HIPAA: Understanding the Impact on Government Agencies
If you currently serve as counsel to a government agency, it is likely you have heard something about a new federal law entitled the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It is equally likely, however, that you have not had the opportunity to review this far-reaching legislation to determine how it might affect your agency and its clients. This article provides a brief primer on HIPAA. Its goal is to help public-sector lawyers decide whether they need to learn more about HIPAA and to assess its potential impact on their government clients.

I. Introduction

The Health Insurance Portability and Accountability Act of 1996 is a comprehensive federal law that affects the health-care industry. It consists of two main sections. Title I, the portability provisions, gives employees and their families the right to keep their group health insurance when they change or lose their jobs. Title II, the administrative simplification (AS) provisions, standardizes the format of electronic health-care claims and other electronic transactions and establishes new requirements for the privacy and security of health-care information.

The health-care industry implemented the portability provisions of HIPAA with little fanfare. Implementing the AS provisions has not been so easy. Administrative simplification is a multi-year project involving not only major one-time modifications to health-care computer systems, but also permanent changes in health-care entities’ internal operational processes and workforce culture. The industry is in the midst of this process now, with significant HIPAA compliance deadlines looming in 2003.

II. Toward a more simplified system

The purpose of administrative simplification is to reduce health-care costs by encouraging providers to conduct health-care transactions electronically rather than on paper.
The federal government estimates that a health entity that conducts claims electronically rather than on paper will save substantial administrative costs associated with processing claims; estimates place the savings at $1 per claim for health plans and $1.49 per claim for health-care providers. While HIPAA does not require providers to submit claims electronically, it does make it much easier for them to do so. Today, many providers avoid processing claims electronically because insurers impose different formats and requirements on electronic submissions. With administrative simplification, providers will be able to use the same format to submit a claim to all insurers. This ease is expected to encourage providers to submit their transactions electronically, and the cost savings will multiply. The federal government estimates that administrative simplification will save the health-care industry a total of $29.9 billion over 10 years.

However, the capital investment required to implement HIPAA is not insubstantial and is the subject of much debate. The official federal estimate is that it will cost the health-care industry $6.7 billion to implement administrative simplification. One large insurer disputes that estimate, placing the actual costs closer to $43 billion.

III. The benefits of simplification

Administrative simplification will permanently and dramatically change the way health care does business. The AS provisions require health-care entities to transmit electronic health-care information in legally mandated formats, and they require privacy and security protection for that information at every stage of the information life cycle: from creation to disposal, from use to disclosure and from storage to transmission. The positive ramifications of these changes will affect the entire business community. Naturally, the AS provisions of HIPAA are of particular importance to the private regulated entities.
These entities come in three categories: health plans (entities that pay for the cost of health care); health-care providers (entities that provide health care to individuals); and health-care clearinghouses (entities that process transactions for another entity). Yet the impact of HIPAA on government agencies must not be ignored.

IV. The applicability of the AS provisions to government agencies

In general, if a government agency acts as a health plan, health-care provider or health-care clearinghouse, it is a “covered entity” and must comply with the AS provisions of HIPAA. Many government agencies are covered entities because they function as either a health plan or a health-care provider. However, there is an important exception for government agencies that might otherwise meet the definition of “health plan.” A government-funded program is excluded from the definition of “health plan” if any one of the following three conditions applies: (1) its principal purpose is not providing or paying the cost of health care; (2) its principal purpose is the direct provision of health care to persons; or (3) its principal activity is making grants to fund the direct provision of health care to individuals. Under the exception, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC), the Food Stamp Program, the Ryan White Comprehensive AIDS Resources Emergency Act, government-funded health centers and immunization programs are not “health plans” for purposes of the AS provisions. Nevertheless, some of these may still meet the definition of “health-care provider.”

V. The government agency as plan, provider or clearinghouse

Before embarking on an AS compliance program, a government agency must determine whether it is acting as a plan, provider or clearinghouse, because different requirements apply to each role. The answer may not be simple.
For example, a government agency might find that only one part of its business acts as a plan, provider or clearinghouse under the HIPAA definitions. In that case, the agency is a “hybrid entity” and must maintain organizational controls between the covered and non-covered parts of the agency. Alternatively, a government agency might find that one of its departments acts as a plan while another acts as a provider. In that case, the agency is a “covered entity with multiple covered functions” and must ensure that each department complies with the rules applicable to its function.

VI. Government agency compliance with HIPAA

A government agency that is a covered entity must comply with three major AS regulations: the Transactions Rule (Health Insurance Reform: Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162); the Privacy Rule (Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164); and the proposed Security Rule (Security and Electronic Signature Standards; Proposed Rule, 45 C.F.R. Part 142).

A. Compliance with the Transactions Rule

The Transactions Rule requires all health plans and clearinghouses to have their systems ready to send and receive HIPAA-compliant transactions by October 2002, or by October 2003 for entities that request a one-year extension of the compliance date. To accomplish this, government agencies that are health plans will need either to make major changes to their existing computer systems or to purchase special software known as a “translator.” The Transactions Rule does not require health-care providers to be compliant if they choose not to conduct electronic transactions, but it does require that any provider that does conduct them use the legally mandated formats.
Government agencies that are providers may find, like other providers, that the easiest way to comply with the Transactions Rule is to hire billing intermediaries that conduct standard electronic transactions on their behalf. The Transactions Rule, issued in final form in August 2000, sets standard formats for eight common health-care transactions, including health-care claims, eligibility inquiries and enrollment information. It incorporates by reference standards that have already been adopted by certain private standard-setting organizations (for example, the American National Standards Institute). It is well accepted throughout the industry that the transaction standards are an evolving requirement. The standard-setting organizations identified in the Transactions Rule will issue updated and new standards as necessary, and those modifications will then be incorporated into the Transactions Rule. This construct is interesting in that private industry organizations are acting, in effect, as lawmakers.

B. Compliance with the Privacy Rule

In many ways, compliance with the Privacy and Security Rules may be more difficult for health entities than compliance with the Transactions Rule. The Privacy and Security Rules closely regulate how health-care entities store, transmit, use and disclose the protected health information (PHI) in their possession. As a result of these rules, health-care entities will permanently change their day-to-day handling of data, many of their operational processes and even their entire workplace cultures.

The Privacy Rule has had an interesting procedural history. The Clinton Administration issued the proposed Privacy Rule in November 1999 and the final Privacy Rule in December 2000. In March 2002, in response to the health-care industry’s dissatisfaction with certain aspects of the Privacy Rule, the Bush Administration issued proposed modifications to the final Privacy Rule.
These modifications alter neither the basic structure of the rule nor the compliance date of April 14, 2003, but change a number of specific provisions, such as the consent requirement and the definition of “marketing.” The final version of these modifications, issued in August 2002 by the federal Office for Civil Rights, eased certain compliance burdens and was hailed by the health-care industry as an improvement.

The final version of the Privacy Rule still imposes many changes on the day-to-day operations of covered entities. Covered entities may use and disclose PHI without patient consent only for routine health-care purposes: treatment, payment and health-care operations. For non-routine uses, such as marketing, fundraising and most research, covered entities must first obtain a specific patient authorization. The Privacy Rule imposes strict requirements for “de-identifying” data and for releasing data to researchers. It requires covered entities to impose certain contractual requirements on any vendor to which they disclose PHI, to keep a log of all non-routine disclosures of PHI, and to provide a “Notice of Privacy Practices” to all of their patients or members. The Privacy Rule also grants individuals important rights, including the right: (1) to access their PHI; (2) to request that their PHI be amended; (3) to request that the use of their PHI be restricted; (4) to request alternative means of communication; and (5) to complain about an entity’s PHI protection procedures without fear of reprisal.

C. Compliance with the Security Rule

While the Privacy Rule regulates how a covered entity uses and discloses PHI, the Security Rule regulates how a covered entity stores and transmits PHI. The goal of the Security Rule is to protect the confidentiality, integrity and availability of PHI and to guard against unauthorized access. As of this writing, the Security Rule is not yet final: the industry has been waiting for a final version since the proposed rule was published in August 1998. For several reasons, however, most health-care entities are taking steps to comply with the Security Rule in its proposed form. One reason is that industry experts believe the final Security Rule will not be substantially different from the proposed rule. Another reason is the generic nature of the rule.
Although the Security Rule requires that an entity implement 24 specific security features (for example, password policies), it does not specify what technology must be used or how extensively each feature must be employed. Rather, it requires health-care entities to assess their own security needs, identify their own particular risks and adopt safeguards appropriate to their own business requirements. In this respect the Security Rule embodies what most security experts regard as current good business practice.

The third, and perhaps most important, reason that health-care entities are taking steps to comply with the proposed Security Rule is that Title II of HIPAA itself includes explicit security requirements applicable to covered entities. Specifically, the statute requires covered entities to “ensure” the integrity and confidentiality of PHI; to protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and otherwise to ensure compliance by officers and employees. These statutory provisions impose very high standards on the industry and are in effect now, regardless of the status of the regulation.

Finally, the Privacy Rule and the Security Rule share certain requirements for internal processes. For example, both rules require health-care entities to develop and maintain privacy and security policies; to train their workforces in the requirements of the rules and the contents of internal policies; to impose sanctions on any member of the workforce who does not comply; and to appoint officials responsible for compliance.

VII. How HIPAA affects government agencies that are not covered entities

Many government agencies that are not themselves covered entities regularly receive PHI from covered entities. The Privacy and Security Rules will likely affect whether and how a covered entity can continue these disclosures.
A covered entity may release PHI to a government agency without the individual’s authorization only in certain situations, including where the disclosure is for the purpose of the covered entity’s own operations, where a law or regulation requires the disclosure, or where the disclosure is made to a health oversight agency or to law enforcement officials. Counsel for government agencies that receive PHI from covered entities should review the Privacy Rule to determine the authority under which covered entities may continue the data release.

Moreover, even when a covered entity can properly release PHI to a government agency, it often will be required to keep a log of that disclosure and to inform the individual, upon request, of the contents of the log. An individual’s right to receive this information can be temporarily suspended if a law enforcement or health oversight agency provides the covered entity with a written statement that revealing the disclosure would impede its law enforcement or health oversight activities. Counsel for government agencies that are law enforcement or health oversight agencies should review the Privacy Rule for the details of this procedure.

Finally, a government agency that is not a covered entity will be indirectly affected by the Privacy Rule if it is a business associate of a covered entity. Business associates are entities that perform a function on behalf of a covered entity that involves the use or creation of PHI. Any government agency that is a business associate of a covered entity, whether or not that covered entity is also a government agency, will be required to execute a “business associate agreement” with the covered entity. These agreements contain language requiring the business associate to comply with certain portions of the Privacy Rule and specifying exactly how the business associate may use and disclose the covered entity’s PHI.
Counsel for government agencies that perform functions for health plans, providers or clearinghouses should review the business associate provisions of the Privacy Rule for details of these new contractual requirements.

VIII. Conclusion

The purpose of this primer is to raise awareness of HIPAA and its impact on government agencies. For more information regarding HIPAA and the AS provisions, the reader is encouraged to review the Department of Health and Human Services Web site at http://aspe.os.dhhs.gov/admnsimp. For further information pertaining to the Privacy Rule, the Office for Civil Rights has more detailed information at its Web site: http://www.hhs.gov/ocr/hipaa.