The Final Rule for HIPAA was issued yesterday. It was actually several final rules rolled into one big final rule. These rules confirm some new rights for people receiving healthcare. If you receive healthcare, the new rights are for you.
A little background: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. When it was first passed it addressed three main areas.
First, it allowed for a certain level of health insurance portability. Suppose you had health coverage at Employer A and then took a job at Employer B. If Employer B’s health plan had a prohibition against covering “preexisting conditions” for a certain period of time, the Employer B plan needed to count the time you were on the Employer A plan toward that period. Thus, your “seniority” in a health plan for purposes of preexisting conditions was “portable.” There were also many other changes relating to health insurance. This first part of HIPAA is now largely obsolete with the passage of the Affordable Care Act, which does a better job addressing these areas.
The second part of HIPAA is known as Administrative Simplification. It’s very important, although it’s probably the least known part of HIPAA. Administrative Simplification requires healthcare providers and insurers to use the same sets of codes and the same kinds of electronic transmissions when they do various electronic healthcare transactions, such as sending a bill. For example, if the mandated code for an appendectomy is 123, then every healthcare provider needs to bill a 123 for an appendectomy, and every health insurer needs to accept 123 as the code for an appendectomy. Before Administrative Simplification, providers and health insurers were free to use their own codes, which created a lot of problems, especially when health insurers created silly one-off codes that mainly had the effect of making it harder for healthcare providers to get paid and for patients to get covered. Different code sets were a big reason you would see people throw figures around like, “25% of every healthcare dollar is used for administration, not healthcare.” So, while healthcare billing and related transactions are still pretty complicated, they’re better than they were before because of this part of HIPAA.
The last part of HIPAA dealt with the privacy of medical information, and put many limits on what healthcare providers could do with that information (the same restrictions apply to health insurers and some other companies, but I’m just focusing on healthcare providers like doctors and hospitals). For example, HIPAA prohibits healthcare providers from selling your medical information to other companies who want to market something to you. It also prohibits healthcare providers from releasing your information to anyone other than the people you authorize. It’s a fairly broad rule that has many moving parts that are applicable to different situations.
HIPAA also addresses the security of health information, and has various requirements healthcare providers must undertake to ensure that medical information they store remains secure and reliable, mainly from the technical perspective. For example, healthcare providers are required to consider the use of encryption technology for portable devices (smartphones, laptops, USB memory keys, etc.) that hold medical information.
Because the first part of HIPAA is obsolete, and because most people don’t know about the Administrative Simplification part of HIPAA, the word “HIPAA” as used by the general public now almost always refers to the third part of HIPAA, relating to privacy and security.
Various rules were implemented over the years on the privacy/security aspects of HIPAA. There have been four main rules that, until yesterday, were not considered to be completely finalized, and much of which were not in effect. They are: (1) the Privacy Rule, which describes the basic privacy protections for medical information; (2) the Security Rule, which describes mainly the technical requirements for computer and other systems that store, process and transmit health information; (3) the Breach Notification Rule, which describes the processes that healthcare providers need to follow if they lose certain medical information, including notification of the patients whose information was lost; and (4) the Enforcement Rule, which describes how the government will go about considering and imposing penalties on people and companies that don’t comply with one of the first three rules. Each of the four rules contains multiple parts, sub-rules, etc.
The Final Rule issued yesterday finalizes all four of these rules. This Final Rule has an effective date of March 26, 2013, and a “compliance date” of September 23, 2013. For the most part this means that while the new rules go into effect in March, people don’t need to actually follow them until September. It’s a pretty doable deadline for most of the requirements, but the September date may be pushing it for some requirements at certain healthcare providers. For example, a large healthcare provider will often need more than a year to plan and implement a new computer system, so if a new system were necessary for compliance, the deadline would be a challenge.
Many of the newer rules were created in response to changes that were made to HIPAA in 2009, pursuant to the HITECH Act. The HITECH Act was not its own law; it was part of the 2009 stimulus bill that was passed after the big crash.
The Final Rule confirms several changes that apply to everybody who receives healthcare. The following is not a comprehensive list (the rule is 560+ pages long) but rather some highlights:
1. The normal rule currently used is that a person’s health insurer has the right to access the person’s medical records for payment purposes (e.g., to verify that a billed service was actually provided, was necessary, etc.). So a patient basically has no medical privacy from the patient’s own health insurer. Under the Final Rule, a person who pays in full for a certain service out-of-pocket (i.e., no health insurer is billed) has the right to prevent the medical records for that service from being disclosed to their health insurer. For example, if you are getting a test that you consider to be unusually sensitive for whatever reason (e.g., for an STD, cancer, etc.), you can pay for it yourself and restrict the information about the test from being shared with your health insurance company.
2. Probably the biggest news is that HIPAA is now applicable to “business associates” all the way down the chain. A “business associate” is a person or company that performs a function for a healthcare provider. For example, if a doctor hires an outside billing company to prepare and submit the doctor’s bills, the billing company is a “business associate” of the doctor. The first version of HIPAA didn’t apply to business associates directly, so the government required healthcare providers to enter into contracts with business associates. This framework left a lot of exposure in the event problems occurred. If a business associate did something wrong with a person’s medical information, the government could only directly penalize the healthcare provider, not the business associate.
The Final Rule confirms that business associates need to follow most of the same rules, and offer most of the same protections, as healthcare providers do. Also, business associates must extend these obligations to their own business associates all the way down the chain. For example, if a billing company is a business associate of a doctor, and uses a computer company to host its data, the computer company is also a business associate (to the billing company, not the doctor) and needs to maintain privacy and security under HIPAA just like the billing company and the doctor. The overall effect of this is to prevent a person’s medical information from losing protected status simply by moving from one legal entity to another, as had been the case before. Also, patients may now make most requests (e.g., for copies of information, restrictions, etc.) to business associates in addition to healthcare providers.
3. The Final Rule confirms that a person’s genetic information (e.g., a DNA analysis result) is protected by HIPAA. This was not completely clear previously because HIPAA allows insurers to use a person’s medical information to decide whether to issue a policy and for other insurance-related decisions. The Final Rule clarifies that genetic information can’t be used in this way. It harmonizes the provisions of HIPAA with the GINA law (Genetic Information Nondiscrimination Act of 2008), which prevents discrimination against people based on their genetic makeup.
4. A healthcare provider needs the patient’s authorization before sending marketing material that the healthcare provider is being paid by another party (e.g., a drug company) to send. The authorization must disclose to the patient that the healthcare provider is being paid.
5. A healthcare provider must give a patient a copy of his medical information, in the format requested by the patient if possible. If the patient requests an electronic copy, the information must be provided to the patient electronically. This is an expansion of the patient’s right of access under the current law.
6. The rule expands the people who may receive information about a patient’s death. Previously only a specified personal representative of the patient (such as the executor of the patient’s will) could get this information. The Final Rule clarifies that anyone “involved in the patient’s care” can access death-related information, and the commentary specifically says that this group of people might include the patient’s domestic partner. This requirement contains an exception to honor the patient’s wishes (i.e., if the patient did not want a particular loved one who was involved in the patient’s care to know this information, the healthcare provider would need to do its best to honor this request).
7. The rule changes the current status of child vaccinations. Prior to the Final Rule, a healthcare provider couldn’t release a child’s immunization records to the child’s school without written permission from the child’s parent/legal guardian. This caused all sorts of problems, especially for schools that will not enroll a child without first receiving confirmation of immunization – parents/legal guardians would have to drop everything to run to the healthcare provider’s office to sign forms. The Final Rule changes this to allow for oral authorization (e.g., over the phone).
8. The Final Rule confirms that patients have the right to ask the healthcare provider to send their medical information to a third party (e.g., a new doctor). Before this, patients only had the right to get the information themselves, and they would then need to send the information to the third party on their own, which wasted patients’ time.
There are many other changes, but these are the ones that patients can most directly exercise. Note that states are free to pass stronger requirements in any area covered by HIPAA, so some states might have additional protections.
A final word. Almost everything HIPAA says a healthcare provider can’t do, the healthcare provider can do if it receives written permission signed by the patient. To preserve your rights, you actually need to read the forms you get in the waiting room, and know what you’re signing.