Health Insurance Portability and Accountability Act (HIPAA) Overview
NOTE: This is not legal advice. The DMA is providing you with general information about the rules below and DMA-related member guidelines. For legal questions specific to your company, please ensure you are working with your own legal counsel who can represent your organization.
I. GENERAL QUESTIONS
What is HIPAA, and what does it do?
Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services promulgates rules and regulations to regulate the privacy and security of medical information. The purpose of the law is to improve portability of health insurance coverage, reduce healthcare fraud and abuse and to protect individual privacy of personal health records.
Please note that after HIPAA went into effect, several sets of regulations were promulgated, two rules are key for marketers—the “Privacy Rule” and the “Security Rule”. The Privacy rule creates national standards to protect the privacy of personal information, while the Security Rule governs the security of electronic healthcare information. Each must be reviewed by organizations that are using health information of individuals.
To view the entire rule and related materials, see http://www.hhs.gov/ocr/hipaa
HHS announced changes in January, 2013, called the “omnibus” rule, to provide the public with increased control over personal health information as a result of enhanced enforcement by the Health Information Technology for Economic and Clinical Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 and other rulemaking proceedings since 2009.
The omnibus final rule is comprised of some of the following additional requirements for your “protected health information” (PHI):
- Makes “business associates” of covered entities directly accountable for compliance under HIPAA unlike the previous rules—this is an important change.
- Strengthens limits on use and disclosure of protected health information for marketing and fundraising purposes and prohibits the sale of protected health information without individual authorization.
- Expands individual’s rights to electronic copies and restricts disclosures to health plans concerning fully-paid treatment.
- Provides modifications to and redistribution requirements of a “covered entity’s” privacy practices.
- Strengthens privacy protections for genetic information.
- Adds new breach notification requirements for unauthorized disclosures of unsecured PHI, the Federal Trade Commission also regulates health data breaches (see FTC Breach Notification Rule, 74 FR 42962, published August 25, 2009.)
1. When do I have to be in compliance? For the changes related to HITECH, September 23, 2013 (covered entities, business associates, and subcontractors.)
2. What legal documents should be developed under HIPAA?
Covered entities should develop the following legal documents through their legal counsel, and review additional requirements that may impact them, their business associates and subcontractors:
- Authorization Forms – to obtain written permissions from patients to authorize covered entities to use or disclose health information;
- Notice of Privacy Practices – to provide patients notice regarding disclosure and use of information; and
- Covered entities must have business associate agreements to assure that business associates also comply with the rule. Additionally, “subcontractors” of business associates may also be required to comply and this must be reviewed in all contracts. The rule grants an additional one-year timeframe for contract compliance.
To view a sample agreement, go to this link: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
3. What type information is protected?
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Examples (not an exhaustive list):
- Specific dates – birth, admission, discharge, death
- Telephone number
- Social Security number, medical record number
- City, zip code, and other geographic identifiers…
4. What are “covered entities?”
- Health plans — HMOs, insurers;
- Health care clearinghouses – billing services, community health management information systems and “value added” networks and switches; and
- Health care providers – medical or health service provider and any other person or organization that furnishes, bills, or is paid for health care in electronic form (e.g., insurers, physicians, hospitals, labs and pharmacies).
5. What is meant by “business associates” covered by the Rule?
- Business associates perform functions or services for the covered entity that involve the use of protected health information. They may include: direct marketers, pharmaceutical manufacturers, medical equipment suppliers, software and database vendors and suppliers. A covered entity can also be a business associate to other covered entities. Business associates can be held liable at the federal and state level.
Under the omnibus rule business associate include:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services to a covered entity and requires access on a routine basis.
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- A subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate.
II. Receiving Permission: AUTHORIZATION FORMS
Under HIPAA, covered entities must obtain written permission from individuals – by way of a signed authorization form – before they use or share health-related information for marketing and certain other purposes.
1. What is an authorization form?
An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or “health care operations,” or to disclose protected health information to a third party specified by the individual. Such specific purposes include for marketing purposes, disclosure of psychotherapy notes (where appropriate), disclosures of the sale of protected health information.
2. What is the definition of “health care operations”?
Health care operations include but are not limited to the following:
- Certain fundraising activities for the covered entity’s own benefit;
- Quality assessment and improvement activities;
- Insurance underwriting, premium rating, and related insurance activities;
- Business planning, development and management activities;
- Licensing and audits;
- Evaluating health care professionals and plans; and
- Training health care professionals
3. Can health care providers and health plans condition treatment/service on obtaining authorization?
No. Providers and health plans may not condition treatment, enrollment in a health plan, benefits
4. Can more than one authorization be obtained on one form?
Yes. More than one authorization may be obtained on one form, but the “authorization” cannot be expanded. Again, it is important to note that treatment or enrollment in a plan cannot be conditioned upon receiving authorization.
5. Can the authorization be included with other documentation?
No. The authorization needs to be conspicuous and separate from any other document, including any other written legal permission from the individual.
However, as noted in the previous question, more than one authorization may be obtained on one form. For example, an authorization for the disclosure of the individual’s demographic information for both marketing and fundraising purposes would be permitted. A health care provider could not, however, refuse to treat an individual because the individual refused to authorize disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
III. MARKETING AND FUNDRAISING UNDER HIPAA
1. What is considered “marketing” under HIPAA?
Marketing is defined as a communication about a product or service that encourages recipients to purchase or use the product or service. This covers the planned use or disclosure of protected health information “PHI” for marketing purposes. To view the full set of marketing FAQs, go here: http://www.hhs.gov/ocr/privacy/hipaa/faq/marketing/index.html
2. What is an “authorization” to market?
All subsidized communications (receipt of financial remuneration in exchange for the communication) are marketing and they will need an advance authorization.
3. What types of communications are allowed without authorization?
The following communications activities are allowable without authorization so long as there is no financial remuneration from a third party in exchange for making the communication. Examples:
- Communications regarding treatment, case management or care coordination, and recommending alternative treatments, therapies, health care providers, or types of care to the individual. This allows activities such as referrals, prescription reminders, appointment notifications, disease management and wellness programs.
- Also, communications about government or government-sponsored programs do not fall under “marketing” so a covered entity may use and disclose protected health information to communicate with individuals about eligibility for Medicare, Medicaid and other government programs.
4. What must be included in the marketing authorization?
In addition to other authorizations (see question in “Authorization Forms” section above), an authorization for marketing must include a statement that the covered entity will be paid for the marketing activity if the marketing involves direct or indirect remuneration by a third party.
5. Fundraising: What types of fundraising are covered and what are the obligations? Permitted fundraising activities include appeals for money, sponsorships of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales…) Covered entities are allowed to use or disclose to a business entity or institutionally-related foundation limited protected health information (demographic and dates of care) about an individual for that entity’s fundraising without authorization.
The covered entity’s fundraising materials must include an opt-out notice that is clear and conspicuous, and if it is over the phone an opt-out disclosure must be made (channel neutral disclosures). If the individual does opt-out, no more fundraising communications across all marketing channels may be sent.
-the opt-out must be included in each fundraising communication,
-the methodology for the opt-out must not cause additional costs for the individual (you should provide and 800 numbers, or an email address, or a prepaid postcard…)
-the covered entity cannot condition treatment on an individual’s choice to receive fundraising communication.
IV. PATIENT’S RIGHTS UNDER HIPAA
What are the individual’s rights under HIPAA?
Under HIPAA, individuals have the right to:
- Receive a privacy notice to inform them about how protected information will be used and disclosed;
- Request that uses and disclosure of protected information be restricted (covered entities are not required to always agree to restrictions);
- Inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
- Get an accounting of the disclosure of their protected information; and
- File a complaint.
1. Can individuals bring a private cause of action against a covered entity?
No. A private cause of action is not authorized by the Rule.
2. Are there other actions an individual can take to file a complaint against a covered entity’s failure to comply?
Individuals can file a complaint against covered entities that they believe have not complied. The complaint should be filed with the U.S. Department of Health and Human Services (DHHS). Here is the complaint portal: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
See this link for additional consumer rights information:
V. NOTICE OF PRIVACY PRACTICES (NPP)
The privacy notice requirements under HIPAA and related regulations are complex. Here are some key highlights:
1. What privacy notice is required?
An individual has the right to notice regarding the uses and disclosures by a covered entity of protected health information. Covered entities must have and distribute a notice of its privacy practices (“NPP”) The NPP must describe the uses and disclosures of protected health information, the covered entity’s legal duties and privacy practices with respect to protected health information, and the individual’s rights with regard to protected health information.
The NPP must contain a statement indicating most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information for marketing purposes, and states that other uses and disclosures not described in the NPP will be made only with authorization by the individual. If the entity plans to do fundraising, that must also be included in the privacy notice and the opportunity to opt-out.
The NPP should also inform individuals of their right to restrict disclosures of protected health information when the individual has paid out of pocket for the health care product or service.
A business associate does not need to provide a separate notice. But a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies, as stated in covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.
Please note that the Notice must reflect any State law(s) that is more stringent than the Privacy Rule with respect to the use or disclosure of protected information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of the States, if any, must be reflected in the Notice.
When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision.
2. What notice is required for a breach of the health data? What if a breach occurs?
The NPP (above) should include a notice of the right of affected individuals to be notified in the event of a breach whereby the protected information is impermissibly used or disclosed to provide helpful context should a breach occur in the future.
The HITECH Act requires covered entities to provide notification to affected individuals, the Secretary of HHS, and the media (if more than 500 residents of the State or jurisdiction are impacted) following discovery of the breach. A breach is to be treated as discovered if any person (other than the individual committing the breach) that is an employee knows or should have known about the breach.
The notice should be sent within 60 days after it was discovered. The notice to the individual should include:
-description of what happened,
-description of types of protected information involved in the breach,
-any steps individuals should take to protect themselves from harm resulting from the breach,
-a brief description of what steps the covered entity (or business associate as applicable) is taking to investigate the breach, mitigate harm, preventative measures
-contact information for individuals to seek more information.
3. What obligations does a Business Associate have in the event of a breach?
A business associate is required to notify the covered entity (or all covered entities if they are multiple) of the breach of unsecured protected health information so that the covered entity can notify affected individuals. This should occur not later than 60 days following discovery of the breach.
Please note that law enforcement may require a delay prior to breach notification.
VI. ENFORCEMENT/COMPLIANCE ISSUES
1. Who enforces the rules and what are the potential penalties?
DHHS’ Office of Civil Rights (OCR) is the governmental body that has the enforcement responsibility. Violations range in the amount from $100 – $50,000 dependent on the type of violation, for a maximum of $1.5 million in a calendar year.
2. What steps do business associates need to take to comply with the Rule?
As a business associate of a covered entity, your organization will need to take the following actions:
- Enter into new contracts with covered entities in which you agree to safeguard protected health information and assume responsibility for certain HIPAA requirements;
- If requested by the covered entity, modify procedures for storing patient information to enable tracking of data disclosures and accessing of records by patient;
- Help the covered entity develop its privacy notice describing the types of uses and disclosures of protected health information as per your agreement;
- If requested by the covered entity, adopt procedures for handling patient requests for correction of information;
- Adopt procedures for handling patient requests for correction of information;
- Enter into new contracts with subcontractors to ensure that they safeguard any protected health information you transfer to them;
- Train employees regarding privacy requirements and the safeguarding of protected health information;
- If requested, provide copies of its policies, procedures, and records for handling protected health information to the covered entity and/or the U.S. Department of Health and Human Services;
- Inform the covered entity if there is any unauthorized use or disclosure of protected health information; and
- If feasible, return the protected health information to the covered entity upon termination of the contract between them.
VI. HIPAA V. DMA HEALTH DATA MARKETING GUIDELINES
If I comply with DMA’s Health Data Marketing Guidelines, then am I in compliance with HIPAA?
No. Although there are similarities between HIPAA and DMA’s Health Marketing Guidelines, HIPAA is law and The DMA’s Guidelines are not, and in some areas HIPAA requires more than The DMA Guidelines.
Where else can I go to get more information about HIPAA?
U.S. Department of Health and Human Services, Office for Civil Rights http://www.hhs.gov/ocr/hipaa/
Members may email DMA at email@example.com