HEALTH LAW ALERT
Vol. II, No. 1
January, 2000

HHS ISSUES SWEEPING RULE ON PATIENT DATA PRIVACY

Affected entities will have two years from the effective date of the final regulation to implement and comply with the new requirements. Final regulations are due to be published not later than February 21, 2000. Because of the complexity of the regulation, we are encouraging all of our affected clients to begin study of the regulation immediately in order to determine what steps must be taken to comply and to plan for implementation. What follows is a brief summary of the regulation's key provisions.

The proposed rule must be followed by all health care providers and group health plans that transmit or maintain electronic health information. The proposed rule also requires health care providers and health plans to ensure regulatory compliance through written contracts with "business partners", such as clearing houses, third party administrators, data processors, billing services, accreditation organizations, consultants and the like.

What Data is Protected

The proposed rule applies to "individually identifiable health information" that is (or ever has been) converted to an electronic format by a health care provider or health plan. "Individually identifiable health information" is defined as any data, including demographic information, (1) that is created by or received from a health care provider, health plan, employer or clearing house, (2) that relates to an individual's past, present or future physical or mental health condition, or the provision of or payment for health care services, and (3) that either identifies the individual or is reasonably believed to permit identification of the individual. Only data on paper records that has never been converted to electronic data is exempt from this regulation.

Patient Authorizations Required

Except as specifically provided in the proposed rule, protected data cannot be used or disclosed without the voluntary written consent of the individual to whom the data relates. A health care provider or health plan may not condition treatment or payment or use other coercion to obtain an authorization.

Permitted Uses of Protected Data

Under the proposed rule, protected data may be used and disclosed without the individual's authorization for purposes of treatment, payment and health care operations (e.g., quality and utilization management, credentialing, underwriting, legal proceedings). Subject to certain procedural requirements, protected data may also be used or disclosed without authorization in emergencies and for public health, national security, law enforcement or health oversight purposes, and for judicial and administrative proceedings. Protected data also may be used for research purposes under specified conditions. Individuals have the right to access their patient data, as well as to receive an accounting of all disclosures of their protected data, except as it relates to treatment, payment or health care operations, or to avoid interfering with health care oversight or law enforcement activities. Individuals also may request certain restrictions on the uses and disclosure of protected data.

Covered entities must designate a privacy officer who is responsible for development and implementation of the entity's privacy policies and procedures, and a contact person who is available to provide information and respond to inquiries and complaints. All members of a covered entity's workforce who come into contact with protected data must receive training on the privacy policies and procedures, according to specified guidelines.

The rule requires health care providers and health plans that maintain or transmit protected data to safeguard the integrity, confidentiality and availability of such data. In order to implement these requirements, affected entities must have (1) written policies and procedures, (2) physical safeguards, (3) data security procedures, and (4) technical security mechanisms, such as encryption and audit trails. The appropriate level of safeguards must be determined by each affected entity, in light of its operations and risk profile.

HHS states that it will favor informal resolution of compliance issues. Nevertheless, the proposed rule provides for civil monetary penalties of $100 for each knowing instance of noncompliance, up to a maximum of $25,000 for multiple violations of the same standard. The rule also implements a $50,000 penalty and one year in prison for knowingly obtaining or disclosing protected data in violation of the rule. If the violation involves false pretences, the penalties increase to $100,000 and five years imprisonment. If the violation involves commercial or personal gain or malicious harm, the penalties are $250,000 and ten years imprisonment.

Any health care provider that directly or indirectly electronically transmits or maintains patient health care information should carefully review the full proposed rule and develop a work plan for implementation and compliance. You may obtain the text of the rule online at the following web site: . Implementation of the new standards will require a focused technical and administrative effort perhaps second only to Y2K compliance. If your organization would be interested in attending a seminar outlining the rule's requirements, please contact Rose Young by phone or e-mail (see below).

*****

This Health Law Alert is intended to provide information of general interest. Information is presented in summary form and should not be applied to a specific situation. If you have any questions or would like additional information regarding any of the above issues, please contact one of the following Gachassin Law Firm attorneys at (318) 235-4576 or by e-mail:


Nicholas Gachassin, Jr.
E-mail: nick@gachassin.com

Richard A. MacMillan
E-mail: richard@gachassin.com

Rose Young
E-mail: rose@gachassin.com

Nicholas Gachassin, III
E-mail:

© 2005 Gachassin Law Firm