A Commission for Case Manager Certification (CCMC) “Issue Brief” discussing the 2015 update of the Code of Professional Conduct for Case Managers noted that, because the revised Code includes updated language calling for knowledge of and compliance with local, state, and federal laws dealing with patient privacy and security, the principles require judgment and assume that case managers possess a certain level of knowledge (CCMC, 2015, 2015a).
Principle 7 of the Code states that “Board-Certified Case Managers (CCMs) will obey all laws and regulations,” and Section 4 of the Code’s Standards focuses on Confidentiality, Privacy, Security and Recordkeeping, with six guiding steps (CCMC, 2015).
While all healthcare workers need to be familiar with the basics of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), case managers will benefit from a more detailed and nuanced understanding of HIPAA and of several critical concepts that underlie it. Case managers frequently must balance the needs of patients and families with the requirements of a variety of healthcare entities and the vagaries of technology, including social media. The more thoroughly case managers have internalized their codes of ethics, the rules and guidelines of their employer(s), and the fundamentals of health information management and HIPAA, the better prepared they will be to manage the complexity and challenge of modern patient information management.
Confidentiality, Privacy, and Security
Confidential, private, and secure are terms we hear discussed in relation to many kinds of information, including financial, educational, personal, employment, and medical. The concepts of confidentiality, privacy, and security are related to each other, yet there are differences and they apply somewhat differently depending on the sphere of information we are talking about.
In regard to health information, confidentiality refers to the obligation of professionals to hold patient information in confidence. Privacy is the right of the individual to be left alone and to be allowed to make their own decisions about how their information is shared. Security refers to both protection of the privacy of health information, and the means by which that security is accomplished (Prater, 2014; Nass et al., 2009).
Confidentiality “safeguards information that is gathered in the context of an intimate relationship,” and also addresses how to keep that information from being disclosed to third parties (Nass et al., 2009). The concept is old, going back to Hippocrates in the fourth century B.C., and it is at the root of patient-provider confidentiality; as such, it has been incorporated into the codes of ethics of healthcare professional associations. State laws may provide additional guidance and requirements for confidentiality, especially in more complex situations such as mental health (Prater, 2014).
Privacy may be defined as “who has access to personal information and under what conditions” (Nass et al., 2009). The right to privacy, while not in the U.S. Constitution, has been codified in federal and state law, court decisions, accrediting organization guidelines, and professional codes of ethics. The quintessential privacy example is the federal HIPAA Privacy Rule, which is designed to “define and limit the circumstances in which an individual’s protected health information may be used or disclosed” (Prater, 2014).
Security refers both to the protection of personal health information and to the means used to protect it, which help healthcare professionals keep that information confidential (Prater, 2014). Proper security prevents unauthorized access to, use of, alteration of, or dissemination of health information; in HIPAA terms, security refers specifically to electronically stored information. For example, if someone hacks into your employer’s computer system, that is a breach of security, and there may also be a breach of confidentiality (Nass et al., 2009).
What Is HIPAA?
When most people hear the term “HIPAA” they likely think of the privacy forms they are always signing at medical offices and perhaps heave a collective sigh of frustration. HIPAA regulations are complex and often not well understood even by those to whom they apply; but there is a great deal more to HIPAA than just those forms. A closer look at HIPAA’s origins and purpose, its content, and the subsequent development of rules and enforcement procedures can give case managers the tools to be sure they are HIPAA-compliant as well as the ability to offer better explanations to co-workers and patients.
Originally known in Congress as the Kassebaum-Kennedy or Kennedy-Kassebaum Act, after two of its main sponsors, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted by Congress and signed into law by President Bill Clinton on August 21, 1996. It has been described in retrospect as having “two essential goals: making healthcare delivery more efficient and increasing the number of Americans with health insurance coverage” (Nass et al., 2009; Univ of Chicago Med Ctr, 2010). Although correct, this is a deceptively broad and simple description.
What the HIPAA law says:
To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets; to combat waste, fraud, and abuse in health insurance and healthcare delivery; to promote the use of medical savings accounts; to improve access to long-term care services and coverage; to simplify the administration of health insurance; and for other purposes.
For years, supporters of the legislation had heard repeated complaints from consumers about the very problems outlined in that paragraph, and they believed there were cost savings and efficiencies to be gained from standardization, and electronic storage and transmission, of records. Healthcare reformers had advocated for these changes for a long time, but elements of the healthcare industry had exerted a lot of pushback, and the failure of the industry to make meaningful changes finally led Congress to act (Bowers, 2001). Several years of politicking in Congress among elected representatives, insurers and insurance groups, large employers, state entities, and individuals finally resulted in HIPAA (Atchinson & Fox, 1997).
A primary purpose of the act was to protect health insurance coverage for workers and their families when they change or lose their jobs. This is called portability and is covered by Title I of the act (Bowers, 2001; Univ of Chicago Med Ctr, 2010).
Title II, known as Administrative Simplification (AS), required establishing national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers, with the goal of ensuring security and confidentiality of patient information. This is the “accountability” portion. The law mandated the development of privacy and security Rules for these transactions to make the public feel safe (Univ of Chicago Med Ctr, 2010; Bowers, 2001).
The act’s three remaining sections (Titles III, IV, and V) are concerned with guidelines for pre-tax medical spending accounts, guidelines for group health plans, and for company-owned life insurance policies, respectively.
Who Does HIPAA Apply To?
HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically (CDC, 2018; HHS/CMS, 2016; HHS, 2003). These are known as covered entities.
Individual and group plans that provide or pay the cost of healthcare are covered entities. Health plans include health insurance companies, company health plans, health maintenance organizations (HMOs), and government programs that pay for healthcare such as Medicare, Medicaid, and the military and veterans’ healthcare programs (HHS/CMS, 2016; HHS, 2003).
Every healthcare provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which the Department of Health and Human Services (HHS) has established standards under the HIPAA Transactions Rule (HHS, 2003).
Healthcare providers include any provider of medical or other healthcare services or supplies, including institutional providers such as hospitals and nursing homes; physicians, dentists, chiropractors, and other practitioners; pharmacies; and psychologists (HHS/CMS, 2016; HHS, 2003).
Healthcare clearinghouses are entities that process nonstandard information they receive from another entity into a standard format, or vice versa. These include billing services, repricing companies, value added networks, and community health management information systems (HHS/CMS, 2016; HHS, 2003).
An additional important entity category is that of business associate. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Services provided include accreditation, billing, claims processing, consulting, data analysis, financial services, legal services, management administration, and utilization review. Arrangements are covered by a business associate contract. The written contract must detail the uses and disclosures of protected health information (PHI) that the business associate is allowed to make, and require the safeguarding of that information (HHS/CMS, 2016; HHS, 2003).
Individually Identifiable Health Information (IIHI)
Individually identifiable health information is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of healthcare to the individual, or
- the past, present, or future payment for the provision of healthcare to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security number) (HHS/CMS, 2016; HHS, 2003).
Protected Health Information (PHI) is identified in the HIPAA Privacy Rule as “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral (HHS/CMS, 2016; HHS, 2003). Electronic PHI is also now referred to as e-PHI.
To improve the efficiency and effectiveness of the healthcare system, HIPAA included Administrative Simplification provisions that required HHS to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information, so it incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable health information (HHS, 2017). Rule revisions have been made several times since HIPAA was enacted and the procedure to do so usually involves preliminary forms, public comment periods, and then final forms, which can be confusing when looking at a history of the rules.
HIPAA Rules address five main areas:
- Privacy Rule
- Security Rule
- Transactions and Code Sets (TCS)
- Unique Identifiers
- Enforcement Rule
Case managers will find the details of the Privacy Rule most consistently relevant to their work but each of the other rules will affect them as well. Internal security and IT departments, legal advisors and training officers, and billing departments have all been heavily impacted by HIPAA requirements, as have outside companies and contractors that provide these same services. Understanding more of the details can provide useful insight into the roles others play in HIPAA compliance across the entire healthcare field.
Omnibus and Breach Notification Rules
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, had a variety of effects on HIPAA rules and enforcement.
In January 2013, HHS enacted a final Omnibus Rule that implemented provisions of the HITECH Act to strengthen the privacy and security protection of individuals’ health information, modify the Breach Notification Rule (Breach Notification for Unsecured Protected Health Information), and strengthen the privacy protections for genetic information (Federal Register, 2013; HHS, 2017).
The six essential modifications were:
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
HHS published a final Privacy Rule in December 2000, which was modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by the three types of covered entities. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans) (HHS, 2017; HHS/CMS, 2016). There have been revisions proposed several times since then, most recently in 2013 as part of what is sometimes referred to as the Omnibus Rule (Chesanow, 2013).
The basic principle of the Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either (1) as the Privacy Rule permits or requires, or (2) as the individual who is the subject of the information, or the individual’s personal representative, authorizes in writing (HHS, 2003).
The Privacy Rule gives patients the right to view and obtain a copy of their medical records in the form and manner they request, and to ask for corrections to their information (HHS/CMS, 2016).
A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to promote high quality healthcare and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed (CDC, 2018; HHS, 2013).
The Privacy Rule identifies some 18 items as PHI identifiers, ranging from the obvious, such as name, address, and Social Security number, to the not so obvious, such as vehicle serial numbers, URLs, and IP addresses, all of which must be protected.
As noted by one hospital in its guidelines for employees: “PHI is part of everything you do.” It exists in verbal and written communication, interactions with technology, and activities related to the privacy rules. For example, workers come in contact with a patient’s health information when they speak to a colleague about a patient’s treatment, review a patient’s medical record or bill, and when they access information using a computer (Univ of Chicago Med Ctr, 2010).
As noted above, there are situations when HIPAA permits or requires PHI to be disclosed by covered entities:
PHI must be disclosed in two cases:
1. when the individual or their representative requests information, or an accounting of disclosures of their PHI;
2. to HHS when it is performing a compliance audit or an enforcement action (CDC, 2018; HHS, 2003).
A covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorization, for the following purposes or situations:
- to the individual (unless it falls under (1) above as required);
- treatment, payment, and healthcare operations;
- opportunity to agree or object;
- incident to an otherwise permitted use and disclosure;
- public interest and benefit activities; and
- limited data set for the purposes of research, public health or healthcare operations (CDC, 2018; HHS, 2003).
Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make (HHS, 2003).
HHS provides considerable guidance on its “HIPAA for Professionals” website, including explanations of terminology, up-to-date rule language (in summary and in full), fact sheets with case discussions, and detailed FAQ discussions.
“Treatment, payment, and healthcare operations” are of particular relevance for case managers when they are working with one or more covered entities (or business associates) to coordinate additional care for a patient. Two fact sheets available from the Office of the National Coordinator for Health Information Technology are particularly useful for their case scenarios: https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf and https://www.healthit.gov/sites/default/files/exchange_treatment.pdf.
Business Associates and the Privacy Rule
By law, the HIPAA Privacy Rule applies only to covered entities. But most of them do not carry out all of their healthcare activities and functions by themselves. As noted earlier, a variety of support services may be carried out by contractual arrangements with business associates, and the Privacy Rule allows covered entities to disclose PHI when they have assurances that a business associate will:
- use the information only for the purposes for which it was engaged by the covered entity
- safeguard the information from misuse, and
- help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
Covered entities may disclose PHI to an entity in its role as a business associate only to help the covered entity carry out its healthcare functions—not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate (HHS, 2013b).
As noted earlier, Title II of HIPAA—Administrative Simplification—required the Secretary of HHS to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI (not PHI transmitted orally or in writing) that is held or transmitted by covered entities. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI (CDC, 2018; HHS, 2017, 2017a, 2013).
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ e-PHI. Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties (HHS, 2013a).
Security measures and procedures include such things as having an assigned chief security officer, workforce training, controlling access to information systems, protections on computer systems, limitations on physical access to computers and servers, appropriate backups and storage, encryption, automated processes, and others (Univ of Chicago Med Ctr, 2010).
Prior to HIPAA, the healthcare industry had no generally accepted set of security standards or general requirements for protecting health information. Yet new technologies were evolving, and the healthcare industry began moving away from paper processes and came to rely more and more on systems such as computerized physician order entry (CPOE), electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are using self-service programs for members to access claims information and manage care, among other features. This allows the medical workforce to be more mobile and efficient but, as more and more entities adopt these technologies, the potential security risks increase (HHS, 2013a).
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI (HHS, 2013a).
Business Associates and the Security Rule
The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule. HHS developed regulations to implement and clarify these changes, making business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
Transactions (TCS) and Identifiers Rules
Other HIPAA Administrative Simplification Rules are administered and enforced by the Centers for Medicare & Medicaid Services, and include:
- Transactions and Code Sets Standards
- Employer Identifier Standard
- National Provider Identifier Standard
These govern the creation and use of standard codes identifying transactions common across healthcare, and the creation of unique identifiers for employers and providers, in order to streamline recordkeeping and help secure it.
The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules. The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings (HHS, 2017b).
Since April 2003, OCR has received over 186,453 HIPAA complaints and has initiated over 905 compliance reviews. Ninety-six percent of these cases (178,834) have been resolved. OCR investigated and resolved 26,152 cases by requiring changes to privacy practices and corrective actions or by providing technical assistance, with actions intended to result in systemic changes. As of July 31, 2018, OCR has settled or imposed a civil money penalty in 55 cases for a total dollar amount of $78,829,182.
Early intervention and technical assistance avoided investigation in 29,042 cases. No violation was found in another 11,581 cases after investigation, and the remainder of cases were not eligible for investigation for a variety of reasons. Investigated complaints have involved many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices (HHS, 2018).
The compliance issues investigated most (cumulatively in order of frequency) are:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information;
- Use or disclosure of more than the minimum necessary protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are (in order of frequency):
- General Hospitals
- Private Practices and Physicians
- Outpatient Facilities
- Health Plans (group health plans and health insurance issuers) (HHS, 2018)
Civil Money Penalties
The HITECH Act modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after February 18, 2009, significantly increasing the penalty amounts the Secretary could impose for violations of the HIPAA rules and encouraging prompt corrective action (HHS, 2011/2009).
Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan, or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. The HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery (HHS, 2011/2009).
HIPAA Issues and Concerns
HIPAA’s broad goals and complexities have made it the subject of concern and confusion since it was enacted, for everyone involved although not for the same reasons. Those who had waited and worked for change in the healthcare field were happy that the days of open access to individuals’ personal health information would be over. The industry was afraid that the cost of compliance would be burdensome. Healthcare providers were concerned that privacy regulations would make it harder to treat patients effectively. One writer observed that no one seemed especially concerned about the issues of data standardization and security, seemingly certain the “technical professionals” could manage all that (Bowers, 2001).
Complacency about security, whether inadvertent or deliberate, looks to have been a mistake. Carelessness about security among covered entities, including everything from insecure passwords and insecure devices to systems poorly protected against hacking and ransomware, continues to be a serious issue.
A recent report on multi-industry data breaches found that “58% of incidents involved insiders—healthcare is the only industry in which internal actors are the biggest threat to an organization.” That same report noted several other important issues: while stories about medical device hacking may be featured in the media, databases and paper documents are “the assets most often affected in breaches,” ransomware infections are the top malware involved in breaches, and even after all these years and all the training “basic security measures are still not being implemented.” Unencrypted laptops that are subsequently lost or stolen are a continual problem (Verizon, 2018; Hogue, 2018).
As noted earlier, lack of patient access to their own records is a significant factor in enforcement investigations and actions. A recent study noted that “US hospitals continue to place cost and processing obstacles in the way of patients requesting their personal medical records.” Inconsistent information about patient rights to request information and the formats and costs of that information are widespread as is a failure to comply with federal and state regulations and recommendations (Swift, 2018).
The OCR has in recent years proceeded against some large, and not so large, entities and been able to levy considerable fines. The MD Anderson Cancer Center in Houston, Texas, was fined $4.3 million for HIPAA violations involving three separate data breaches involving lost and stolen unencrypted laptops and USB thumb drives. Despite policies in place, the Center had failed to implement encryption in a timely manner and on all devices (Nelson, 2018).
While enforcement cases are important, and OCR’s rules have had more teeth since the changes made by the HITECH Act, there are other issues that concern both providers and patients.
Perhaps one of the biggest concerns is the widespread belief that you can’t tell anyone anything. This was not the intent of the law and is a routine misunderstanding (Chesanow, 2013). FAQ discussions on the HIPAA website and by other HIPAA experts often involve attempts to clarify these concerns. For example, many doctors believe that they cannot communicate with patients by regular postal service mail or by unsecure email, neither of which is correct. Misunderstanding is also widespread about communications with family and friends regarding a patient’s condition and about the penalties for an innocent mistake (Chesanow, 2013).
From another perspective, an individual who believes they are the victim of a HIPAA violation has only a complaint to the OCR as recourse. HIPAA does not give a patient the right to sue a doctor, nurse, or hospital. A lawsuit under state law alleging a privacy violation is possible but has nothing to do with HIPAA (Chesanow, 2013).
Other concerns that have been raised about HIPAA involve real problems for mental health patients and their caretakers, where information-sharing problems can be life threatening; obstacles to research where patient data is needed; and arguments that, especially in the field of mobile health, HIPAA “stifles innovation” (Chesanow, 2013).
HIPAA is now more than two decades old and, while it has its problems, few advocate for a return to the old ways. Changes have been made and more will no doubt be made in the future. Case managers with an understanding of how the various parts of HIPAA have evolved, and where confusion and misunderstanding are common, may find it easier to negotiate solutions to complex problems. A great deal of plain-English, commonsense information on the development and current operation of the law is available from the HIPAA website for professionals at: https://www.hhs.gov/hipaa/for-professionals/index.html.