New Federal Rules for Health Privacy Go Into Effect Today

Health Insurance Portability and Accountability Act of 1999 (HIPAA) Changes Impact Patients in Maine and around the U.S.

Portland, Maine (April 14, 2003) - The new HIPAA Privacy Standards that became effective today, April 14, are the first comprehensive federal regulations developed to protect patient medical information, according to Ken Lehman, a health care attorney with Bernstein, Shur, Sawyer & Nelson.

"The Privacy Standards work in concert with other federal and state confidentiality laws and rules, such as Maine's confidentiality law and other laws permitting patients to access their health information," said Lehman. "Since 1999, Maine has had strong patient confidentiality laws. In some situations, Maine laws will continue to control, and in other situations, the new federal rules will impose new and different requirements. Maine's hospitals, physicians and other health care providers have been working for months to understand the impact of the HIPAA Privacy Standards, and yet the standards are complex enough that many are still finding it a real challenge."

"Patients will find they are getting new notices and being asked to sign new and different forms. While the expressed goal of the government is to protect the privacy of patients' health information, the short-term effect will be an unavoidable degree of confusion. Patients should ask for explanations if they do not understand what they're being asked to sign," Lehman said.

As of today, every "Covered Entity" is required to comply with the HIPAA Privacy Standards. There are three types of Covered Entities: (1) Health Plans, including individual or group plans that provide or pay for medical care; (2) Health Care Clearinghouses; and (3) Health Care Providers who transmit any health information in "electronic form" in connection with a "transaction" covered by HIPAA, according to Lehman.

These "transactions" include: health care claims; payment and remittance advice; coordination of benefits; claim status; enrollment or disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions.

Generally, covered entities must manage the medical record, a/k/a Protected Health Information ("PHI") consistent with the Privacy Standards. PHI is "individually identifiable health information" ("IIHI") that is transmitted or maintained by electronic media and IIHI that is transmitted or maintained in any other form or medium.

PHI is information that identifies an individual and that relates to: the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. Thus, PHI includes: (a) records in electronic or computer form, (b) paper records, (c) oral communications, and (d) PHI in any other medium.

HIPAA specifically excludes education records covered by FERPA (the Family Educational Rights and Privacy Act and employment records held by a Covered Entity in its role as an employer.

The Privacy Standards do not replace federal or state privacy laws that provide for even greater privacy protections to "Individuals" (the HIPAA term for "patients"). The effects of the Privacy Standards on other laws and regulations must be assessed on a case-by-case basis.

State laws and rules are assessed using a "preemption analysis" to determine if the State standard is "more stringent" than HIPAA. Federal privacy laws and rules are assessed using an "implied repeal" analysis of whether a different Federal standard is "constructively" repealed by HIPAA.

Uses & disclosures that do not require an authorization typically include those made for "TPO" ö Treatment, Payment or Health Care Operations, which includes a wide range of activities from peer review and quality assessment, to arranging for medical review, legal services, and accounting or auditing services, to business planning and development, business management of the CE, customer service, and internal grievance matters.

Under the new HIPAA Privacy Standards, there are also 12 broad categories of "uses & disclosures" that a covered entity can make without a patient's authorization or knowledge such as those "Required by Law;" for "Public Health Activities" (including child abuse and neglect reports), or about "Victims of Abuse, Neglect and Domestic Violence."

"Patients have the right to request an accounting of disclosures," said Lehman, "except when use or disclosure is made for a specified Health Care Operation. Patients are permitted to obtain one free accounting of disclosures every year, but may be required to pay for additional accountings sought within a year."

Other patients rights covered under the new regulations include:

• the Right to Receive a Covered Entity's Notice of Privacy Practices
  
• the Right to Request Restriction of Uses & Disclosures. Patients have the right to request that
• the Right to Request to Access, Inspect and Copy their PHI.
  
• the Right to Request Amendment, Correction and Clarification of PHI
  
• the Right to Request an Alternate Means of Communicating PHI.

In addition, every Covered Entity must have a procedure for patients to complain about the Covered Entity's actions or about its policies. The procedure should be detailed in the CE's Notice of Privacy Policies, along with how to complain to the CE. CEs need to document complaints and how they responded to concerns raised. Patients may also complain to the Secretary of DHHS about a CE. The Office of Civil Rights within DHHS will investigate complaints and prosecute for sanctions. HIPAA does not provide patients with a private right of action.

Ken Lehman is a resident of Cumberland, and is a shareholder at Bernstein, Shur, Sawyer & Nelson. He chairs the firm's Health Law Practice Group.

Bernstein, Shur, Sawyer & Nelson is one of northern New England's largest law firms, with more than 70 attorneys in offices in Portland and Augusta, ME and Manchester, N.H. The firm provides legal services in all major subject areas, including corporate and commercial law, litigation and trials, municipal and governmental affairs, education law, construction and tax and estate planning. Bernstein, Shur also has an active practice in bankruptcy, health law, environmental law, technology and commerce, employment law, legislative law, intellectual property, public utilities and other regulated industries. For more information on the attorneys involved in this case or the firm, visit the Bernstein, Shur web site at www.bssn.com.

# # #