Earn CEU credit Cathy Garrey, Connect with your - Health Care ...

Complying with the
HIPAA Privacy Rule
– What you need to
know
Editor’s note: Rebecca C. Fayed is an associate
in the Washington law offices of Sonnenschein,
Nath & Rosenthal LLP. Rebecca is a member
of Sonnenschein’s Health Care Group. She may
be reached by telephone at 202/408-6351 or by
e-mail at rcfayed@sonnenschein.com.
The Health Insurance Portability
and Accountability Act of 1996
(HIPAA) 1 , among other things,
directed the Department of Health and
Human Services (HHS) to adopt regulations
regarding the privacy of health information.
After a series of proposed and final rules and
modifications, on August 14, 2002, HHS
published what is now commonly referred
to as the Privacy Rule. 2 Most covered entities
have been required to comply with the
Privacy Rule since April 14, 2003.
As a general matter, the Privacy Rule requires
that covered entities not use or disclose
protected health information (PHI) without
an individual’s authorization unless that use
or disclosure is specifically permitted under
the Privacy Rule. In addition, the Privacy
Rule provides individuals with a number of
rights with respect to their PHI and requires
covered entities to comply with certain
administrative requirements.
In order to comply with the Privacy Rule, a person
or entity must, at a minimum, determine:
n If the Privacy Rule applies (i.e., whether
the person or entity is a covered entity or a
business associate);
n What information is considered PHI; and
By Rebecca C. Fayed, JD
n What uses and disclosures of PHI are
permitted.
In addition, covered entities must have
procedures in place to allow individuals to
exercise their rights with respect to their PHI
and must implement the requisite administrative
requirements under the Privacy Rule.
Who must comply with HIPAA
Only people or entities that meet the definition
of a covered entity are required to comply
with the Privacy Rule. A covered entity is a
health plan, a health care clearinghouse, or a
health care provider who transmits any health
information in electronic form in connection
with a standard transaction. In terms of health
care providers, generally this includes any health
care provider who submits claims electronically.
Health care providers who may be covered
entities include, for example, hospitals, physicians,
dentists, nursing homes, and pharmacies
(assuming that these entities submit claims electronically).
Health plans that may be covered
entities include, for example, health insurance
companies, HMOs, and employer group health
plans (but not the employer plan sponsor).
In addition, people or entities who are not
part of a covered entity’s workforce, but who
provide certain services for or on behalf of
a covered entity and receive PHI from the
covered entity when providing those services,
may be considered business associates under
the Privacy Rule and contractually required
to comply with certain Privacy Rule requirements.
Specifically, if a covered entity is
disclosing PHI to a business associate in order
for the business associate to provide services
for the covered entity, the covered entity must
obtain “reasonable assurances” from the business
associate that the business associate will
appropriately safeguard the PHI that it receives
when providing services. These reasonable
assurances must be in the form of a written
agreement, commonly referred to as a business
associate agreement or BA agreement.
BA agreements must contain a number of
provisions set forth in the Privacy Rule,
including, for example, a provision that establishes
the permitted and required uses and
disclosures of PHI, a prohibition against any
further use or disclosure except as permitted
by the agreement or as required by law, and
provisions that require the business associate
to permit individuals to exercise their rights
with respect to their PHI (either directly or
through the covered entity).
To comply with the Privacy Rule’s requirements
regarding disclosure of PHI to a business associate,
covered entities should analyze their business
relationships to determine who is a business
associate. Covered entities should enter into
BA agreements with any people or entities that
meet the definition of a business associate. Some
common examples of business associates include
lawyers, consultants, CPA firms, and third-party
administrators. In contrast, a person or entity is
not a business associate if that person or entity’s
services do not involve the use or disclosure of
PHI or only involve incidental disclosures of
PHI. For example, janitors, electricians, or couriers
generally are not business associates, because
they only incidentally come into contact with
PHI during the course of providing services.
What is protected
PHI is the only information protected by the
Privacy Rule. PHI is information (including
Continued on page 62
59
October 2008