Nearly every document that makes any mention of a patient in your facility can be considered protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), says Veronica A. Marsich, JD, a shareholder with the law firm of Smith Haughey in East Lansing, MI, specializing in health care issues. Even the slightest identifier or reference to an individual’s health can make a document PHI, she says, and that creates a lot of work for a risk manager trying to ensure compliance.
"You really have to consciously expand your concept of your notion of what we’re trying to protect," Marsich says. "The federal government has told America that they have a federal right of privacy with respect to their health information, and their health information is more than just their medical records. It’s bigger than that. That is a sense that has to be embraced within your organization if you want to be in compliance."
She addressed HIPAA compliance at the recent meeting of the American Society for Healthcare Risk Management (ASHRM) in Nashville, TN. "The bottom line is you have to take this seriously," Marsich notes. "This is a big change. If you want to get hyped up about HIPAA, get hyped up about the definition of PHI because that’s the biggest change conceptually from what we did before."
Everything else regulated by HIPAA, such as the particulars of what information can be exchanged with whom, and when, doesn’t change a great deal from pre-HIPAA days, Marsich says. But the definition of PHI is so broad that risk managers must protect far more information than before, she says.
Marsich also notes that efforts to "de-identify" patient information by removing all identifiers are usually not worth the effort. In most cases, she says, researchers or analysts find the data useless if they can’t be connected to individual patients.
Business associates still a thorny issue
Marsich admits that she "hates" HIPAA because it is overly restrictive and amounts to a bureaucratic exercise with little benefit to the patient. Nevertheless, she says, risk managers must be careful to comply fully, and the ASHRM attendees expressed their own frustration with how to follow the law. The concept of "business associates" prompted many questions from perplexed risk managers, and Marsich says she is not surprised.
"A lot of providers have just given up and called everyone a business associate, but that doesn’t work because most people won’t sign the agreements if they know they’re not one. And some won’t sign it even if they are," she notes. "Business associate agreements are one of the most difficult parts of complying with HIPAA."
Marsich says she often is asked if attorneys working with a health care provider are business associates, and the answer is yes. A business associate is anyone you hire to do something for you, so Marsich says that covers a wide range of contacts. But that does not include every contract or person you do business with. Your landlord, for instance, is not doing anything on your behalf. So the landlord is not a business associate even though you are doing business with him or her.
"It’s anyone you hire to do something for you instead of you doing it yourself. You need business associate agreements with your legal counsel, billing agents, collection agencies, with anyone who provides business services on your behalf," she says. "But you don’t have to get a business associate agreement with anyone who provides treatment. And the definition of treatment is hugely broad."
Insurers probably not business associates
Another frequent question involves liability insurance companies. Are they business associates of the health care provider? Marsich says government guidance on HIPAA suggests they are not, with the reasoning that the insurers are working for themselves and not for the health care provider. "That’s an interpretation that I think most risk managers won’t disagree with," Marsich says. "It’s a cynical way of looking at the relationship, but it means you don’t need a business associate agreement with your insurer."
Some risk managers also have wondered if it is a HIPAA violation to provide PHI to insurers when shopping for insurance. It is almost impossible not to, they say, because the insurers demand data about the health care provider’s history and patients. Marsich says that practice is safe and does not require a business associate agreement.
"You’re using the data for a health care function, the acquisition of insurance coverage you have to have. The use of that data is permitted without a business associate agreement because until you have a contract you don’t have anyone working on your behalf, and even then the government says the insurer isn’t really working on your behalf," she says. "But if you have a broker shopping for you, you need a business associate agreement with the broker because you’re not doing your own work anymore. You hired someone else to do it for you, and that’s the definition of a business associate."
There is ample opportunity to run afoul of HIPAA during a provider’s daily operations, Marsich says. Medical staff not following policies or misusing access represents a major risk, but she also warns about unnecessary and inappropriate conversations among employees. Unauthorized conversations with family and friends are another big risk.
Marsich notes that HIPAA also can supersede some state laws regarding confidentiality. "HIPAA probably supersedes state law provisions that enable co-defendants to simply share records as part of a pre-suit discovery process, as well as state statutes that provide a patient has waived the physician-patient privilege with respect to any medical information relevant to a damage claim in a legal action," she says. "HIPAA is probably not impacted by waiver of a privilege, because HIPAA protects information that is not even covered by a privilege."
Marsich points out that though HIPAA establishes a standard of care in terms of what is necessary to protect health information, it is only a minimum, and health care providers are free to be more restrictive if they want. Such an overly cautious approach by other providers often is based on a poor understanding of the law, and it can frustrate health care providers who are trying to engage in a legitimate and necessary exchange of information. But she says you can’t really fight them.
"When you run into those health care providers who are doing more, doing something that HIPAA doesn’t require and it frustrates you, their response can be, ‘So what? I can if I want to.’ That is for the most part true," Marsich says. "HIPAA is a floor, a minimum for what we must do."
She notes that HIPAA allows PHI to be disclosed for law enforcement purposes. An example would be providing information under laws that mandate reporting of certain types of physical injuries or events. HIPAA also is not an issue if you are providing PHI in compliance with a court order or court-ordered warrant, or pursuant to a grand jury subpoena, an administrative subpoena, or a summons.
However, Marsich explains that, when releasing PHI for law enforcement purposes, the information must be relevant and material to a legitimate inquiry. The request must be specific and limited in scope to the extent reasonably practicable. HIPAA also requires satisfactory assurance from the requesting party that reasonable efforts have been made to give notice to the patient.
"Alternatively, they have to make reasonable efforts to secure a qualified protective order," she says. "If neither of those things happen, it’s still OK to disclose the information if the covered entity itself makes the same reasonable efforts."