessary, based on whether there has been a “significant risk of financial, reputational, or other harm” to the patient.

“It’s a bit of a judgment call. We’re waiting to see what that turns out as,” Egan said. “As a lawyer, my guess is people who don’t want to tell will test the limits of that judgment call. Those will be the first violations.”

While covered entities can make those determinations, there’s no leeway for business associates, noted Fields. So, for example, if a cleaning person reads protected health information within a law firm’s files the firm must report it. Period.

“You can imagine that business associates are going to have to be way on their toes,” Fields observed.

Few remedies

For individuals whose information is disclosed, there’s little tangible help under the regulation.

Right now, regardless of HIPAA, they have a right to sue under state law for a breach of privacy, said Egan.

“That still stands. But, historically, it’s really hard to prove damages. It’s pretty hard unless something really drastic happens — like you get fired,” she explained.

That may change. According to Egan, the buzz in the health law community is that a proposal is supposed to be put forth by the end of 2010 requiring the government to share some of the dollars it collects in fines with the affected individuals.

“But, we don’t know any details yet,” said Egan. “And in this climate where they’re trying to capture all kinds of fraud to fund health care reform, it probably won’t be a lot of money that they give back.”

Also in the works is clarification from the Office of Civil Rights. Susan McAndrew, OCR Deputy Director for Health Information Privacy, announced that the regulation that took effect Sept. 23 was an “interim final” regulation. “Final rulemaking” is on the way.

Thumbs up or down?

Beth DeLair, an attorney with DeLair Consulting LLC in Madison, and the HIPAA Collaborative of Wisconsin president, says the new regulation creates a serious burden for healthcare providers and their business associates.

“I was a former in-house privacy officer. If I were still in that role, I’d be very concerned about the … burden it will place upon providers about processes they’ll need to put in place,” she said.

Davis takes a more positive view of the regulation.

Overall, she said, the regulation “is a good thing, although the quick implementation date is a bit of a challenge. When you work in the health care industry, realistically, it probably takes six months to get any type of new policy, or policy revision, through the entire system.

“But I still think we have to be firmer in recognizing our responsibilities to respect this information. Because as we try to convince a patient population that electronic health records are a good thing, and they’re safe and sound, that’s all undermined by these periodic stories on the national level about inappropriate access.”

Egan is concerned for her clients.

“It’s a heck of a lot of administrative work to get done in a relatively short amount of time, in a period when there are less resources due to a depressed economy,” she said. “They’re being told to spend more on processes and software. It’ll be a big challenge, and I hope they can all keep up and stay in business.”