
HIPAA: A Shield for Health Information and a Snag for Estate Planning and Corporate Documents

Posted on: Friday, 16 September 2005, 03:00 CDT

Editors' Synopsis: Since April 2003, you may have encountered the newly enacted Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rules as a patient or in other interactions with your physician or health insurer. The long list of requirements and documents associated with HIPAA did not appear overnight, and some of the effects of these regulations are just starting to emerge. This Article provides a brief explanation of the HIPAA Privacy Rules; delves into the effect of the Rules on wills, trusts, and other corporate agreements; and offers some practical suggestions for dealing with the effects of the Rules.

I. THE HISTORY AND REQUIREMENTS OF THE HIPAA PRIVACY RULES

The Administrative Simplification Provisions of HIPAA were originated to standardize the communication mechanisms used in the health care industry.1 In August 2000, the U.S. Department of Health and Human Services addressed the need for a standardized method of electronic data interchange in the health care industry, after realizing that there were approximately 400 different formats being used in the United States for electronic health care transactions. These different methods of communicating resulted in a widespread, inefficient, and expensive system for submitting and obtaining payment for health care claims.2 The intent of this endeavor was a good one: to create more efficient and effective exchanges between health care providers and health plans and others in the health care industry,3 much like the finance industry did with the creation of universal ATM cards and worldwide debit cards. However, this standardization of health care communications and transactions coupled with the increased use of technology in the health care field resulted in dramatically increased risks to the privacy and security of patient data.4 The U.S. Department of Health and Human Services recognized these risks and the need for a "floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care."5 The result was the promulgation of the HIPAA Privacy Rules6 and the HIPAA Security Rules.7

The HIPAA Privacy Rules require health plans,8 health care clearinghouses,9 Medicare prescription drug card sponsors10 and most health care providers11 (collectively referred to as "covered entities") to regulate the use and disclosure of protected health information. The HIPAA Privacy Rules also seek to enhance the rights of individuals who are the subject of this health information, including the right to receive notices about privacy practices, to request access or amendments to information, and to obtain an accounting of disclosures of their information. Specifically, the Rules require covered entities to restrict and control access to "protected health information"12 and to limit the unauthorized use and disclosure of health information to the minimum amount necessary for the intended purpose.13 Specific rules apply to the release of protected health information to third parties, including rules governing the release of information to patients;14 to a family member, friend, or personal representative of the patient;15 and to persons who have requested the information via a subpoena or discovery request.16 Covered entities must also comply with numerous documentation regulations and a requirement continuously to assess compliance efforts.17

While HIPAA and its regulations,18 including the HIPAA Privacy Rules, directly affect health plans, health care clearinghouses, Medicare prescription drug card sponsors, and most health care providers, it is important to understand that the HIPAA Privacy Rules19 may also have an effect on wills, trusts, and corporate agreements. The HIPAA Privacy Rules affect estate planning and corporate documents because, while protecting the privacy and confidentiality of patient data, these Rules may also act as an obstacle to obtaining information about a patient's disability, medical condition, or capacity. Under the HIPAA Privacy Rules that took effect in April 2003, physicians, hospitals, and other providers or health plans are restricted from disclosing individually identifiable protected health information unless they have obtained an appropriate authorization from the patient, or the disclosure is expressly allowed by HIPAA.20 Physicians and other entities charged with safeguarding protected health information are not only concerned with patient privacy because it is a basic premise of their profession, but because they can be investigated, fined (up to $25,000 per year in civil penalties),21 and even jailed for violating the HIPAA Privacy Rules.22 The civil and criminal penalties authorized under HIPAA offer no real incentive for a treating physician, hospital, or other covered entity to assist a corporation, partnership, or trustee in obtaining health information for purposes of evaluating an individual's disability, capacity, or medical condition.

II. DISABILITY CLAUSES

Thus, it is important to review trust documents, partnership agreements, buy-sell provisions, employment agreements, and other types of organizational documents carefully. In particular, one should take care to determine whether they contain a disability provision or similar language that depends on a physician's determination of disability or that requires a person or group to acquire health information from a treating physician or other health care provider. Often a disability provision will require an individual or entity to acquire health care information from a physician or other covered entity to enforce a triggering event or other contractual provision. For example, a document might require that any debate about a shareholder's or trustee's disability or capacity will be resolved by a panel of three doctors. A problem arises because the panel of doctors is permitted to evaluate the mental or physical condition of a shareholder or trustee, but the panel may not be able to communicate its findings to the appropriate interested parties because of the HIPAA Privacy Rules.23 Even if a health care provider desires to release the needed information or to communicate the provider's opinion to the interested party (a board, trustee, or employer), the HIPAA Privacy Rules may become a barrier to the disclosure. Various alternatives may remedy the problem presented by HIPAA: one suggestion involves obtaining the individual's authorization for the disclosure in advance of the need for health care information. Alternatively, the health care information could be obtained from the individual directly, or from the individual's personal representative as defined under HIPAA.24 Or, the disability provision could be modified to permit a committee of laypersons or family members to make disability-related determinations instead of requiring a health care provider to make the determinations. The term "disability" could be defined in a way that does not require an opinion or any health information from a health care provider covered by HIPAA. Each of the alternative suggestions to accessing health information has certain risks and downsides.

III. AUTHORIZATIONS

If a covered entity obtains an individual's permission or authorization, it may use and disclose an individual's protected health information for purposes beyond those discussed specifically in the HIPAA Privacy Rules, such as uses and disclosures for treatment or payment purposes or other purposes required by law. The written authorization obtained by the covered entity must contain certain core elements and statements.25 Specifically, a HIPAA-compliant authorization must include: (1) "[a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;" (2) "[t]he name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;"26 (3) "[t]he name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;" (4) "[a]n expiration date or an expiration event;" this must be either a specific date or an event directly related to the individual or the purpose of the use or disclosure; (5) a statement that the individual has the right to revoke an authorization in writing, instructions on how the individual may revoke the authorization, and any exceptions to the right to revoke; (6) a statement showing that "[t]he covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization;" or, if applicable, a statement indicating the consequences to the individual of a refusal to sign the authorization when the covered entity is permitted to condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain an authorization; (7) a statement that the information may no longer be protected by federal privacy laws after it is disclosed; and (8) the individual's signature and the date of the signature, or the personal representative's signature and his or her authority to act for the individual.27

Additionally, all authorizations are required to be written in plain language.28 There are no specifications related to the plain language requirement, but some factors that should be considered include the overall length of the document, the amount of white space included, the number of subtitles, the length of sentences, basic vocabulary, and readability scores. Furthermore, HIPAA does not allow "compound" authorizations except under limited exceptions. Thus, the authorization form cannot be combined with other documents, such as a health care surrogate form or employment agreement.29

Therefore, a separate authorization form that meets the aforementioned requirements and any applicable state law requirements30 could be executed simultaneously with the employment agreement, partnership agreement, or other document showing a need for health information upon a trigger event such as a disability determination. However, it is important to realize that obtaining a HIPAA-compliant authorization from an individual will not require a physician or other covered entity to disclose the information shown in the authorization.31 Although many physicians will release information pursuant to a HIPAA-compliant authorization, the HIPAA Privacy Rules permit, but do not require, covered entities to disclose information upon the receipt of a HIPAA-compliant authorization.32 Also, some health care providers will be uncomfortable with a form that they have not developed, or may be unwilling to review another entity's forms for HIPAA compliance. Recall that unlike state-law-mandated release of information forms, there are specific elements and statements that must be included in an authorization before it will be considered compliant with the HIPAA Privacy Rules. Again, the potential sanctions associated with HIPAA do not encourage health care providers or other covered entities to disclose information to trustees, corporate officers, or others without a thorough review of the applicable regulations.

Because a HIPAA-compliant authorization is effective immediately and revocable at any time, unanticipated consequences may arise.33 Specifically, there is some risk that authorized individuals, such as trustees or employers, will use the authorization prematurely, or the employee, partner, or other protected individual will revoke the authorization prior to the release of the needed health care data. For example, consider a scenario where a partner's failing health and absence from work trigger the disability provision under a partnership agreement. Under the HIPAA Privacy Rules and the express terms of a HIPAA-compliant authorization, the partner can revoke the authorization form that was executed simultaneously with the partnership documents when he or she arrives at the physician's office to undergo a physical examination. This action places the partners in the same situation they would have been prior to having an authorization form executed simultaneously with the partnership documents. Stated differently, the use of a HIPAA-compliant authorization will not always lead to the seamless obtaining of health care information for purposes of determining an individual's disability or capacity even though the information to be used or disclosed, the recipient, and the expiration date or event can be limited.

IV. INDIVIDUALS

Recall that the HIPAA Privacy Regulations apply only to covered entities, including health care clearinghouses, health plans, Medicare prescription drug card sponsors, and most health care providers. Individuals, such as patients, trustees, shareholders, or grantors, are not covered entities for purposes of HIPAA, and thus are not required to comply with the various requirements and restrictions related to using or disclosing health care information. If patients or health plan beneficiaries desire to use or disclose their medical records or other protected health information for an unusual or non-private reason, there will be no penalty under HIPAA. Therefore, it will almost always be easier for an attorney, employer, partnership, or other organization to obtain protected health information from an individual as opposed to a health care provider or other covered entity.

Furthermore, the HIPAA Privacy Rules require covered entities to disclose protected health information to the patient (protected individual) under most circumstances.34 With some exceptions, protected individuals have a right to inspect or to receive a copy of their protected health information in the custody of the covered entity.35 This right applies only to protected health information that is stored in "designated record sets," and not to protected health information stored in other forms, such as correspondence files.36 However, these regulations generally will permit protected individuals to access all of their medical records and billing records that are not compiled for litigation, restricted by another law, or considered to be psychotherapy notes.37 Therefore, where possible, it may be easier for an employer, co-trustee, or other entity to require an individual to obtain the needed information, declaration, or certification from the physician and forward that information to the necessary persons for review.

To illustrate, a document could contain a provision that requires the trustee, upon a question of disability, to obtain and share with the co-trustee, or other appropriate individuals or groups, the trustee's own health information, including a determination by a licensed and qualified physician that shows that a disability does not exist. The document could provide that if the health information and determination is not submitted to the appropriate reviewer(s) within a particular amount of time (such as, for example, thirty days), the reviewers, such as the co-trustees, will then have the sole discretion to appoint a successor trustee. Alternatively, the trustee's failure to release information and obtain and share a determination could result in an automatic suspension until acceptable or convincing evidence or information is produced. Likewise, in an employment situation, the failure to provide the appropriate information or professional opinions could be a cause for termination of the employment arrangement.

V. PERSONAL REPRESENTATIVES

Under most circumstances, the HIPAA Privacy Rules require covered entities to disclose information to the individual who is the subject of the information.38 This is important because a personal representative who is authorized under state law to make health care decisions for the individual must be treated as the individual under HIPAA, unless the covered entity reasonably believes that doing so would endanger the individual.39 In fact, the Department of Health and Human Services' Office for Civil Rights has made it clear that, as long as a "personal representative" is authorized under state or other law to act on an individual's behalf, that person may access the individual's protected health information.40 The Office for Civil Rights has stated, "Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. . . . The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice . . . ."41

Therefore, with few exceptions, a parent or guardian "stands in the shoes of a minor" and holds all of the rights afforded to the minor patient under the HIPAA Privacy Rules. The general rule is that because a parent or a guardian must make medical decisions on behalf of a minor, it is the parent or guardian who may authorize the use and disclosure of the minor's health information.42 Likewise, an adult patient's personal representative, such as a health care surrogate, may exercise the patient's right to request access to or copies of health information, and may authorize the use and disclosure of the patient's health information. Again, the personal representative for this purpose is a person who, under applicable state law, has the authority to act on behalf of the adult patient to make decisions related to the adult's health care.43

Notably, a deceased individual's health information is protected under the HIPAA Privacy Rules in the same manner as if the individual patient were alive.44 If an executor, administrator, or other person has authority to act on behalf of a deceased individual or the individual's estate under applicable state law, then a covered entity is required to treat that person as a personal representative for purposes of the HIPAA Privacy Rules.45 However, the covered entity is only required to treat the executor or administrator as the individual's personal representative to the extent that protected health information is needed by the personal representative in connection with the administration of the estate or other affairs of the decedent.46 Hence, when a request for protected health information is from the executor, administrator, or other person who has the authority to act on behalf of a deceased individual or the individual's estate, only protected health information that is necessary to allow the requestor to fulfill the responsibilities of personal representation, such as administration of the estate or the affairs of the decedent, may be disclosed by the covered entity.47

The HIPAA Privacy Rules related to personal representatives indicate that it is not necessary to require an individual to sign an authorization form when that person's personal representative, properly designated under state law as someone having the authority to make health care decisions, is requesting the information. Therefore, if estate planning or corporate documents clearly identify the persons or entities who are considered personal representatives of the individual, the identified personal representatives may obtain health information from a covered entity if the document has not expired or the patient is not deceased. To avoid problems or delays, the documents should specifically empower a representative to act as the "personal representative" for purposes of HIPAA and control decisions related to health care information. For example, a trust document showing that three siblings are serving as co-trustees could include a provision that stated:

For purposes of this disability section, I appoint each of the above-listed trustees as my personal representative under 45 C.F.R. 164.502(g), a portion of the regulations implementing the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, to have the power to make health care decisions as they relate to the disclosure of my medical records and information, including demanding, obtaining, reviewing, and releasing to others protected health information, medical records, or any similar information or documents governed by HIPAA and applicable state laws.

Although HIPAA does not permit compound authorizations under most circumstances,48 references to the HIPAA Privacy Rules or to personal representatives in a document do not appear to qualify as HIPAA-compliant authorizations, and thus, there is reason to believe that these references will be permissible.

However, like the suggestions above, this designation of HIPAA personal representatives ("designation form") will not work in all situations and may result in additional problems. First, a health care provider is required to review and maintain requests for the release of protected health information and the permission related to any release (whether it is in the form of an authorization or some other form). Thus, the covered entity may need access to the entire document to demonstrate that the release or disclosure is permitted, and the covered entity may need to include the document in the individual's medical record. If the protected individual objects to the disclosure of the entire trust document, the covered entity could refuse to release or disclose the protected health information. Thus, this language in a trust or similar document may be problematic.

Second, some health care providers may be uncomfortable with a designation form showing the individual's designated personal representatives because the provider doesn't understand the terms used in the designation form (for example, "my attorney-in-fact") or because of the complexity of the HIPAA Privacy Rules applicable to personal representatives. Typically, if there is any doubt about a right to obtain protected health information, most covered entities will refuse the request for protected health information until the covered entity's privacy official or legal counsel can review the designation form and the applicable regulations, resulting in a delay.

These designations may incorporate a very broad group of individuals, such as health care surrogates, alternative health care surrogates, attorneys-in-fact, trustees, and successor trustees, who the protected individual never intended to give access to. Thus, if a bank or other entity is acting as an individual's agent for a limited purpose, but the designation form incorporates broader powers, the designation form becomes problematic. For these reasons, these designation forms may be more appropriate if the designated personal representatives are family members who may already know about the patient's medical diagnoses and mental health conditions, but they will not be useful when the individual wishes to limit the amount of health information that is released to non-family members.

When using these designation forms, a protected individual should understand that the forms give immediately effective full authority to the personal representatives to obtain protected health information without limitations. Unlike HIPAA-compliant authorization forms, a designation form similar to the one shown above is not limited in scope and will not include an expiration date or event.

VI. DISABILITY PROVISIONS THAT DO NOT REQUIRE ACCESS TO PROTECTED HEALTH INFORMATION

Under certain circumstances, it may be best to modify the disability provisions in estate planning or corporate documents to avoid the effects of the HIPAA Privacy Rules, as opposed to supplementing the documents to include an authorization or designation that would permit disclosure of health care information.49 As noted above, many of the alternatives that can be used to avoid HIPAA barriers have downsides that will create large risks for certain individuals or situations; it will be difficult to persuade the individual who is the subject of the protected health information to agree to implement the alternative and sign the appropriate documentation.

One alternative would be to use family members as the decision makers or to list automatic and concrete events instead of relying on a health care provider's determination. This sample provision permits the family to act as the decision maker with respect to disabilities, thus ensuring that the protected health information will not be disclosed to an outsider:

In the absence of a judicial determination, if a majority of my wife, my son, and the co-trustee serving with me (or the next successor Trustee) reasonably believe that I am suffering from any mental or physical disability that would affect my judgment concerning management of the Trust, they may give written notice to that effect. Upon delivery to me of that written notice, my personal rights reserved in this article will be suspended immediately until the persons entitled to give such written notice rescind it.

The alternative of using non-physicians as decision makers is not without risk. While this alternative will give the individual some security that health information will not be disclosed to non-family members, there is a risk that family members or other committees of laypersons will make disability determinations based on extraneous facts or for self-serving reasons.

Another alternative is to include a procedure in the document that gives the protected individual the option of ceasing to serve as a trustee or authorizing the release of the individual's protected health information from a covered entity. This alternative serves two purposes: (1) it spares the protected individual from having to disclose information about a diagnosis or sensitive medical problem, and (2) it protects the persons, trustees, or entities from needing to retain an individual with a disability for a position with fiduciary obligations. A trust document could set forth the following procedure:

If a Trustee fails to sign a release and authorize the disclosure of relevant medical information to determine the Trustee's capacity or to produce evidence of capacity in the form of a letter from a licensed physician (or such other documentation as is acceptable to all other Trustees), that Trustee will be suspended thirty days after the request for such a release is delivered to the Trustee by the named successor Trustee, or if none, by the persons then entitled to appoint a successor Trustee. If a Trustee who ceases to serve because of a disability, or who is suspended as provided above, thereafter recovers from that disability or consents to the release of relevant medical information and disability is not determined, the Trustee may elect to become a Trustee again by giving written notice to the then serving Trustees, and the last successor Trustee who undertook to serve will then cease to be a Trustee until another successor Trustee is required.

In addition, a corporation or employer may want to interpret a person's disability or capacity using objective criteria instead of needing to request health information that would need to be secured and protected from redisclosure. A corporation or employer could use a specific time period as a triggering event for a termination or buyout. The following is an example of a triggering provision in the context of a physician's employment contract:

Upon the Physician's absence from work for ninety (90) or more consecutive or nearly consecutive days because of Disability (hereinafter defined), this Agreement shall terminate upon the end of the ninety day period. The period of absence from work because of Disability shall not commence for purposes of this paragraph until the Physician has taken all applicable sick leave and vacation days, if any, provided under this Agreement. "Disability" means the Physician's inability to perform all, or substantially all, of the Physician's Professional Services duties under this Agreement because of accident or sickness, even with reasonable accommodation.

Another sample provision follows:

"Total Disability" and "Totally Disabled" means that due to injuries or sickness, a Shareholder performing Active Full-time Work as a Physician employed by the Corporation is not able to perform the substantial and material duties of a Physician by rendering Professional Services, including treatment, consultation, and advice, and services incident thereto, for forty hours per week (on an average weekly basis). A "Disability Determination" means a finding that a Shareholder, because of injuries or sickness, is Totally Disabled and the Total Disability has lasted for a continuous period of eighteen (18) months.

The obvious downside related to these sample provisions is that a health care provider's professional opinion is not required. In other words, there is no flexibility or exception for the one unusual situation that may occur when an all-or-nothing or zero-tolerance approach is used in place of a process that allows for subjective opinions.

Under certain circumstances, it may be best to converge these suggestions into one, and amend existing agreements to give the protected individual several options when the individual's abilities or health are in question. Under this alternative, the protected individual will retain control over his or her own health information and decide whether to disclose the information, sign a HIPAA-compliant authorization, or permit the requesting entity or group to make a determination without access to the individual's protected health information. This sample provision suggests that the protected individual whose health is in question will retain as much control over protected health information as desired:

In the event an individual Employee employed by the Corporation becomes Disabled or is alleged to be Disabled, or if the Employee's Disability is in question, the Employee agrees that he or she must, within ten (10) days of the Corporation's request:

Provide to the Corporation, or its authorized designee, relevant medical information or other evidence of the individual's ability and lack of Disability ("Disability Information") in the form of a letter from a licensed physician (or such other documentation as is acceptable to Corporation); or

Provide to the Corporation, or its authorized designee, a signed HIPAA-compliant authorization form that enables the Corporation, or its authorized designee, to obtain from the Employee's physician or other health care provider the Disability Information needed for the Disability determination; or

Notify the Corporation in writing that the Employee will not provide or authorize the release of Disability Information, and instead authorizes the Corporation to make its own final and binding Disability Determination without the Disability Information. The Employee agrees that the Corporation's Disability Determination under this provision may be based on the Corporation's reasonable belief that the Employee is suffering from any mental or physical disability that may affect the Employee's judgment or skills, the Employee's absences from work, the Employee's inability to perform the substantial and material duties of an employee, and/or other factors in the sole discretion of Corporation.

Similar to using a procedure that turns on an objective time frame, this sample provision does not require a health care provider's professional opinion and may result in a decision by the corporation that is not based on the totality of the individual's health or that is based on an unrelated or self-serving factor. However, under this alternative, the protected individual need not prematurely give access to protected health information to a group of persons, and can authorize a disclosure at the time of a disability, presumably a time when the individual is aware of the diagnosis or condition at issue.

Overall, amendments to estate planning or corporate documents may be needed because of the HIPAA Privacy Rules. The need for changes to current templates or future documents revolves around whether protected health information is needed from a covered entity. The HIPAA Privacy Regulations do not contain any "grandfather" provisions. This means that existing arrangements that trigger the need to obtain health care information from a covered entity, such as a physician practice, hospital, surgery center, or health plan, should be reviewed to ensure that the need to obtain such protected health information can be realistically met.

The health care industry is beginning to understand the HIPAA Privacy Rules and how the rules can affect others outside of healthcare. However, whether health care organizations empathize with individuals and entities when they attempt to obtain protected health information or relish the fact that the rules are causing headaches outside of their field, the bottom line is that existing and future estate planning and corporate documents will need to be reviewed to avoid future difficulties in document implementation. A variety of alternatives exist for each arrangement; some suggestions were mentioned above. All things considered, there is no perfect answer to balancing the various HIPAA safeguards with the ability to acquire protected health information for purposes of estate planning or corporate-related functions. Nevertheless, it is better to address in advance how HIPAA will affect your estate planning and corporate documents and the need to access protected health information.

1 See Health Insurance Reform: Standards for Electronic Transactions, 65 Fed. Reg. 50,312 (Aug. 17, 2000).

2 See id.

3 See id.

4 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000).

5 Id. at 82,464.

6 45 C.F.R. pts. 160, 164 (2004).

7 45 C.F.R. pts. 160, 162 (2004).

8 The term "health plan" is defined broadly to mean "an individual or group plan that provides, or pays the cost of, medical care." 45 C.F.R. 160.103. This term includes, but is not limited to group health plans, health insurance issuers, health maintenance organizations (HMOs), issuers of long-term care policies, excluding nursing home fixed-indemnity policies, and employee welfare benefit plans or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. Id. The term "health plan" specifically excludes "[a]ny policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits," which include "workers' compensation or similar insurance," "coverage only for accident, or disability income insurance, or any combination thereof," "liability insurance, including general liability insurance and automobile liability insurance," and several other types of insurance. Id. (quoting 42 U.S.C. 300gg-91(c)(1) (2000)).

9 A healthcare clearinghouse is an entity, such as a billing service or repricing company, that "[p]rocesses or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction," or that "[r]eceives a standard transaction . . . and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity." 45 C.F.R. 160.103 (2004).

10 The Medicare Prescription Drug Improvement and Modernization Act of 2003 added Medicare prescription drug sponsors as a new category of Covered Entities. Medicare Program; Medicare Prescription Drug Discount Card, 68 Fed. Reg. 69,840, 69,870 (Dec. 15, 2003); 42 C.F.R. 403.812 (2004).

11 A health care provider will be a Covered Entity for purposes of HIPAA if the provider transmits health information in electronic form in connection with a transaction covered by the HIPAA Administrative Simplification Act (including transactions related to: health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, or referral certification and authorization). 45 C.F.R. 160.103 (2004). Additionally, if the health care provider uses another entity, such as a clearinghouse or billing service, to conduct covered transactions in electronic form on its behalf, then the provider is considered to be conducting the transaction and would be categorized as a Covered Entity. Id.

12 "Protected health information" means health information that is transmitted or maintained by a Covered Entity in any form or medium that can identify an individual. 45 C.F.R. 160.103 (2004). Some examples of direct identifiers include a patient's name, postal or email address, telephone or fax number, social security number, medical record number, or health plan beneficiary number. See, e.g., 45 C.F.R. 164.514(e)(2) (2004).

13 45 C.F.R. 164.502(b) (2004); 45 C.F.R. 164.514(d) (2004).

14 45 C.F.R. 164.524 (2004).

15 45 C.F.R. 164.502(g) (2004).

16 For more information about obtaining protected health information via a subpoena or discovery request, see 45 C.F.R. 164.512(e) (2004).

17 For example, Covered Entities are required to develop notices of privacy practices, policies and procedures, and business associate agreements. 45 C.F.R. 164.504(e)-(f), 164.520, 164.530(c), (i), (j) (2004).

18 The regulations promulgated under HIPAA are often referred to collectively as the Administrative Simplification Act.

19 45 C.F.R. pts. 160, 164 (2004).

20 45 C.F.R. 164.502 (2004).

21 Unintentional violations may result in fines of up to one hundred dollars per violation. See 42 U.S.C. 1320d-5(a)(1) (2000). Intentional violations can draw more severe fines or criminal sanctions. See 42 U.S.C. 1320d-6(b)(1) (2000).

22 42 U.S.C. 1320d-6(b) (2000).

23 A covered entity is permitted to use and disclose information for its own treatment, payment, or operations purposes, but all other uses or disclosures must be authorized by another provision of the HIPAA Privacy Rules or by the individual. 45 C.F.R. 164.502(a), 164.506(a) (2004).

24 The term "personal representative" as used in the HIPAA Privacy Rules, and in this Article, is different from the term as it is commonly used for estate planning purposes.

25 45 C.F.R. 164.508(c) (2004).

26 For purposes of the HIPAA Privacy Rules a "use" of information refers to the sharing of information internally or within a covered entity, and a "disclosure" of information occurs when data is shared with persons or organizations outside the covered entity. See 45 C.F.R. 160.103 (2004).

27 45 C.F.R. 164.508(c).

28 45 C.F.R. 164.508(c)(3).

29 45 C.F.R. 164.508(b)(3).

30 In general, state laws will apply in conjunction with HIPAA. If state privacy laws or regulations are more restrictive than HIPAA, the state law must be complied with to ensure compliance. A discussion of the HIPAA preemption rules is beyond the scope of this article. For more detail, see 45 C.F.R. pt. 160, subpt. B.

31 See, e.g., 45 C.F.R. 164.508 (2004) (indicating that a covered entity "may" use or disclose protected health information after receiving a valid authorization form from the individual who is the subject of the information).

32 45 C.F.R. 164.502(a)(1)(iv) (2004).

33 45 C.F.R. 164.508(b)(5) (2004).

34 45 C.F.R. 164.524 (2004). Most state laws regulating physicians or other health care providers also contain language suggesting that the patient has a right to his or her own health care information. See, e.g., FLA. STAT. ANN. 456.057 (2001).

35 45 C.F.R. 164.524.

36 45 C.F.R. 164.501 (2004) (defining "designated record set").

37 45 C.F.R. 164.524(a).

38 45 C.F.R. 164.524.

39 45 C.F.R. 164.502(g) (2004); see also Office for Civil Rights Frequently Asked Questions ("FAQ") No. 223 (7/18/2003), available at http://www.hhs.gov/ocr/hipaa/.

40 See Office for Civil Rights, supra note 39, FAQ No. 226 & No. 219.

41 See id., FAQ No. 219.

42 There are some situations under state law where minors may make their own health care decisions independent of parental or guardian knowledge or consent, and the HIPAA Privacy Rules include exceptions to show that the minor also has the authority to make decisions about the health information related to such health care and treatment. 45 C.F.R. 164.502(g) (2004). State laws will vary with respect to the rights of minors, but one example would include a minor who is married, pregnant, or a parent, and who seeks maternal health and contraceptive services of a nonsurgical nature. See, e.g., FLA. STAT. ANN. 381.0051(5) (2002).

43 45 C.F.R. 164.502(g)(2).

44 45 C.F.R. 164.502(f).

45 45 C.F.R. 164.502(g)(4).

46 Id.

47 Id.; see also 45 C.F.R. 164.512 (2004); Office for Civil Rights, supra note 39, FAQ No. 222.

48 45 C.F.R. 164.508(b)(3) (2004).

49 Caution is required, however, as a result of the recent codification of Internal Revenue Code ("Code") section 409A, which addresses "nonqualified deferred compensation plans." The statute has a specific definition of the term "disability," which could result in the violation of Code section 409A. A discussion of disability compensation or defining the term "disability" for purposes of compensation is beyond the scope of this Article.

Jacqueline Myles Crain*

* Jacqueline Myles Crain graduated cum laude from Florida State University and earned her M.B.A. and her J.D. cum laude from Stetson University College of Law, where she was the research editor of the Stetson Law Review. She practices in the area of health care law at Holland & Knight LLP in St. Petersburg, Florida.

Copyright American Bar Association, Real Property, Probate and Trust Law Section Summer 2005


Source: Real Property, Probate and Trust Journal
