HIPAA — not always the ‘hippo’
When the Health Insurance Portability and Accountability Act, commonly referred to as “HIPAA,” was enacted, commentators enjoyed making comparisons between the daunting HIPAA privacy regulations and a “hippo.” Hospitals, physician groups, dental practices, nursing facilities, and other health care providers who have spent considerable amounts of money and man-hours implementing the privacy requirements would likely describe HIPAA in less favorable terms, particularly after another new set of requirements, known as “HITECH,” was enacted as part of this year’s health care reform legislation.
However, HIPAA is not always the “hippo.” Contrary to popular belief, HIPAA does not apply to all organizations or to all types of health information. HIPAA governs the use and disclosure of health information by health care providers, health plans, and health care clearinghouses and their respective business associates. HIPAA does not apply to an organization solely because it maintains health information.
For example, HIPAA does not apply to health information that an organization maintains regarding its employees, such as fitness-for-duty exams or requests for medical leave. While employers have confidentiality obligations under the Americans with Disabilities Act and Equal Employment Opportunity Commission regulations, HIPAA requirements are not applicable to information used for employment purposes. On the other hand, if an employer sponsors a self-insured health plan, the health plan is subject to HIPAA, and the employer has certain obligations with respect to its administration of the health plan. HIPAA also provides a broad exception for health information related to workers’ compensation claims, consistent with applicable state law. Oklahoma law requires a treating physician to provide information about an employee’s medical condition and treatment to the employer. A HIPAA authorization signed by the employee is not required for the release of this information to an employer.
Even if HIPAA applies to your organization, not all health information is entitled to HIPAA protection. “Protected health information” has to satisfy three criteria.
- It is information created or received by your organization.
- With respect to an individual, it relates to the individual’s health or condition, the provision of health care, or the payment for health care.
- It identifies the individual, or there is a reasonable basis to believe that the information can be used to identify the individual.

If a receptionist tells a friend that an “adult film star” had a certain procedure at a surgery center, is this a HIPAA violation? Probably not. The patient was not identified and, without more information, the friend could not identify the individual. Although the receptionist likely violated the surgery center’s confidentiality policies, the HIPAA requirements for mitigation, breach reporting and other actions would not apply. Can a physician practice use photos of patients’ wounds in a seminar? Yes, as long as the photos do not include the patient’s face or other identifiers.
Finally, HIPAA does not provide a private right of action. An individual who alleges a HIPAA violation cannot sue your organization. The individual may file a complaint with the Department of Health and Human Services Office of Civil Rights, which is charged with investigating all complaints, and the Office of Civil Rights may impose civil penalties and refer potential criminal matters to the Department of Justice. We have found that if an organization has sufficient HIPAA policies and procedures in place and takes appropriate action in the event of a HIPAA mishap, the Office of Civil Rights typically investigates and then closes the matter. We have also figured out that many HIPAA complaints arise because individuals are unhappy about something else: their bill, their care or treatment, or interactions with staff members. Once again, good customer service can prevent a multitude of complaints.