Complying with the HIPAA Privacy Rule – What you need to know

By Rebecca C. Fayed, JD

Editor’s note: Rebecca C. Fayed is an associate in the Washington law offices of Sonnenschein, Nath & Rosenthal LLP. Rebecca is a member of Sonnenschein’s Health Care Group. She may be reached by telephone at 202/408-6351 or by e-mail at rcfayed@sonnenschein.com.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA),[1] among other things, directed the Department of Health and Human Services (HHS) to adopt regulations regarding the privacy of health information. After a series of proposed and final rules and modifications, on August 14, 2002, HHS published what is now commonly referred to as the Privacy Rule.[2] Most covered entities have been required to comply with the Privacy Rule since April 14, 2003.

As a general matter, the Privacy Rule requires that covered entities not use or disclose protected health information (PHI) without an individual’s authorization unless that use or disclosure is specifically permitted under the Privacy Rule. In addition, the Privacy Rule provides individuals with a number of rights with respect to their PHI and requires covered entities to comply with certain administrative requirements.

In order to comply with the Privacy Rule, a person or entity must, at a minimum, determine:

• If the Privacy Rule applies (i.e., whether the person or entity is a covered entity or a business associate);
• What information is considered PHI; and
• What uses and disclosures of PHI are permitted.

In addition, covered entities must have procedures in place to allow individuals to exercise their rights with respect to their PHI and must implement the requisite administrative requirements under the Privacy Rule.
Who must comply with HIPAA

Only people or entities that meet the definition of a covered entity are required to comply with the Privacy Rule. A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a standard transaction. In terms of health care providers, generally this includes any health care provider who submits claims electronically. Health care providers who may be covered entities include, for example, hospitals, physicians, dentists, nursing homes, and pharmacies (assuming that these entities submit claims electronically). Health plans that may be covered entities include, for example, health insurance companies, HMOs, and employer group health plans (but not the employer plan sponsor).

In addition, people or entities who are not part of a covered entity’s workforce, but who provide certain services for or on behalf of a covered entity and receive PHI from the covered entity when providing those services, may be considered business associates under the Privacy Rule and contractually required to comply with certain Privacy Rule requirements. Specifically, if a covered entity is disclosing PHI to a business associate in order for the business associate to provide services for the covered entity, the covered entity must obtain “reasonable assurances” from the business associate that the business associate will appropriately safeguard the PHI that it receives when providing services. These reasonable assurances must be in the form of a written agreement, commonly referred to as a business associate agreement or BA agreement. BA agreements must contain a number of provisions set forth in the Privacy Rule, including, for example, a provision that establishes the permitted and required uses and disclosures of PHI, a prohibition against any further use or disclosure except as permitted by the agreement or as required by law, and provisions that require the business associate to permit individuals to exercise their rights with respect to their PHI (either directly or through the covered entity).

To comply with the Privacy Rule’s requirements regarding disclosure of PHI to a business associate, covered entities should analyze their business relationships to determine who is a business associate. Covered entities should enter into BA agreements with any people or entities that meet the definition of a business associate. Some common examples of business associates include lawyers, consultants, CPA firms, and third-party administrators. In contrast, a person or entity is not a business associate if that person or entity’s services do not involve the use or disclosure of PHI or only involve incidental disclosures of PHI. For example, janitors, electricians, or couriers generally are not business associates, because they only incidentally come into contact with PHI during the course of providing services.
What is protected

PHI is the only information protected by the Privacy Rule. PHI is information (including

Continued on page 62
59<br />
October 2008