HIPAA: IT AIN'T WHAT IT USED TO BE

By: Jeffrey L. Cohen

By now everyone in the healthcare industry knows the term "HIPAA," but not everyone knows that the new healthcare reform law has toughened it up in many respects.

The Health Insurance Portability and Accountability Act was the first broad stroke of the federal government in the direction of healthcare reform. Ensuring the privacy of healthcare records is critical when considering the need for transferability in the new healthcare delivery system. The ability of healthcare providers to communicate electronically and to track both cost effectiveness and quality is essential to the new healthcare reform law, so it is essential to ensure that the new healthcare information superhighway protects confidential information in patients' healthcare records. HIPAA does that.

HIPAA protects Protected Health Information ("PHI") and imposes certain privacy obligations on "covered entities." It attempts to balance confidentiality against the need for communication between providers. Too much protection could gum up the works and defeat the transmissibility aspect of healthcare reform. The new healthcare reform may, however, have done just that by expanding PHI protection to contractors of "Business Associates."

A few definitions would help:

"Protected Health Information" is essentially any information (in any form) that is created or received by a healthcare provider, health plan, etc. which relates to a person's past, present or future health care or the payment therefor.

A "covered entity" is a healthcare provider, health plan or healthcare clearinghouse.

A "business associate" is an individual or entity that performs, on behalf of a covered entity, any function or activity involving the use or disclosure of PHI and which is not a member of the covered entity's workforce.

Among other things, the new healthcare reform law (1) applies HIPAA to Business Associates, and (2) prohibits the sale of PHI. In addition to granting patients greater rights and PHI access, the new law:

  1. Prohibits the sale of PHI;
  2. Enables healthcare consumers who pay for their own healthcare to prohibit their provider from sharing PHI with their own healthcare plan;
  3. Requires HIPAA covered entities and business associates to provide affected individuals with notice of any breach of their unsecured PHI within 60 days. Covered entities in Florida have just 45 days to report; and
  4. Requires breaches involving more than 500 people to be reported to HHS and the media.

The law is confusing and complex. Covered entities should have a detailed decision tree to follow to ensure compliance with the law. That said, they should be aware that the following do not constitute a HIPAA breach:

  1. Unintentional, good faith acquisition, access and use of PHI;
  2. Inadvertent disclosure of PHI from an authorized person to another authorized person;
  3. Unauthorized disclosures in which the recipient would not have been reasonably able to retain PHI; and
  4. Access to secured PHI.

_________________________________________________________________________________
With over 20 years of healthcare law experience following his experience as legal counsel for the Florida Medical Association, Mr. Cohen is board certified by The Florida Bar as a specialist in healthcare law. With a strong background and expertise in transactional healthcare and corporate matters, particularly as they relate to physicians, Mr. Cohen's practice immerses him in regulatory, contract, corporate, compliance and employment-related matters. As Founder of The Florida Healthcare Law Firm, he has distinguished himself and his firm for providing exceptional legal services with the right pricing, responsiveness and ethics.