Debate Over Use of Patient Information Resolved
by Joseph A. Vitale

Debate over the appropriate use of
patient information by parties other than direct
health care providers has heightened over
the last year or so among regulators and health
care providers. This debate has arisen, in part,
because of the ease with which such data may
be compiled, sorted and transmitted electronically.
In response, the United States Department
of Health and Human Services ("HHS")
promulgated its final medical privacy rule (the
"Rule") this spring.

Formulated to prevent personal health information
from being misused by health care
businesses and their associates, the Rule protects
"individually identifiable health information
that is transmitted by electronic media,
maintained in any medium that falls within the
definition of electronic media, or transmitted
or maintained in any other form or medium."
Effectively, this makes all health information,
paper, electronic or oral, subject to the Rule.
The Rule creates a federal floor of privacy protection
and does not supersede state laws that
may be more stringent. Compliance with the
Rule is required by April 14, 2003.

Those entities covered by the Rule include
health plans, health care billing and other
clearinghouses, and certain health care providers.
A health care provider is defined, for the
purposes of the Rule, as a person or entity who
provides, bills, or is paid for health care services
or supplies in the normal course of business
and who transfers health information electronically
in connection with any of ten types
of transactions for which HHS has adopted a
standard, to wit: (1) health care claims or
equivalent encounter information, (2) health
care payment and remittance advice, (3) coordination
of benefits, (4) health care claims status,
(5) enrollment and disenrollment in a
health plan, (6) eligibility for a health plan, (7)
health plan premium payments, (8) referral certification
and authorization, (9) first report of
injury, and (10) health care claims attachments.

The Rule also applies to a "business associate"
or third party to whom a covered entity
has disclosed personal health information, including
persons or entities who process claims,
analyze data, engage in utilization review, quality
assurance, billing, benefit management,
practice management or repricing. Also included
are those providing legal, actuarial, accounting,
consulting, data aggregation, management,
administrative, accreditation and financial
services to a covered entity.

The Rule requires that a covered entity disclose
personal health information to a business
associate only after it obtains satisfactory assurance
that the business associate will appropriately
safeguard the information, and it makes
the covered entity responsible for violations of
the Rule by a business associate if the covered
entity knows of such a violation by the business
associate and does not take reasonable
steps to cure the breach or terminate its agreement
with such business associate. In addition,
disclosures may be made to business associates
only if (1) the individual involved consents to
the use of the information for treatment, payment,
or health care operations, (2) the consent
includes a reference to any explanatory privacy
notice, and (3) the disclosures are the minimal
disclosures necessary to achieve the purpose of
the disclosure.

Covered entities are also required to adopt
written privacy procedures that outline who
has access to protected information, how it will
be used, and when it may be disclosed. They
are required to train their employees in these
procedures and to designate privacy officers to
ensure compliance. As a result of the implementation
of the Rule, patients will have a
clearer expectation of exactly how their privacy
will be guarded.

- Covered entities must give patients a
clear, written explanation of how the
covered entity may use and disclose
their information.
- Patients will be able to see and get copies
of their records and receive a history
of non-routine disclosures.
- Health care providers will be required
to obtain patient consent before sharing
their information for treatment, and to
obtain separate authorization for non-routine
disclosures.
- Patients will have the right to file a formal
complaint with a covered entity or
with HHS in the event of violation.

In the event of noncompliance, a covered
entity may be fined, and criminal penalties may
be imposed for knowing violations of the Rule,
including criminal penalties for obtaining or
disclosing protected health information with
the intent to sell, transfer, or use it for commercial
advantage, personal gain, or malicious harm.

The Rule effectively imposes a whole new
regulatory system on health plans and hospitals,
requiring that they audit their prior policies
and procedures for compliance with the
Rule, revise and/or adopt new policies and procedures,
retrain their employees, and revise
their existing contracts with third parties. The
most significant effect on health care providers
other than hospitals is the requirement that
providers examine their consent forms to determine
whether they comply with the Rule's
mandates on obtaining explicit authorization
before disclosing protected health information
to those outside of the health care provider.
The conditions governing these authorizations
differ depending on the situation involved,
requiring such health care providers to become
familiar with the specifics of the Rule or to
have immediate access to someone who is familiar
with such specifics.