By: Akanksha A. Panicker
The Health Insurance Portability and Accountability Act of 1996 is a federal law that created national standards for protecting sensitive patient information from being disclosed without the patient’s consent. The act covers health insurance coverage for workers and their families [Title I], national identifiers and electronic health care transaction provisions [Title II], guidelines for pre-tax medical spending accounts [Title III], and health insurance reform, including individuals with pre-existing conditions and those seeking continued coverage [Title IV]. Title V governs company-owned life insurance policies.
[1.0] IMPORTANCE OF THE HIPAA
The HIPAA is significant legislation insofar as it ensures sustainable and accessible healthcare plans. It provides a framework of requirements for healthcare in the United States and ensures that medical data is not traded indiscriminately. Because healthcare is a necessity, it also pre-empts state law to ensure uniformity in the country’s medical regulations [unless the state itself has more rigorous medical rules].
HIPAA encompasses a broad range of medical requirements. It frames the policies for healthcare services as well as the requirements for technology and record-keeping. The latter applies to health insurers, billing companies, and HMOs, and non-compliance is punishable.
[2.0] WHAT IS THE HIPAA PRIVACY RULE
Medical identity theft has been a major issue in the healthcare sector. Consequently, the HIPAA Privacy Rule was issued by the US Department of Health and Human Services to address the use and disclosure of patients’ information. Entities handling such information that are subject to the Privacy Rule are called ‘covered entities’ and are required to comply with the standards laid down to protect healthcare information.
Primarily, the Privacy Rule strikes a balance between protecting individual health information and ensuring that data is available for high-quality healthcare. The Rule does not lay down rigid and impermeable rules, since each person seeking care requires different treatment, but it provides standards for covered entities and for the rights of the individuals themselves. The HIPAA Privacy Rule is sustained by national regulations for using and disclosing Protected Health Information (PHI) in healthcare treatment, payment, and operations by covered entities.
[2.1] WHAT CLASSIFIES AS PHI
Personal identifiers that can reveal the identity, medical history, or payment records of the holder and contribute to medical identity theft come under PHI insofar as they classify as individually identifiable information. This may include the names, phone numbers, email addresses, or postal addresses of the individuals, as well as their Social Security numbers, medical record numbers, fingerprints, IP addresses, health insurance beneficiary numbers, or personal photographs.
[3.0] WHO IS COVERED UNDER HIPAA PRIVACY
Practically every component of the healthcare sector comes under the HIPAA Privacy Rule. Every healthcare provider is subject to the Privacy Rule irrespective of the size of the practice. This includes providers who electronically transmit health information connected with transactions such as eligible claims, benefits, coverage inquiries, and referral authorization requests. The HIPAA Transactions Rule denotes the transactions that fall under this umbrella. A broad rule of thumb for classifying covered entities is their regular exposure to Protected Health Information.
[3.1] HEALTH PLANS
Because they provide for medical care to individuals, the entities that govern health plans come under the Privacy Rule. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). These health plans need not be individual plans; employer and multi-employer sponsored health plans are included as long as there are more than fifty participants.
Furthermore, covered entities also include processing bodies that transform nonstandard information into data that conforms to HIPAA requirements. This means that healthcare clearinghouses fall under the Privacy Rule, considering that they receive individually identifiable health information to process for a healthcare provider.
[3.2] BUSINESS ASSOCIATES
Even if the primary occupation of the entity is not the creation, receipt, or transmission of Protected Health Information, any person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity comes under the Privacy Rule. Examples include data analysis, claims processing, etc. Third-party services and activities that come in contact with PHI during their service come under the Privacy Rule. A Business Associate must sign an agreement that ensures that the PHI it encounters remains protected. The HHS extended the Privacy Rule to cover independent contractors for the same reason. An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).
[3.3] PERMITTED USES AND DISCLOSURES
Information that can be disclosed without the person’s authorization falls under permitted disclosures, so called because a covered entity is permitted but not required to disclose it. The obvious situation in which this is acceptable is disclosure to the individuals themselves, which is mandatory if the information is needed to access or account for the disclosure and the treatment/payment that accompanies it. Furthermore, public interest and benefit activities, court orders, and administrative requests can see PHI disclosed without authorization or permission. It is necessary to disclose potential child abuse to welfare agencies.
Of course, the individual can also consent to disclosure of their PHI when asked to do so by the covered entity. An entity must disclose the information within thirty days of being asked, while ensuring that only the minimum necessary information is provided to the requester. Furthermore, it is necessary to keep track of disclosures of PHI and to document privacy policies and procedures.
[4.0] HIPAA SECURITY RULE
The HIPAA Security Rule covers all individually identifiable information that a covered entity is responsible for in electronic form. This includes the creation, receipt, maintenance, or transmission of such electronic protected health information (e-PHI). Covered entities here are mandated to ensure the confidentiality and integrity of e-PHI and to actively take steps to protect against threats to it. Due diligence and compliance measures are necessary to safeguard against anticipated threats or unwarranted disclosures.
The Security Rule’s confidentiality requirements supplement the Privacy Rule’s prohibitions against improper use. The Administrative Safeguards provisions in the Security Rule compel covered entities to perform a risk analysis of the security of their management processes, which includes [A.] evaluating the likelihood of risks to e-PHI, [B.] taking security measures to address the inadequacies exposed by the risk analysis, and [C.] recording those security measures and the process behind choosing them.
The 2013 update to HIPAA came through the Final Omnibus Rule, which expanded the scope of the Privacy and Security Rules and included updates to the HITECH Act’s Security Rule and Breach Notification provisions. Business associates were required to adhere to the guidelines enumerated. The definition of ‘significant harm’ caused in the event of a breach was also updated, shifting the onus onto the covered entity to prove that harm had not occurred to the individual.
[5.0] HIPAA SERVICE REQUIREMENTS
Process servers are not responsible for procuring, managing, or being privy to health information documents. Personally identifiable information cannot be on the documents delivered by a civil process server. Such information should be redacted in legal documents accessible to process servers, since they can be held liable for improperly redacted information. Process service must be exceedingly stringent in HIPAA cases because the delivery of sensitive information to the wrong individual or a mistaken address can attract liability.
When obtaining PHI for a judicial proceeding, it is necessary to ensure that the court order expressly authorizes obtaining the information. Furthermore, disclosure may be obtained for a subpoena, discovery request, or another lawful process without a court order as long as reasonable effort has been undertaken by the party seeking the information to ensure that notice has been given to the individual. Ideally, a written statement must be given to the covered entity attesting to a good faith attempt to provide written notice to the individual. If personal delivery fails, a copy of the notice must be mailed to the individual’s last known address. The notice must include information about the litigation or proceeding that demands the information and must allow the individual to present themselves or raise objections to the court.
Furthermore, a written statement may be provided to the covered entity regarding the necessity of disclosing the information upon a request for a qualified protective order from a court with jurisdiction. As a general rule, however, the standard permitted information is de-identified. Such information may be used to identify or locate a suspect, fugitive, material witness, or missing person. Even then, the information that can be disclosed is highly limited.
[5.1] PRIVACY PRACTICES NOTICE
Covered entities must provide a notice describing the privacy rights the individual may avail of and the reasons why an entity might disclose protected healthcare information. The notice must detail the individual’s right to complain about infringement of their privacy rights and must be distributed to patients wherever there is a direct treatment relationship. This includes the first service encounter: by personal delivery for in-person patient visits, or by an automatic and contemporaneous electronic response for electronic service delivery. For telephonic service delivery, the notice must be mailed promptly. Furthermore, covered entities (regardless of the directness of treatment provided) must make the notice available to any individual on request, and additionally on any customer service or benefits websites they maintain.
1. 45 C.F.R. § 164.501
2. 45 C.F.R. § 160.103
3. 45 C.F.R. § 160.103
4. HHS Office for Civil Rights. (2013, July 26). Summary of the HIPAA Privacy Rule. Retrieved November 02, 2020, from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
5. Public interest and benefit activities:
- When required by law
- Public health activities
- Victims of abuse, neglect, or domestic violence
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement
- Functions (such as identification) concerning deceased persons
- Cadaveric organ, eye, or tissue donation
- Research, under certain conditions
- To prevent or lessen a serious threat to health or safety
- Essential government functions
- Workers’ compensation
6. 45 C.F.R. § 160.103
7. The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5).
8. The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve the “safe harbor” method of de-identification:
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census (1) the geographic units formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
(C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met.
In addition to removing the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is the subject of the information. 45 C.F.R. § 164.514(b).
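As an added illustration (not code from the original post), the following Python applies the zip code, date, and age rules of the safe-harbor method listed above to a constructed patient record; the three-digit zip code population table and the sample record are constructed data, not Census figures or a real person.

```python
from datetime import date

# Constructed sample data: residents of each three-digit zip code area. A real
# deployment would load the current Census Bureau figures the rule refers to.
ZIP3_POPULATION = {"021": 1_200_000, "036": 15_000, "900": 2_500_000}
POPULATION_THRESHOLD = 20_000   # areas of 20,000 or fewer people become 000
AGE_CAP = 89                    # ages over 89 collapse into "90 or older"


def deidentify_zip(zip_code: str) -> str:
    """Keep only the initial three digits, and only if that area holds more
    than 20,000 people; unknown areas are treated conservatively as small."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    zip3 = digits[:3]
    if len(zip3) == 3 and ZIP3_POPULATION.get(zip3, 0) > POPULATION_THRESHOLD:
        return zip3
    return "000"


def deidentify_age(age: int) -> str:
    return "90+" if age > AGE_CAP else str(age)


def age_on(birth: date, as_of: date) -> int:
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify_record(record: dict, as_of: date) -> dict:
    """Apply the safe-harbor generalisations to one patient record. Direct
    identifiers (name, SSN, MRN) are dropped; dates keep only the year, and
    the birth year is dropped too when it would reveal an age over 89."""
    age = age_on(record["birth_date"], as_of)
    birth_year = None if age > AGE_CAP else str(record["birth_date"].year)
    return {
        "zip3": deidentify_zip(record["zip"]),
        "age": deidentify_age(age),
        "birth_year": birth_year,
        "admission_year": str(record["admission_date"].year),
        "diagnosis": record["diagnosis"],
    }


# Constructed sample record; none of these values refer to a real person.
SAMPLE = {"name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-0001",
          "zip": "03601", "birth_date": date(1928, 5, 4),
          "admission_date": date(2020, 10, 12), "diagnosis": "hypertension"}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE, as_of=date(2020, 11, 2)))
```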
9. The covered entity may disclose only the following information:
- Name and address;
- Date and place of birth;
- Social security number;
- ABO blood type and RH factor;
- Type of injury;
- Date and time of treatment;
- Date and time of death, if applicable; and
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.
10. HHS Office for Civil Rights. (2013, April 08). Model Notices of Privacy Practices. Retrieved November 02, 2020, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html