HIPAA: Impacts and Actions by States
Updated February 2012; material added October 2014
The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, continues to have a broad impact on state health policy, as well as on virtually all health providers, insurers and health consumers. Listed below are brief updates and resources of potential interest to state legislatures.
On March 23, 2010, President Obama signed the Affordable Care Act. Section 1561 required HHS, in consultation with the Health Information Technology (HIT) Policy Committee and the HIT Standards Committee, to develop interoperable and secure standards and protocols that facilitate electronic enrollment of individuals in federal and state health and human services programs. The recommendations made by the Committees are available from HHS; a number of them address HIPAA-related issues.
HHS rule protects patient privacy, redefines health information distribution (2013)
New Privacy Rules Apply to ACA
On January 17, 2013, the U.S. Health and Human Services’ Office for Civil Rights released its long-awaited final regulations expanding privacy rights for patients and others. These new rules trigger major changes in the medical record privacy measures required of health providers by two federal laws, the Health Insurance Portability and Accountability Act (HIPAA, enacted in 1996) and the Health Information Technology for Economic and Clinical Health Act (HITECH, enacted in 2009).
Although not written specifically for the ACA, these rules will apply to virtually all people insured or treated, including those newly covered through exchanges, private employer coverage, and Medicaid expansions. “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. The rules expand privacy measures to apply to additional groups that have access to patient information “regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The final regulations, published January 25, 2013, spell out the new HIPAA compliance obligations of business associates and — for the first time — directly regulate thousands of “subcontractors.” Among many things, the rule also prohibits health plans from using genetic information for underwriting (as called for under the Genetic Information Nondiscrimination Act, GINA, enacted in 2008) and adds new privacy restrictions on health-related businesses engaged in marketing and fundraising. One of the highlights of the rulemaking is the creation of a clearer process to determine when patients must be notified of a "breach" in their medical record privacy.
HHS issued a summary release that included the following:
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
- The final omnibus rule announced January 2013 may be viewed in the Federal Register (as published 1/25/2013) (138 pages, PDF)
- A listserv published by the HHS Office of Civil Rights is available to state policymakers and the public, at OCR-PRIVACY-LIST
Federal Guidance: Court Rulings Extend HIPAA Provisions to All Married Couples
Since the U.S. Supreme Court ruled in June 2013 that the portion of the federal law defining “marriage” as a legal union between a man and a woman was unconstitutional, federal agencies have been reviewing their regulations to see which may need to be altered to grant certain rights to married gay couples. In September 2014, the HHS Office for Civil Rights (OCR) issued guidance clarifying that, as a result of Windsor v. United States, the definition of “marriage,” “family” and “dependent” in the privacy rule was expanded to include same-sex couples who are legally married.
Given the ruling on the Defense of Marriage Act, these terms now “apply to all individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage,” according to the OCR guidance, which was published on Sept. 17, 2014.
STATE-BASED RESOURCES
HHS Electronic Health Record Regulations
In 2010, U.S. Department of Health and Human Services Secretary Kathleen Sebelius announced final rules to help improve Americans’ health, increase safety and reduce health care costs through expanded use of electronic health records (EHR). “Health care is finally making the technology advances that other sectors of our economy began to undertake years ago,” Dr. Blumenthal said. “These changes will be challenging for clinicians and hospitals, but the time has come to act. Adoption and meaningful use of EHRs will help providers deliver better and more effective care, and the benefits for patients and providers alike will grow rapidly over time.”
NOTE: NCSL provides links to other Web sites from time to time for information purposes only. Providing these links does not necessarily indicate NCSL's support or endorsement of the site.
Health Information Technology (Includes archive materials)
- NCSL’s Project HITCh—for Health Information Technology Champions—supports state legislative decision-making about HIT. For details about what states are doing, go to www.ncsl.org/programs/health/forum/hitch/. For more detailed reports, visit: http://www.ncsl.org/default.aspx?TabID=160&tabs=832,97,328#328.
- A 2008 NCSL report describes and provides links to specific state legislation on HIT and public reporting: www.ncsl.org/programs/health/Transparency.htm.
HIPAA functions expanded by HITECH Act. Among other HIPAA changes made in the new law (all of which should be of concern to health care providers, health care payors and health care clearinghouses, the "covered entities" or CEs, and their "business associates", the vendors who touch electronic protected health information or ePHI), there is a provision that permits state attorneys general to file HIPAA enforcement actions on behalf of the people of their state, in order to protect their interests, and to seek injunctive relief and/or money damages. See Sec. 13410(e) of ARRA (p. 160 of HR 1 PDF). A web blog posting titled "HIPAA enforcement by state attorneys general: The shape of things to come" provides details on a CT case. 1/15/2010.
Profiles of Progress 4: State Health IT Initiatives - published by NASCIO, July 2010.
Office of the National Coordinator for Health Information Technology, US Department of Health and Human Services
"50 Little Labs: States are functioning as proving grounds for healthcare information technology initiatives" - Healthcare Informatics, 10/08.
FTC Sets Rule Requiring Public Notification of PHR Breaches. In mid-August 2009, the Federal Trade Commission issued a final rule requiring personal health record providers to alert consumers about data security breaches. The rule also requires organizations to notify the media if the security breach involves more than 500 people. FTC's regulations will apply to Google Health, Microsoft HealthVault and others. Government Health IT, Health Data Management. 8/20/09.
- "Profiles in Progress: State Health IT Initiatives," by the National Association of State CIOs, a compendium highlighting health IT initiatives in all 50 states and D.C. Released 11/15/06 [54 pages, PDF]
HEALTH INFORMATION TECHNOLOGY: Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy. Report by the Government Accountability Office identifies challenges that the Department of Health and Human Services faces in trying to protect electronic patient data. However, HHS says that it already has adopted a privacy approach. 6/19/07. [23 pages, PDF]
CMS Gears Up for South Carolina Test of Personal Health Records. The Centers for Medicare and Medicaid Services project will offer personal health records to 100,000 participants in South Carolina's Medicare fee-for-service program and will include a campaign to encourage use of the PHRs. The results of the South Carolina project will be compared with the results of earlier PHR initiatives. Government Health IT, 1/21/08.
HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions, effective May 23, 2007. All such organizations need to ensure they are prepared for the May 2007 NPI deadline.
2006 Minnesota e-Health Initiative Progress Report to the Minnesota Legislature [23 pages, PDF] and Minnesota e-Health Reports and Recommendations.
eHealth Initiative - an association with information on commercial and governmental projects. Updated regularly.
Report: Three-quarters of states are developing HIEs. Published on April 22, 2008 (c) Govt. Health IT: Three-quarters of states have begun developing some kind of health information exchange, according to a report released today by the State-Level HIE Consensus Project. The project’s director, Lynn Dierker of the American Health Information Management Association, told a Health and Human Services Department advisory panel that the need for health care reform generally falls behind the creation of state-level HIE organizations, along with the need to keep patients' data private and secure. Some HIEs have advanced to the point where they are nearly ready to begin exchanging data, Dierker told the American Health Information Community. "We feel like we are labs" for the exchange of patients' health data, she said.
The HIEs are public/private partnerships and seldom part of state governments, she said. They usually include stakeholders from many interest groups, and they serve the public interest, operate cost-effectively and protect the privacy of patients whose records move through the network. Although governance responsibilities are the most common role of state-level HIEs, Dierker said, the organizations are often responsible for the technical operations, too. A new national organization called the State-Level HIE Leadership Forum is emerging to share insights and lessons learned, she said. It will hold its first meeting in May in Dallas.
Also, state-level HIEs want to participate in AHIC’s successor organization, which is being created as a public/private partnership outside HHS, Dierker said. Synergy is needed between national and state-level health information technology programs and other health reform initiatives such as quality-of-care measurement and pay-for-performance incentives. Among other activities in the coming year, the project will decide whether it is desirable to accredit HIEs that meet certain criteria and how to sustain organizations after a start-up period. In addition, the relationship of state-level HIEs to the planned Nationwide Health Information Network remains undefined, the report states. Those who pay for health care should be more involved in HIE development, the report states. “At a national level, the roles for Medicaid and Medicare in helping to build and sustain HIE capacity must be clarified and strengthened,” it states. “The active engagement of health plans in strategies to support state-level HIE remains an important priority.” The Office of the National Coordinator for Health IT supports the State-Level HIE Consensus Project.
Serious patient errors at California hospitals disclosed in state filings. About 100 Californians a month are being harmed in adverse events considered preventable. A lawmaker proposes banning reimbursements to hospitals for some types of injuries. Maine, Massachusetts, Pennsylvania and New York have restricted payments for avoidable medical errors. Hospital associations in Minnesota, Washington and Vermont have pledged never to bill patients for the costs of botched care, according to the National Conference of State Legislatures. LA Times, 6/30/08.
Physician Use of Electronic Prescribing and Barriers to Adoption
Source: Electronic Prescribing: Toward Maximum Value and Rapid Adoption Recommendations for Optimal Design and Implementation to Improve Care, Increase Efficiency and Reduce Costs in Ambulatory Care, a Report of the Electronic Prescribing Initiative eHealth Initiative.
- Despite the benefits of electronic prescribing, adoption is still modest. Current surveys estimate that between 5% and 18% of physicians and other clinicians are using electronic prescribing.
- Key barriers to clinician adoption include startup cost, lack of specific reimbursement, and fear of reduced efficiency in the practice.
- The implementation of the prescribing system must fit into the business flow and enhance knowledge, rather than be viewed as “extra work.” Electronic prescriptions need to be seen, in many ways, as an extension of a written prescription, for adoption to occur. The benefits to all parties – pharmacist, clinician and patient – should be the ultimate goal in the adoption of electronic prescribing.
Medical Record Privacy
About 11 years ago, as of April 14, 2003, "health plans, hospitals, doctors and other health care providers around the country must comply with new federal privacy regulations," according to Secretary Tommy Thompson of the Department of Health and Human Services (HHS). Billions of dollars are being spent to bring public and private sector records into compliance. The following is the department's description, which stated in April 2003: "These new federal health privacy regulations set a national floor of privacy protections that will reassure patients that their medical records are kept confidential. The rules will help to ensure appropriate privacy safeguards are in place as we harness information technologies to improve the quality of care provided to patients. Consumers will benefit from these new limits on the way their personal medical records may be used or disclosed by those entrusted with this sensitive information.
"The new protections give patients greater access to their own medical records and more control over how their personal information is used by their health plans and health care providers. Consumers will get a notice explaining how their health plans, doctors, pharmacies and other health care providers use, disclose and protect their personal information. In addition, consumers will have the ability to see and copy their health records and to request corrections of any errors included in their records. Consumers may file complaints about privacy issues with their health plans or providers or with our Office for Civil Rights."
Privacy Online Resources:
- HIPAA Basics: Medical Privacy in the Electronic Age. Privacy Rights Clearinghouse, revised February 2013.
- FAQ on medical privacy
- State Laws on Access to Medical Records. Georgetown University Center on Medical Record Rights and Privacy. Includes 50 state-specific reports. [link accessed 4/2013]
- Texas Aggressive New Patient Privacy Law Could Hit Covered Entities Nationwide. A new Texas law governing the privacy and security of protected health information, perhaps the broadest and among the toughest of such laws in the nation, went into effect on Sept. 1. The Texas Medical Privacy Act, signed into law June 17, 2011, by Gov. Rick Perry (R), not only increases requirements beyond those in HIPAA for organizations that are already covered entities (CEs), but greatly expands the number and type of Texas-based CEs required to comply with the privacy standards in HIPAA and adds a bunch of its own requirements. It contains separate mandates for breach notification of electronic PHI and penalties for violations. [Excerpt from Report on Patient Privacy, 9/1/2012]
HIPAA State Actions: Overviews and Examples:
- Federal Trade Commission Issues Proposed PHR Breach Rule - In compliance with the American Recovery and Reinvestment Act, the Federal Trade Commission has issued a proposed rule that would require personal health record vendors and related groups to notify customers if their identifiable health information is breached, Health Data Management reports. FTC is seeking public comment on the proposed rule through June 1. ARRA requires HHS and FTC to publish a study on potential privacy, security and breach notification requirements for PHR vendors and related entities by February 2010. In the meantime, the law requires FTC to issue an interim final rule by August. Health Data Management, Modern Healthcare. 4/17/09.
"Privacy Issue Complicates Push to Link Medical Data" - article by New York Times, 1/17/09.
"New health-care privacy laws heighten need for HIPAA compliance in California." Gov. Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline. ComputerWorld, 10/7/08.
"PERSONAL HEALTH DATA ON THE NET: STATES ADDRESS PRIVACY CONCERNS" - NCSL's State Health Notes, June 9, 2008.
Warnings Over Privacy of U.S. Health Network - New York Times, 2/18/2007.
"Personal Health Records: The People's Choice?" - National Health Policy Forum, 11/30/06.
Balancing Patient Privacy with the Need to Know. Obtaining a patient's health history is vital to ensuring proper treatment, yet disclosing information about mental health or substance abuse can result in social stigma, job loss, or even criminal prosecution. A new issue brief considers how best to balance privacy and disclosure in an age when sharing information has never been easier. CA Healthcare Foundation brief, 3/08.
Medical Privacy - National Standards to Protect the Privacy of Personal Health Information. Detailed explanations by the HHS Office for Civil Rights.
- NASCIO's Federal Privacy Law Compendium summarizes 10 federal privacy laws, including HIPAA, and provides states with a starting point to determine how the summarized laws might apply to them. (2001).
- HIPAA Enforcement: Legal Opinion by the Dept. of Justice Legal Counsel, 6/1/05.
- HIPAA Privacy Rule and Public Health - updated summary from CDC, emphasizing state and local government agency actions, 4/11/03.
- "Surveys show public distrusts HIPAA; researchers detest it" - Nearly three of five Americans agree that the privacy of their health information is not well protected by federal and state laws and organizational practices. Report in GovHealthIT.com 10/2/07.
- "Many U.S. Adults are Satisfied with Use of Their Personal Health Information; Some Withhold Information Due to Medical Data Security Worries" - While many U.S. adults indicate that they are generally satisfied with how their personal health information is used, a substantial number has serious reservations about the confidentiality and security of their health data, with some withholding information due to these concerns, according to a survey conducted by Harris Interactive. 3/26/07.
- Less Than 25% of Medical Privacy Complaints Investigated. Less than a quarter of the total medical privacy complaints lodged with the US Department of Health and Human Services (HHS) were deemed eligible for further investigation, reports Melamedia's 3rd Annual Review of Medical Privacy and Security Enforcement. 12/14/06.
- Survey Finds HIPAA Compliance Low - AHIMA 4/18/06. Compliance with federal privacy rules regarding patients' medical records that went into effect three years ago has declined, according to an annual American Health Information Management Association survey, Government Health IT reports. The survey of 1,117 hospitals and health systems found that 85% of respondents said they are mostly compliant with HIPAA privacy rules, compared with 91% in 2005. "A slight drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning to the industry that compliance should not be taken for granted," said AHIMA President Jill Callahan Dennis (Ferris, Government Health IT, 4/19/06). Fifty-five percent of respondents said lack of resources was the chief barrier to complete compliance, Health Data Management reports. They also cited as barriers a loss of senior management support and less focus on the privacy rule by some staff.
The survey, which was conducted in January 2006, also asked about compliance with HIPAA security rules. It found that one year after the compliance date, 25% of respondents said their organizations are fully compliant, and half of respondents said their organizations are between 85% and 95% compliant, Health Data Management reports. A survey a year earlier found that 17% of organizations believed they were fully compliant and 43% believed they were substantially compliant (Health Data Management, 4/19/06).
- Bill Would Limit Obtaining, Selling Medical Records. The Missouri Senate on April 13, 2006 unanimously passed legislation (SB 1041) that would make it a crime to sell or obtain patients' health records without their consent. The bill now goes to the House. AP/Kansas City Star.
Electronic Transactions Requirements
Federal regulations required compliance with new HIPAA national standards for electronic health care transactions, code sets and national identifiers for providers, health plans, and employers, as of an October 2003 deadline. The federal Administrative Simplification Compliance Act (ASCA) required all claims sent to the Medicare Program to be submitted electronically starting October 2003. (This is separate from the medical privacy requirements described above.)
HIPAA Administrative Simplification
HIPAA Wellness and Nondiscrimination
DOL ISSUES CHECKLIST FOR WELLNESS PROGRAMS.
Wellness programs must be carefully reviewed to assure that they fit within a variety of legal boundaries. Most important for 2008 and beyond are the nondiscrimination rules under HIPAA. The Department of Labor (DOL) has issued helpful guidance in Field Assistance Bulletin 2008-02 (FAB 2008-02), including a useful checklist. This guidance can be reviewed by any policymaker or plan sponsor implementing a wellness program or considering one. ["CheckUp" by Sibson, 3/10/08]
Health promotion or disease prevention programs offered by a group health plan must comply with the Department of Labor's final wellness program regulations, published as 29 CFR 2590.702. The final regulations include guidance on the implementation of wellness programs.
HIPAA’s nondiscrimination provisions generally prohibit a group health plan or group health insurance issuer from denying an individual eligibility for benefits based on a health factor and from charging an individual a higher premium than a similarly situated individual based on a health factor. Health factors include: health status, medical condition (including both physical and mental illnesses), claims experience, receipt of health care, medical history, genetic information, evidence of insurability (including conditions arising out of acts of domestic violence), and disability. An exception provides that plans may vary benefits (including cost-sharing mechanisms) and premiums or contributions based on whether an individual has met the standards of a wellness program that complies with paragraph (f) of the regulations. The regulations apply to group health plans and group health insurance issuers on the first day of the plan year beginning on or after July 1, 2007.
HIPAA Security Rules for 2005
In a separate process, HHS issued a Final Security Rule requiring health plans, certain health care providers and health information clearinghouses to establish "adequate administrative, physical, and technical safeguards to prevent unauthorized access to electronic patient health information." Most covered entities had until April 2005 to comply with the new security standards.
Health Privacy. Center for Democracy and Technology's Web page, which focuses on health privacy issues. The Center for Democracy and Technology works to keep the Internet open, innovative and free.
HIPAA.org. Web page covering a number of HIPAA-related topics.
Privacy and Security Solutions for Interoperable Health Information Exchange: Report on State Medical Record Access Laws. August 2009.
APPENDIX -- Medical Records - General Information
NCSL is not responsible for the opinions and research data reported on third-party websites.
Infographic: What Really Happens to Your Medical Records? Gaps in medical records equal potential gaps in care; they can cause an increase in avoidable readmissions and healthcare costs. Fifty percent of medical data gets lost while being sent from primary care physicians (PCPs) to specialists, according to a new infographic from JAMA and Hello Doctor. This infographic includes statistics about false information on hospital discharge letters, missed medical data and opinions from specialists to PCPs, effects on quality of care and more. Posted January 6th, 2014.