Health Information Portability (Privacy) and Accountability Act (HIPAA)

By Karen L Kahn

Implementation of HIPAA’s Privacy Rules

The Health Insurance Portability (Privacy) and Accountability Act of 1996 (“HIPAA”) Rules took effect on April 14, 2003. Professionals need legal help with various parts of the Privacy Rules: reviewing Business Associate Agreements/Powers of Attorney; drafting Privacy Notices and HIPAA-compliant Authorizations; and resolving issues of privacy involved in providing services to individuals. As with all new regulations, a fair amount of interpretation is required, and the HIPAA Privacy Regulations leave many issues unaddressed. Compliance with HIPAA’s Privacy Rules will require legal assistance for some time. Below we describe a few of the problems that have surfaced in implementing the HIPAA Privacy Rules.


We have drafted and reviewed many Business Associate Agreements/Powers of Attorney. Although the Department of Health and Human Services (“DHHS”) posted a model Business Associate Agreement/Power of Attorney, most of the Business Associate Agreements/Powers of Attorney we have seen are individually drafted by professionals for individual clients. Since the responsibility for having a compliant Business Associate Agreement/Power of Attorney rests with the individuals, these Powers of Attorney must be reviewed carefully to ensure that they provide all the necessary representations to fulfill the covered entity’s legal responsibilities. Three particularly troublesome areas that should be reviewed carefully are: (i) any provisions relating to indemnification; (ii) representations regarding compliance with requirements for access, amendment and accounting of disclosures of protected health information (“PHI”); and (iii) the necessary reciprocity provisions where the covered entity also functions as a business associate of the entity from which it is requiring a Business Associate Agreement/Power of Attorney.


Human resources departments, doctors’ offices and lawyers have required assistance in developing HIPAA-compliant authorization forms. The problem already surfacing is that even where an authorization meets the requirements set forth in the HIPAA Privacy Rules regulations, some healthcare providers will not disclose protected health information (PHI) without a proper Business Associate Agreement/Power of Attorney specifically covering HIPAA disclosure language. These healthcare providers, trying to avoid making any error under HIPAA by disclosing PHI inappropriately, are simply refusing to provide medical records to anyone except the patient or Power of Attorney Agent without a proper Business Associate Agreement/Power of Attorney specifically covering HIPAA disclosure language.


Healthcare providers and Power of Attorney Agents must “account for any disclosure” unless it is listed in one of the nine exceptions from the disclosure accounting rules. Few healthcare providers and even fewer Business Associates/Powers of Attorney are clear on when they must record a disclosure of PHI. Some have reacted by suggesting that they will record all disclosures. Recording every disclosure of PHI will prove impossible for nearly every healthcare provider or Power of Attorney. Yet, being clear on what disclosures must be accounted for will require training and a bit of clairvoyance as to what the DHHS has intended.