Medical Privacy and Security: Is Your Medical Office Ready for HIPAA?
by Scott Einiger, Esq.
Protecting confidential medical information has historically been addressed at the local level, with each state setting its own rules and regulations. In New York State, the legal protections afforded individuals concerning their confidential medical information are delineated by statute in the Civil Practice Law and Rules (CPLR), the Public Health Law and the Mental Hygiene Law.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally enacted to enhance (not guarantee) certain health care insurance coverage for Americans. HIPAA also creates a national, standardized set of rules for maintaining (security) and protecting (confidentiality) patient medical information, known as PHI (Protected Health Information). The privacy component of the HIPAA law will go into effect with the first medical service delivered on April 14, 2003. The law has recently undergone significant amendments since the “Final Rule” was originally enacted. While the federal law will not pre-empt more restrictive state law, HIPAA does create certain mandatory procedures that must be implemented by all covered entities to avoid potential monetary fines and, for intentional acts, even possible criminal penalties.
While the HIPAA regulations may continue to undergo further fine-tuning to address various practical concerns, it is imperative that physicians and their administrative office staff not wait to educate themselves about the federal law’s purpose and its actual legal requirements. Educating the office staff is one of the key requirements of the law. Implementing a written compliance plan is another. Waiting until the effective date could prove costly. Failure to institute a good faith and reasonable office compliance program, to provide privacy notice to patients concerning their rights, to protect against the unauthorized release of confidential records, and to implement security safeguards for data in transit and data maintained in the office could place physician owners, their employees (including administrative office staff) and even business associates at grave risk of monetary fines and even criminal penalties for the unauthorized disclosure of PHI. The Office for Civil Rights (OCR) is responsible for implementing and enforcing the privacy regulation.
II. Covered Entities and Covered Services
Covered entities within HIPAA’s jurisdictional reach include those that provide, pay for, or electronically submit information concerning health care services or billing, including hospitals, health plans, and group and solo medical offices. Virtually every individual physician practitioner and group medical practice is a covered entity under the jurisdiction of the HIPAA federal law, as submission of their claims to managed care entities and/or governmental programs (Medicaid/Medicare) will all be done electronically. This includes the services (i.e., tests and procedures) provided directly to patients by primary care physicians, and also includes medical services performed indirectly, or tests or procedures ordered, by medical consultants (such as radiologists) at the direction or order of another physician.
III. Protected Health Information
Once an entity falls under the jurisdiction of HIPAA, Protected Health Information (PHI) under the federal law is broadly defined and includes all information, whether recorded or oral, that relates to past, present or future health conditions, medical care, or payment for said conditions or care. Creating an effective confidentiality and security compliance program will help avoid the penalties and sanctions that apply to noncompliant programs. Such penalties and sanctions could include civil penalties and fines for each violation ($100 per violation, with a maximum penalty of $25,000/year for identical violations) and, for intentional violations of the law, could even include criminal penalties (i.e., fines between $50,000 and $250,000 and imprisonment terms of 1 to 10 years).
HIPAA is a complex and extensive national initiative which includes at its core rules that govern: notice to patients of their rights, protection of confidential medical information, and rules requiring medical professionals to implement reasonable precautions and safeguards to protect the privacy and security of confidential Protected Health Information (PHI). It behooves all medical offices, including the physician owners, employees and administrative staff, to learn HIPAA’s rules, as there are serious monetary fines and even criminal (if intentional) penalties for unauthorized disclosures of PHI as of April 14, 2003.
(CPLR 4504, Public Health Law 18, Article 27-F of the Public Health Law and MHL 2205).