December 2000

Health Care E-lert - Primer on HIPAA's Privacy Provision, 12/04/00


The acronym HIPAA is on everyone's mind. However, many health care organizations are unsure about what the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will mean for them.

History and Purpose
Congress passed the Administrative Simplification provisions of HIPAA in the hope of creating a system that would make it easier to transmit health information between the various sectors of the health care industry. Congress recognized that expanding the transmission of medical data would also increase the likelihood of breaches of personal privacy. Therefore, it required that privacy regulations be adopted in tandem with the regulations that would expand potential access to protected health information.

The proposed rule on "Standards for Privacy of Individually Identifiable Health Information" was published on November 2, 1999, and may provide some indication of what the final rule will contain.
The proposed rule can be found at

HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit protected health information electronically, collectively known as "covered entities." Additionally, the proposed regulations extend HIPAA to the business partners of covered entities through business partner agreements. These agreements will require that any business partner who receives protected health information from a covered entity must meet the requirements of regulations promulgated under HIPAA. Furthermore, under this section of the proposed rule, patients whose information is transmitted to business partners will have the right to sue either party for violation of the business partner contract.

First, HIPAA applies to individually identifiable health information that is electronically maintained or transmitted by covered entities. Therefore, health information that has never been in electronic form, i.e., information that exists only on paper, will not be covered by HIPAA. However, once the information has been entered into an electronic system it is protected in all formats, whether electronic or "hard copy."

Second, covered entities will be able to disclose protected health information without authorization only for treatment, payment, and health care operations. Health care operations are services or activities that are compatible with or directly related to payment or treatment. This includes competence reviews of medical staff, quality assessment and improvement activities, compilation and assessment of information for legal purposes, insurance activities and contracts, and auditing services. Other types of disclosures must be accompanied by an authorization from the individual that is voluntary, not conditioned on treatment or payment, and that specifically states how the information will be used.

Third, individuals will have the right to receive information about an entity's procedure for handling health information, the ability to access their health information, the right to amend or correct health information, and the ability to obtain an accounting of disclosures of their health information.

Finally, anyone failing to comply with the privacy regulations will be subject to civil penalties of not more than $100 per violation, not to exceed $25,000 per year for violations of the same requirement. Additionally, if a covered entity or business partner knowingly discloses protected health information, it could be subject to both civil fines and criminal penalties. The extent of the punishment varies depending on the intent behind the disclosure. These penalties may be reduced if the entity at fault shows that it attempted to comply with HIPAA.

Both sides of the debate over the proposed privacy regulations are generally unhappy with the effect and coverage of the regulations. Those wanting more privacy for health records argue that the regulations do not go far enough to protect Americans' health information. For example, they believe that all health information, not just information that is electronically transmitted or maintained, should be covered. On the other side of the debate, opponents maintain that HHS has exceeded its powers under HIPAA, specifically in the sections extending the regulation's reach to business partners. They also argue that implementing the proposed regulations will require the health care industry to expend vast amounts of time and money, which in turn will add to the ever-rising cost of health care. Some experts believe that implementing HIPAA will cost more than the preparations made for Y2K. We will have to wait for the final regulations to see whether either side wins this debate.

Although it has been rumored that the final privacy regulations will be released before the end of 2000, there is no way to know exactly when we will have a concrete set of rules. Nevertheless, prudent organizations should begin to consider the effect of HIPAA on their current systems for handling health information and create compliance programs based on the guidelines of the proposed rule. Affected organizations may therefore wish to consider a number of measures, including:

  • appointing a privacy officer
  • reviewing and renegotiating contracts with business partners
  • creating a system so that protected health information is not wrongly disclosed
  • developing a HIPAA training program for employees
  • revising forms authorizing the release of health information.

For further information, please contact: Connie Baker at 410.244.7535 or by email.