The federal law giving privacy protection to medical records has been seven years in the making. Plenty of time, one would think, to get ready for it. Yet with the deadline now just around the corner, many companies that are affected by the law are still worlds away from meeting its requirements, if they are even aware that it applies to them.

“No one is going to be finished with all the stuff they need to do by [the] April 14 [deadline]. It’s too hard, too confusing, and there are too many open issues,” said Kirk Nahra, a partner in the Washington, D.C., office of Wiley Rein & Fielding, a leading law firm in the privacy arena.

Nahra echoed a widespread observation among those who are grappling with the law, known as the 1996 Health Insurance Portability and Accountability Act, or HIPAA, which sets rules for safeguarding the privacy of people’s medical records.

A recent survey by the trade publication Modern Healthcare found that at the end of 2002, health care providers were still well behind the eight ball. For instance, the survey found that only 30 percent had completed a list of all “business associates” that are privy to patient information. And only 17 percent had finalized the required business-associate contracts to ensure the confidential treatment of that patient data. The study found similar levels of procrastination for other privacy-related duties, with one exception: Nearly everyone had hired or designated a chief privacy officer, the easiest and often first thing companies can do.

Nahra said that of the health care providers, insurers were in the best shape, having spent “millions of dollars” to get into compliance. Large hospitals were also doing OK, he said. At the other extreme, “doctors are perceived to be uniformly behind,” Nahra said. “They’re in very bad shape.” Pharmacies, too, are considered to be lagging in their efforts to comply with the upcoming rules.

Findings by the National Committee on Vital and Health Statistics, a quasi-government body advising the agency charged with administering HIPAA, back Nahra’s perception. It estimated that at the end of 2002, “well below half of all small providers have made any effort to comply with the privacy rule, and some have no intent to do so.” The advisory body has predicted “widespread disruption of the health care system” come April 14.

MANY FIRMS UNAWARE LAW COVERS THEM

As difficult a time as the medical providers are having, even worse off are companies with health insurance plans, many of which do not even know that the law applies to them. Under HIPAA, any employer with a health insurance plan with more than $5 million in annual receipts is expected to meet the April 14 deadline. Smaller plans have until April 14, 2004.

Employers will have to appoint a privacy officer, create a “firewall” between people who handle health benefits and other employees, keep health data in protected areas and prepare written policies and procedures on how employee health records are handled.

Many companies, however, are under the mistaken impression that HIPAA applies only to the health care industry. “I sat down with my firm’s human resources people to explain the requirements to them and it was as if I was speaking Martian,” Nahra said.

Law firms in particular could find themselves unwitting subjects of HIPAA’s privacy rules not just as employers but also as “business associates” of health care providers. Any legal advice involving a person’s medical records, such as malpractice defense or insurance fraud claims, will require that the firm have a security plan that permits only authorized persons access to the records. This could create problems with, for example, expert witnesses, who may be reluctant to sign a contract that imposes all kinds of privacy obligations on them, Nahra said.

But even among those companies that know about HIPAA, “many are not sure what they’re supposed to be doing,” said David B. Spanier, a benefits partner in the New York office of Greenberg Traurig. Alternatively, they are doing too much. A cottage industry has sprung up that too often creates an unnecessary administrative burden for employers, he said. “I hate to tell clients that they’ve wasted their time and money paying for these services,” Spanier said.

Yet health care providers and others covered by the rule ignore it at their peril. HIPAA’s remedies border on the draconian: a violation is punishable by a fine of up to $250,000 and 10 years in jail. The U.S. Department of Health and Human Services (HHS) has publicly stated that it plans to go easy on enforcement, which will be handled by its Office of Civil Rights. According to a spokesman, the agency has no intention of coming after inadvertent violators, at least initially. Rather, enforcement will be prompted by complaints and intentional violations.

The concept behind HIPAA’s privacy rules is simple enough: Medical records should be private and should not be disclosed except in certain limited circumstances or when authorized by the patient. The law attempts to accomplish this by giving patients the right to control their own health information. Thus, patients have the right to withhold medical information about themselves, even from family members. They also have the right to see their medical files, insert information into the files, or review a log detailing who has seen the file.

Yet somewhere along the way, simplicity gave way to a morass of thousands of pages of regulations, conflicting and ambiguous guidelines and a wealth of misinformation from the mushrooming industry selling HIPAA “expertise” that has sprung up around the new rules. A major part of the problem stems from the manner in which HIPAA came into being, experts said.

The law had its genesis in the 1990s as a way to standardize electronic billing and claims in the health care industry. Congress saw HIPAA as playing a unifying role in a notoriously complex industry, saving providers billions of dollars in the process.

HIPAA HAS BALLOONED

But HIPAA has since ballooned, mostly in the form of regulations promulgated by HHS after Congress failed to come up with a privacy scheme for medical records. “Congress couldn’t agree on what the scope of privacy should be,” said Mitchell Olejko, a partner in the San Francisco office of Morrison & Foerster, “so they left it up to the agency.” HHS met the challenge with a thousand pages’ worth of regulations, which, after several iterations, were finalized in August 2002.

As it turned out, the regulations raised more questions than they answered. “They just missed a whole bunch of stuff,” Olejko said. “They don’t deal with how people work in the real world.” For instance, the regulations required that spouses have written authorization to pick up a prescription for their husband or wife, he said. The agency has since amended this particular requirement, but many other problematic rules still remain, he said.

Olejko pointed to medical research as one such potential problem area. Secondary analysis of the data, for example, could require that the researcher go back and get each subject to reauthorize the research, he said.

Another area of controversy revolves around how the federal law relates to the myriad state laws that protect medical information. HIPAA pre-empts only state laws that are less stringent. “But who knows what that means,” Olejko said.

Wiley, Rein & Fielding’s Nahra said HHS had not done much better with its attempts at guidance. He said that, for instance, in the “Frequently Asked Questions” section of its Web site, answers that turned out to be wrong “would just disappear” without any explanation.

Given all the uncertainty, lawyers said things will be far from settled come April 14. Some predicted that the deadline will actually create a whole new rush of activity. “I think there are a lot of people who are going to be scrambling after they read all the articles,” Olejko said.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.