February 2001
Issue: Final HIPAA Privacy Rules
On December 28, 2000, the Secretary
of Health and Human Services (HHS) released
final privacy regulations relating to
the protection of patients' individually
identifiable health information as mandated
by the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). The
deadline for HIPAA Privacy compliance
will be 26 months after its publication
in the Federal Register for most Covered
Entities. How might the final HHS privacy
rules affect telemedicine practitioners?
Discussion
Under the Administrative Simplification
provision of HIPAA, HHS must adopt national
standards for administrative and financial
electronic data transactions. Additionally,
in the absence of congressional action
by August 1999, the HHS Secretary was
required to develop regulations to protect
the security and privacy of transmitted
individually identifiable health information.
The final rules differ in some important
ways from the earlier 1999 proposed rules.
WHO is covered?
- All health plans
- All health information clearinghouses
- Health care providers who engage,
directly or through contractual
arrangements, in HIPAA standard
electronic transactions.
These electronic transactions include:
computer to computer transmission
of healthcare claims, payment and remittance,
benefit information, health plan eligibility
information.
WHAT is covered?
A major difference between the Secretary's
1999 proposed privacy rules and the final
regulations is the information covered
by HIPAA. The 1999 proposed rules recommended
that regulations would not apply to information
that had never been electronically maintained
or transmitted by a covered entity.
The final rules cover all personal health
information maintained in any format,
whether electronic, paper or oral.
HOW to comply?
- Train employees about security and
designate a privacy officer.
- Develop a Trading Partner Agreement
that extends privacy protections
to third party business associates.
- Obtain patient consent for most
disclosures of protected health information.
- Provide the minimum amount of
information necessary.
HOW might HIPAA affect Telemedicine Providers?
Some Privacy issues that may uniquely
affect telemedicine practitioners include:
- State preemption of Federal laws.
HHS proposes that Federal laws preempt
state laws that are in conflict with
regulatory requirements or those that
provide less stringent privacy protections.
But those states that have more stringent
privacy laws would preempt Federal law.
Under these circumstances, telemedicine
practitioners could be faced with a
patchwork of state privacy standards.
- For example, if a specialist in
state A were teleconsulting with
physicians in states B, C and D,
which state privacy laws should
take precedence over others? What
if they conflict?
- All states have laws governing
the use and disclosure of health
information with a wide variety
of protections. The Georgetown Privacy
Project has assembled a comprehensive
summary of these state laws at:
http://www.healthprivacy.org/resources/statereports/contents.html
According to the Advanced Technology
Institute's preliminary research, using
input from OAT grantees, other privacy
concerns for telemedicine practitioners
may include:
- A need for a heightened level of concern
for patient privacy in the telemedicine
environment, especially where patient
visits are occurring in real-time.
- The potential for more complicated
informed consent requirements under
HIPAA that could inhibit obtaining the
patient consent signatures that are
necessary prior to initiating
telehealth activities.
- The presence of outsiders or non-clinical
persons in teleconsultations.
These include non-clinical technicians,
camera people, schedulers, etc., located
on either side of a telemedicine
consultation or at the site of a service
provider, either physically or via the
technology they support.
- Clinical Personnel who may not be
visible or observable by the patient
in a teleconsultation.
- Patient information that is transmitted
in electronic and physical forms on
a regular basis across organizations
and political (state and national) borders.
- Patient information routinely stored
electronically and/or physically at
each of the sites involved in the encounter,
often unintentionally, which may not be
protected by policies or procedures as
effectively as information used in
on-site encounters.
Background
Under the final privacy rules, covered
entities must protect individually identifiable
health information against deliberate
or inadvertent misuse or disclosure. Consequently,
health plans and providers must maintain
administrative and physical safeguards
to protect the confidentiality of health
information as well as protect against
unauthorized access. These entities must
inform individuals about how their health
information is used and disclosed and
ensure that they have access to their
information. Written authorization from
patients is also required for the use and
disclosure of health information for most
purposes, with the exception of health
care treatment, payment and operations
(and certain national priority purposes).
Those entities that misuse personal health
information can be punished. Under final
HIPAA rules, the HHS Office for Civil
Rights, which is responsible for implementing
the Privacy rules, can impose civil monetary
penalties and criminal penalties for certain
wrongful disclosures of protected information.
Civil penalties can be imposed up to $25,000
per year and criminal penalties can range
from $50,000 and one year in prison to
$250,000 and ten years in prison.
The health care industry has been lobbying
the Bush Administration to change or dismantle
HIPAA regulations, while consumer privacy
advocates view the rules as a milestone
that provides comprehensive federal, rather
than conflicting state, standards for patient
medical privacy. At this time, it is unclear
whether or not the current Administration
will fully implement HIPAA and how these
final rules will affect telemedicine practitioners
over the long term.
What You Need to Know
- Federal Proposed Rulemakings
- State Privacy Laws
- General Information on Safeguarding Information
Next Steps
OAT and the Assistant Secretary's Office
of Planning and Evaluation have recently
funded a study and a conference entitled
Privacy, HIPAA and Telemedicine by the
Advanced Technology Institute, which will
be completed in spring 2001. The purpose
of the study is to identify privacy issues
and concerns unique to telemedicine and
to determine how HIPAA may affect telemedicine
practitioners and patients. The study
will draw upon the experience of OAT's
grantees, which include over 60 telemedicine
networks and over 400 sites.