Electronic data transmission technology allows increased portability of patient records, which, some argue, can jeopardize patient privacy. There have been reports of patient-identifiable health information being transmitted without patient consent to third parties that have nothing to do with health care. Employers, for example, have obtained detailed information about the types of pharmaceuticals taken by certain employees in order to determine what illnesses they may have. The result is that some patients are taking privacy protection into their own hands by providing inaccurate information, frequently changing their physicians, and, in some situations, completely avoiding care.


To ensure that patient medical records are afforded some degree of privacy, a number of jurisdictions, primarily at the state level, have enacted legislation restricting access to these records. The result, however, has been a patchwork of state laws with no uniform privacy standard. Recognizing both the privacy concerns and the lack of uniformity in protection, Congress, in a bipartisan action, enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996, also known as the Kassebaum-Kennedy Law. HIPAA required Congress to pass legislation protecting the confidentiality of health information by August 21, 1999; instructed the Secretary of Health and Human Services (HHS) to submit to Congress recommendations on standards governing the privacy of individually identifiable health information by September 1997; and provided that, should Congress fail to enact legislation by the August 1999 deadline, the Secretary of HHS must promulgate final regulations governing the privacy of electronically transmitted health information by February 21, 2000.

This past year, Congress attempted to pass legislation complying with the requirements of HIPAA. However, after four different congressional committees held hearings on the matter, there was no general consensus. Various forms of legislation were proposed, including, in the Senate, the Medical Information Privacy and Security Act, the Health Care Personal Information Nondisclosure Act, and the Medical Information Protection Act of 1999. The House proposed the Health Information Privacy Act, the Medical Information Privacy and Security Act, and the Medical Information Protection and the Research Enhancement Act of 1999. However, none of these bills were successful in the legislative process. As a result of Congress’ failure to pass medical records privacy legislation by the self-imposed deadline, the Secretary of HHS, as required by HIPAA, released proposed regulations regarding the privacy of electronically transmitted medical records.


The full text of the proposed regulations was published in the November 3, 1999 Federal Register and can be downloaded from the Department of Health and Human Services Web site. The proposed regulations are intended to apply to health plans, health care clearinghouses (such as billing companies and community health management information systems), and health care providers. In addition, those parties that have entered into contractual obligations with providers to provide or assist in the care given by providers are also specifically covered by the regulations. To ensure compliance by those parties assisting providers, the proposed regulations specifically require all providers to enter into contractual obligations with those parties to ensure that both will comply with all applicable regulatory requirements.

The proposed regulations are limited in scope in that they relate only to those medical records that are stored electronically or are derived from an electronic format. Medical records that are still recorded and stored on paper in the traditional form are not covered by the proposed regulations. However, the regulations apply to those paper medical records that are print-outs from records stored in electronic format.

In terms of overall protection of patient medical records, the coverage is not absolute. The proposed regulations apply only to individually identifiable health information in patient medical records. Examples include demographic information, any personal information provided by the patient, and any other data that identify, or could reasonably be used to identify, the patient. In order to use patient medical records without running afoul of the proposed regulations, all identifying information, including name, address (and zip code), names of relatives and employers, birth date, telephone numbers, social security number, and all medical record and health plan account identification numbers, must be removed.


Use of patient medical records without the patient's authorization is permitted in certain limited instances. The proposed regulations allow providers to use and disclose patient medical records without obtaining consent for purposes of treatment, payment, and health care operations such as quality assurance and evaluation of provider performance. Protected health information can also be disclosed without patient authorization for certain national priority activities such as law enforcement, public health emergencies, and government health data systems. These situations do not allow for wholesale disclosure of patient medical records; rather, only the information that is necessary for the intended purpose may be disclosed.

The proposed regulations would require providers to obtain an authorization to use an individual’s information for purposes other than treatment, payment, or health care operations. Examples include, but are not limited to, marketing of health and non-health items and services; disclosure by sale, rental or barter; disclosure to an employer for use in employment determinations; use or disclosure for fund-raising purposes; and use or disclosure of research information unrelated to treatment. The regulations also prohibit providers from conditioning treatment or payment on the patient agreeing to disclose information for such other purposes.

Under the proposed regulations, patients would have the ability to review their medical records, copy them, and request corrections or amendments to any information that is inaccurate or incomplete. Patients would also have the right to receive an accounting of the instances where protected health information about them has been disclosed for purposes other than treatment, payment, or health care operations.

The regulations are intended to preempt any state law that provides less stringent privacy protection. This will ensure a uniform minimum level of protection for electronic patient-identifiable information. Recognizing the right of the states to maintain public health and to regulate controlled substances, the proposed regulations do not preempt state laws directed at preventing fraud and abuse, regulating insurance and health plans, imposing state reporting requirements on health care delivery and costs, serving public health functions, or requiring reporting related to licensure, certification, and similar activities. Since states remain free to enact laws that are more stringent than the federal regulations, practitioners should be vigilant in monitoring regulatory changes occurring in their states. HHS plans to assist by issuing opinions, on its own initiative or at the written request of a state, on whether the proposed regulations preempt specific state laws.


The proposed regulations require providers to develop and implement basic administrative procedures to protect health information and the rights of individuals with respect to that information. These include the designation and appointment of a privacy official responsible for the development and implementation of privacy policies and procedures, appointment of a contact person (who may also serve as the privacy official) to receive and process complaints, the implementation of privacy training on an ongoing basis to all personnel likely to have contact with patient medical records, and the development and maintenance of document policies and procedures to ensure compliance with the proposed regulations.

Noncompliance by a party assisting a provider with the contractual provisions required by the regulations exposes that contracting party to civil and criminal liability. Such a breach does not, by itself, insulate the provider from civil and criminal sanctions either. However, the number of situations in which this provision would reach the provider is relatively limited. A provider would be deemed out of compliance with the regulations only where (i) the contracted party breaches the agreement by disclosing confidential patient medical records to unrelated third parties or by using the records in a manner inconsistent with their intended use, and (ii) the provider knew or should have known of the breach and failed to take reasonable steps to cure the breach or terminate the contract.

The current language of the proposed regulations does not give patients a private right of action to bring suit against providers for failing to comply with the regulations. However, a patient may have the right, depending on state law, to sue a contracted party if it violates a contractual obligation with a provider relating to the privacy of a patient’s medical records and the patient is an intended third-party beneficiary of such a contract. Given that few patients will be aware of the existence of such contractual arrangements entered into by providers, this exception is very limited in scope and unlikely to be exercised.


While patients may not sue providers for violation of the proposed regulations, HHS may impose civil penalties for failure to comply with the requirements, and criminal penalties may be imposed in more egregious situations. Civil fines are capped at $25,000 per calendar year for each provision of the proposed regulations that is violated. Given that the proposed regulations contain numerous provisions, the aggregate liability for failure to comply could be very large. Criminal penalties are graduated, increasing if the offense is committed under false pretenses or with the intent to sell the information or for personal gain.

The proposed regulations, once finalized, will rely on voluntary compliance, as there will be no active enforcement program by HHS. HHS anticipates that private citizens will file complaints with the government when they believe a violation has occurred. This is the enforcement mechanism currently used for other federal statutes, including the Civil Rights Acts and the Americans with Disabilities Act.

Once the proposed regulations are issued in final form in February 2000, providers must be in compliance no later than 24 months after their issuance. The period is extended to 36 months for small health plans with annual receipts of $5 million or less.


As health care providers and contractors, radiologists fall within the proposed regulations. The applicability of the regulations is particularly evident in the use of digital images. Digital images typically carry patient identifiers such as a name, medical record number, or social security number. A radiologist who stores and transmits digital images, a common practice, must recognize that, because of these identifiers, the image is protected health information subject to the disclosure restrictions of the proposed regulations. If images are used for teaching, marketing, or other purposes beyond treatment, payment, or health care operations, the patient's authorization is required before the image may be disclosed to others, unless the image can be de-identified, that is, sanitized to remove all patient-identifiable information.

Query whether it is possible to completely sanitize an image, particularly if the image depicts a patient with a very rare condition or physical attribute. For example, a de-identified computed radiograph of a six-fingered hand may not be attributable to a particular patient in an urban setting, but may well be attributable if the setting is a small town or rural county. Since most practitioners lack the statistical experience and expertise needed to gauge the risk of identification, the regulations propose a standard based on whether there is a reasonable basis to believe that the information can be used to identify an individual.
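The two steps described above, stripping the identifiers listed earlier and then asking whether the remaining attributes still single out a person, can be made concrete in code. The following Python example is added here for illustration and is not part of the article or of the proposed regulations. The field names, the two constructed reference populations (one "urban", one "rural"), the age band kept in place of the birth date, and the threshold k below which a match is treated as a reasonable basis for identification are all assumptions made for this example; the regulations themselves set no numeric threshold.

```python
"""De-identification plus a re-identification risk check.

Added example, not from the original article. Field names, sample data,
reference populations and the threshold k are assumptions for illustration.
"""
from collections import Counter

# Direct identifiers the article says must be removed before a record can be
# used outside treatment, payment and health care operations.
DIRECT_IDENTIFIERS = {
    "name", "address", "zip", "relatives", "employer", "birth_date",
    "telephone", "ssn", "medical_record_number", "health_plan_id",
}

# Attributes that legitimately remain on a de-identified image record but that,
# in combination, may still point to one person (assumed field names).
QUASI_IDENTIFIERS = ("finding", "sex", "age_band")


def de_identify(record: dict) -> dict:
    """Return a copy of the record with every direct identifier removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _key(record: dict, fields=QUASI_IDENTIFIERS) -> tuple:
    """The combination of remaining attributes used for the risk check."""
    return tuple(record.get(f) for f in fields)


def reidentification_risk(record: dict, population: list, fields=QUASI_IDENTIFIERS, k=5):
    """Count how many people in a reference population share the record's
    remaining attributes. Fewer than k matches is treated, in this example,
    as a reasonable basis to believe the record can be tied to an individual.
    Returns (match_count, at_risk)."""
    counts = Counter(_key(p, fields) for p in population)
    matches = counts[_key(record, fields)]
    return matches, matches < k


def make_population(n_matching: int, n_other: int) -> list:
    """Constructed reference population: n_matching people share the sample
    record's quasi-identifiers, n_other people do not."""
    matching = [{"finding": "polydactyly", "sex": "F", "age_band": "30-39"}
                for _ in range(n_matching)]
    other = [{"finding": "fracture", "sex": "M", "age_band": "40-49"}
             for _ in range(n_other)]
    return matching + other


# Constructed sample record for a computed radiograph of a six-fingered hand.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "1 Main St",
    "zip": "90000",
    "birth_date": "1965-04-02",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "health_plan_id": "HP-0001",
    "finding": "polydactyly",
    "sex": "F",
    "age_band": "30-39",   # coarsened from birth_date, kept after de-identification
    "modality": "CR",
}

# Constructed populations: several matching patients in the urban catchment,
# exactly one in the rural catchment.
URBAN = make_population(8, 200)
RURAL = make_population(1, 40)


if __name__ == "__main__":
    clean = de_identify(SAMPLE_RECORD)
    assert DIRECT_IDENTIFIERS.isdisjoint(clean)
    for label, pop in (("urban", URBAN), ("rural", RURAL)):
        n, risky = reidentification_risk(clean, pop)
        print(f"{label}: {n} matching patients, reasonable basis to identify: {risky}")
```

The same de-identified record passes in the urban population (eight matches) and is flagged in the rural one (a single match), which is the article's six-fingered-hand point in runnable form. A practitioner adapting this would replace the constructed populations with actual counts for their own catchment area and choose k deliberately, since k is the policy decision the "reasonable basis" standard leaves open.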

Radiologists will be responsible for not only ensuring their own knowledge of the policies and procedures adopted pursuant to the privacy regulations, but also ensuring that their nurses, technicians, and administrators are trained in the same. In addition, radiologists should get assurance from any parties with whom they contract and who receive patient-identifiable information (eg, hospital, billing company, locum tenens, third-party payors, etc) that such information will be handled in accordance with the new regulations.


The proposed regulations have been the subject of significant criticism. For example, the cost to the health care industry to implement the new regulations is unknown. Estimates range from as low as $2 billion to as high as $43 billion over the next 5 years alone. While the true cost will be determined in time, consumers fear the cost will be passed to them in the form of higher health insurance premiums.

There are also concerns about potential loopholes in the regulations that may be exploited. As discussed above, those records that have not yet been stored in electronic form or derived from electronic form are not covered by the regulations. For those records that are stored in electronic form, lawyers, auditors, consultants, and third-party administrators who come into possession of the medical records are not subject to the proposed regulations. It is unknown if the proposed regulations will be modified to address such concerns, but many consumers hope that Congress will enact more comprehensive patient privacy legislation. The Senate Health Committee has already announced that it intends to hold hearings on the proposed regulations once they are finalized. Given its inability to meet the deadline imposed by HIPAA, it is unlikely that Congress will pass any new legislation on the matter in the immediate future.

The inability of the patients to sue their providers is another issue of concern to many consumers. Only legislation enacted by Congress can grant patients a right to sue since HHS does not have the ability to create such rights without congressional authorization.

The deadline for submitting comments on the proposed regulations is February 17, 2000. The regulations are scheduled to be finalized and to take effect on February 21, 2000. Once finalized, the new regulations should be a significant step forward in protecting patient privacy while allowing practitioners to realize the enormous benefits that electronic patient information technology can bring to their practices.


Scott A. Edelstein, JD, MPA, is a partner and John M. Alpay, JD, is an associate in the health law department of McDermott, Will & Emery, Los Angeles.