
HIPAA Privacy and Security Compliance

Ten Common Misconceptions about HIPAA

February 2005

    Several years ago the Health Information Privacy and Accountability Act (HIPAA) was the subject of tremendous attention and trepidation. This Act (at least parts of it) is now the law, and the provision of medical care has continued uninterrupted, albeit with some changes (eg, more password-protected medical documents) and educational programs (to spread the word on HIPAA). Despite these changes and programs, misconceptions still remain. This article reviews 10 common misconceptions about HIPAA and attempts to clarify the material surrounding them.

    1. The government is vigorously enforcing HIPAA, including imposing jail time and fines.
    Some think the federal government, in the incarnation of the Centers for Medicare and Medicaid Services (CMS), the Department of Health and Human Services (HHS), and/or HHS’s Office of Civil Rights (OCR), is vigorously enforcing HIPAA — imposing big fines and meting out jail time for violators. This is not the case. The government is encouraging doctors, hospitals, and others to implement HIPAA but, thus far, has not been severely penalizing breaches in healthcare providers’ compliance with HIPAA.

    The OCR began accepting privacy-related complaints against covered entities as of April 14, 2003. Complaints have been made for a variety of reasons, including 1) impermissible use or disclosure of an individual’s protected health information, 2) lack of adequate safeguards to protect protected health information, 3) refusal or failure to provide an individual with access to or a copy of his or her records, 4) disclosure of more than the “minimum necessary” information to satisfy a particular request for protected health information, and 5) failure to provide an individual with notice of the entity’s privacy practices and the individual’s rights. These complaints are most likely to be filed against those who have direct contact with patients — in particular, private healthcare practices, hospitals, pharmacies, outpatient facilities, and group health plans. As of March 1, 2004, OCR had received and initiated reviews of approximately 4,755 complaints under HIPAA.

    Approximately 43% of these 4,000-plus cases had been closed by the OCR for a variety of reasons, including 1) OCR’s determination that it lacked jurisdiction under HIPAA (eg, the alleged violation occurred before the compliance date or the allegation is against an entity not covered by the Privacy Rule); and 2) the alleged activity did not violate the Privacy Rule (eg, the covered entity had declined to disclose protected health information in circumstances where the Privacy Rule would permit such a disclosure). Some complaints were resolved in a satisfactory fashion through voluntary compliance (eg, the individual was provided access to the medical record after alleging that it had previously been denied). The number of HIPAA breaches that the OCR has referred to the Department of Justice for criminal action is unknown. In sum, knowing about HIPAA and integrating its strictures into medical practice is necessary, but CMS, HHS, and the OCR have yet to punish providers in any substantial fashion for breaching HIPAA.

    2. HIPAA creates a private right of action.
    The only entity that can use HIPAA to sue a physician and impose monetary penalties and prison sentences is the HHS. Patients cannot use HIPAA as a cause of action to sue — that is, a patient does not have a right to sue a physician for damages if the patient claims the physician has violated HIPAA’s strictures. HIPAA does not provide a private cause of action for violation of its standards. Although plaintiffs have tried to piggyback onto the requirements and strictures of HIPAA, only the federal government can use the remedies that HIPAA provides. In the future, however, HIPAA might affect the standards that provide patients with individual causes of action.

    3. HIPAA forbids using waiting room lists and other common practices involving medical information.
    HIPAA requires healthcare providers to use common-sense privacy protections to protect patient information. HIV-positive patients, however, are afforded extra protections beyond the scope of HIPAA. For example, a healthcare provider can announce the names of patients in a waiting room but may want to consider saying first names only; in HIV clinics, names cannot be announced. Healthcare providers can use a sign-in sheet (but not in HIV clinics), but the information collected should be limited to the patient’s name and time of arrival. Visit reminder postcards can still be mailed to patients but can contain only minimum information (eg, date, time, contact information). Healthcare providers should give serious consideration to using letters enclosed in envelopes when communicating in any way with patients. Finally, a healthcare provider’s office practices for reminding patients of appointments should be explained in the Notice of Privacy Practices given by the healthcare provider to their patients. Charts can be left outside examination room doors, but optimally the charts should be turned so the patient’s name faces the door. Not having a patient’s name facing outward prevents inadvertent disclosure of patients’ names. Charts cannot be placed on the same shelf area where patients check in. If patients refuse to sign the Notice of Privacy Practices, they can still be treated, but HIPAA regulations still require a good-faith effort at obtaining written acknowledgment of receipt of this Notice. Charts must be kept secure; while a locked chart file cabinet provides optimal protection, no requirement for locked file cabinets exists. The OCR suggests that chart use be accompanied by 1) physical barriers (eg, a reception desk), 2) “Authorized Personnel Only” signs, 3) training of staff to recognize unauthorized persons and escort them to the reception area, and 4) clear communication with the janitorial staff and like persons that files should not be touched or examined.

    4. You must use high-priced consultants to comply with the strictures of HIPAA.
    A number of consultants and education providers claim expertise in HIPAA and that they or their materials or systems are endorsed or required by the federal government. This is not the case. The federal government — in the manifestation of HHS and OCR — does not endorse any private consultants’ or education providers’ seminars, materials or systems. The federal government does not certify any persons or products as “HIPAA compliant.” HIPAA does not require attendance at any specific seminars.

    5. There is no easily accessible help to comply with HIPAA’s requirements.
    Materials needed to gain a basic understanding of HIPAA are available at the websites of the HHS and OCR at no cost (visit www.hhs.gov/ocr/hipaa). In addition, a number of medical societies and academies (eg, the American Academy of Dermatology) have assembled low-cost packages of documents and manuals. Almost all medical centers have held seminars on HIPAA and have employees to whom questions can be directed — some of whom are the Privacy Officers that HIPAA requires. In addition, you can call HHS and ask for advice on complying with HIPAA.

    6. All components of HIPAA have been implemented.
    HIPAA has many components, some of which have yet to be implemented (see Table 1). For example, the privacy rule is now in full effect and specifies a series of administrative, technical, and physical security procedures for covered entities (ie, physicians, hospitals, healthcare clearinghouses) to ensure the confidentiality of electronic protected health information. Specific patient information (eg, date of birth, social security number) is protected health information that must be kept protected and private.

    Not fully implemented are the transactions and code set standards and the Employer Identifier Standard. These standards were created to decrease administrative complexity and costs. The final rule modifies a number of the electronic transactions and code sets adopted as national standards under HIPAA and eliminates the National Drug Codes (NDC) code set as the standard for all providers except retail pharmacies. It does not adopt a standard for reporting drugs and biologics on non-retail pharmacy transactions. The Employer Identifier Standard will deal with the companies that provide health insurance and will be defined further in the future.

    National Provider Identifier. HIPAA mandated the creation of a National Provider Identifier to help decrease administrative complexity. The National Provider Identifier (NPI) Final Rule, required by HIPAA to create a unique health identifier for healthcare providers, was published in the Federal Register on January 23, 2004. Healthcare providers can begin applying for NPIs on the effective date of the final rule, which is May 23, 2005. All healthcare providers are eligible to be assigned NPIs; healthcare providers who are covered entities must obtain and use NPIs. All HIPAA covered entities should use NPIs by the compliance dates (May 23, 2007 for all but small health plans; May 23, 2008 for small health plans).

    Identifier use is complicated. According to the CMS, healthcare payors and claims clearinghouses may continue using legacy provider identifiers for internal processes after the May 23, 2007 compliance date for the HIPAA NPI. This means that while providers must migrate to the new identifier, payors and clearinghouses can keep using the Unique Physician Identification Number, Medicare Provider Number, Medicaid Provider Number, and others for internal processes. In such a situation, they would map the national provider IDs with the appropriate legacy identifiers already in their computer systems.

    7. HIPAA impedes the provision of medical care.
    Some people assume that the HIPAA controls that keep patients’ digital information private and secure will compromise care. This is not the case. Different physicians can share information related to a patient’s care without specific written permission. The “minimum necessary” concept that applies to payment, operations, and research does not apply to the treatment of patients when physicians communicate. Healthcare providers should exercise professional judgment (animated by “the best interest of the patient”) when deciding with whom to share patient care information, such as family members, when patients cannot communicate their preferences.

    8. Physicians do not benefit from HIPAA in any way.
    Some doctors think HIPAA will not benefit the practice of medicine. This is not the case. The transaction standards that will be part of HIPAA will make it easier for doctors to submit medical claims and will decrease administrative costs. The adoption of HIPAA should head off patient claims for “breach of privacy” and even more onerous privacy legislation, because healthcare information privacy procedures are now in place that enhance the security and confidentiality of patients’ healthcare information. Finally, HIPAA has been an impetus to the deployment and utilization of electronic medical records, which have been shown to enhance care. Although costs heretofore have been substantial, HIPAA should benefit physicians, patients, and American healthcare.

    9. HIPAA negates all previous state and federal privacy laws.
    HIPAA is not the only piece of legislation that pertains to patient privacy. Other laws still cover the privacy of medical data in the contexts of HIV, mental health, alcohol and drug abuse, assault and abuse, and the records of minors. The privacy parts of HIPAA now supplant, for the most part, a large portion of the state law that covered issues of medical privacy. Some state laws are still important in specific contexts. In particular, because HIPAA covers digital medical information and not medical information that is kept purely in paper form, state medical privacy laws would likely still cover purely “paper” patient medical information. In addition, state laws that give patients a private right of action to sue doctors for “breach of privacy” are still in force. More state medical privacy law exists; therefore HIPAA, although the most famous medical privacy law, is not the final or only word on medical privacy.

    10. As legislation, HIPAA is unique and does not relate to other laws.
    HIPAA is not the only federal legislation that relates to healthcare law. Federal law fits HIPAA into the context of other federal laws that include 1) the Employee Retirement Income Security Act of 1974 (ERISA) that establishes national standards for employee benefits; 2) the Consolidated Omnibus Budget Reconciliation Act (COBRA), which provides some workers and their families with the right to continue their health coverage for a limited time after certain events, such as the loss of a job; 3) the Newborns’ and Mothers’ Health Protection Act covering law surrounding maternity; 4) the Mental Health Parity Act giving special protections to patients in the provision of mental health care; and 5) the Women’s Health and Cancer Rights Act. These laws relate to HIPAA because their subject matter — ie, patient information — is what HIPAA is meant to protect. A full understanding of HIPAA requires an understanding of these laws.

Conclusion

    HIPAA has not resulted in a significant alteration of the healthcare provided in the US. While complex, it has been adapted to fit the realities of medical practice. As yet, breaches have not resulted in significant penalties, and its implications and effect have yet to be fully felt. Avoiding misconceptions facilitates compliance with its requirements and enhances the proper provision of patient care.
