December 1999 




Protecting Personal Health Information: Emerging Standards for the Electronic Age


By Gordon J. Apple

Effective next February, new federal regulations covering the handling of personal health care information will affect health care providers, their business partners, and attorneys who handle the protected information.
 

As we contemplate the new millennium one of the greatest concerns shared by individuals, organizations, communities, and indeed governments is the protection of electronic data that contain sensitive information. Protecting such data presents numerous legal challenges, whether to prevent the theft of nuclear secrets by foreign countries or to assure that personal health information is not misused. Although individuals may find it difficult to relate personally to national security concerns, everyone has a very personal interest in how their health information is safeguarded by its various custodians from individual providers to national health care corporations.

A 1995 Louis Harris & Associates Poll found that 82 percent of people were concerned about the privacy of health information.1 Except for former Senator Bob Dole, few people want the world to know about their personal medical problems. The potential use of genetic information by insurers or employers to "red-line" individuals is just one example of many areas of concern where there are significant fears that personal medical information residing in computer data banks can be misused.

Legislative and regulatory efforts to protect the privacy of personal health information are rapidly emerging as health care information moves from "Dead Tree Media"2 (paper records or "DTM") to the bits and bytes of computers and the Internet. This is reflected in the recently unveiled federal Privacy Standards and related Security Standards issued under HIPAA, the Health Insurance Portability and Accountability Act of 1996. The HIPAA standards serve as a lighthouse on the issue of electronic data privacy and security: providing guidance and at the same time warning of danger.

Protecting Personal Health Care Information

Protection of personal privacy is a fundamental legal concept that continues to evolve in Minnesota and nationally. It was only in 1998 that the Minnesota Supreme Court recognized a common law right to privacy in Eli Lake, et al., v. Wal-Mart Stores, Inc., 582 N.W.2d 231 (Minn. 1998). The Supreme Court recognized that the right to privacy exists in the common law of Minnesota, including causes of action in tort for intrusion upon seclusion, appropriation, and publication. The Court eloquently stated:

Today we join the majority of jurisdictions and recognize the tort of invasion of privacy. The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close.

All 50 states to varying degrees have laws and regulations that address the privacy of medical information. In some states, the unauthorized disclosure of medical information is a felony. In other states, the unauthorized disclosure is not treated as harshly. In Minnesota, Minn. Stat. §13.42 (Medical Data) of the Government Data Practices Act and Minn. Stat. §144.335 (Access to Health Records) generally govern access to health information, but have very little in the way of enforcement "teeth." This system worked well during a time when medical information in DTM paper records rarely was accessible outside the doctor's office or a hospital. Unfortunately, it does not work well at all in the world of Electronic Data Interchange (EDI), integrated delivery systems, and multistate health-care networks and corporations. Nor does it work well when medical data are "mined" to determine clinical pathways, effective drug formularies, or targeted marketing opportunities. The term "data mining" refers to the practice of sifting through massive amounts of patient data to develop a refined data set, a task that is all too easy with modern information systems.

The Federal Government Acts -- HIPAA

Until recently, the federal government had enacted only limited protections for personal health information. In 1996, however, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in an effort to address privacy concerns. HIPAA is a response to the lack of uniformity at all levels in the regulation of medical information. HIPAA required Congress to develop legislation to protect the privacy of individually identifiable health information by adopting national Privacy Standards for the electronic exchange of health information in the health-care system. If Congress did not act by August 23, 1999, President Clinton was given the authority and obligation to develop federal regulations through the Department of Health and Human Services (DHHS).

Congress did not act in time and DHHS issued proposed final regulations on November 3, 1999 (64 Fed. Reg. 59918) that will become final in February of 2000. Together with the related HIPAA Security Standards that were first proposed on August 12, 1998 (63 Fed. Reg. 43242), the privacy regulations will affect almost every health plan and health care provider in the United States and countless other "business partners" who work with or represent them, including attorneys when protected health information is provided to them. The regulations will preempt any state law that is contrary to them, unless the state law is "more stringent."

HIPAA represents an emerging standard for the protection of electronic data that in a very short time will apply not only to "health information" but in some form to all electronic data where there are legitimate and protected expectations of privacy. Attorneys who represent health-care providers and other organizations involved in the processing and maintenance of electronic "health information" on individuals will soon be asked for their advice and counsel on how to comply with the HIPAA data security and privacy standards.

Gordon J. Apple

Gordon J. Apple is an attorney in private practice in St. Paul. A former chair of the MSBA Health Law Section, he concentrates his practice in the areas of health law and alternative dispute resolution as an arbitrator and mediator.

Copyright © 1999 by Gordon J. Apple. All Rights Reserved


The HIPAA Standards

The recently proposed HIPAA standards are designed to protect the privacy of electronic "health information" that is stored, maintained or transmitted on any media such as the Internet, intranets, or even computer diskettes. HIPAA does not cover DTM paper records unless they are printouts of electronic files. In reviewing the HIPAA regulations it is important to remember that there are distinct rules for data security and for data privacy that are designed by DHHS to be part of an overall coordinated approach to protecting "health information."

The term "health information" is broadly defined under section 1171 of HIPAA and the proposed regulations as:

any information, whether oral or recorded in any form or medium, that:

1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; or the past, present, or future payment for the provision of health care to an individual.

HIPAA Security Standards

As noted above, the Security Standards under HIPAA were proposed in August 1998 and will be finalized, according to DHHS, by the end of the year. The definition of "Security" in the regulation’s glossary of terms is useful in understanding the government’s overall approach to assuring that private health information is secure.

Security encompasses all of the safeguards in an information system, including hardware, software, personnel policies, information practice policies, disaster preparedness, and the oversight of all these areas. The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.

Under the proposed HIPAA standards, only "covered entities" are required to meet the "Security Standards" embodied in proposed 45 CFR §142.308. Among affected entities are health plans that provide or pay the cost of medical care -- including almost all employee welfare benefit plans, government programs, and health insurance or health maintenance organizations. In addition, the regulations apply to all "providers" and health care clearinghouses that either process any electronic transmission between any combination of listed health care entities or electronically maintain any health information used in an electronic transmission that has been sent or received between the same listed entities. The Security Standards would apply to all health care information electronically maintained or used in electronic transmissions, regardless of format. No distinction is made between communications internal to a corporate entity and communications external to the corporate entity.

In the real world, this means that both a rural physicians’ practice that submits electronic claims to a clearinghouse and a major health system submitting electronic claims to its Medicare carrier for payment would have to meet the Security Standards.

Fortunately, the proposed regulations recognize the need for "scalability." In effect, both the health system and the rural physicians’ practice would need to address specific concerns relative to electronic data security, but the rural doctors would not be expected to dedicate the same level of resources as a much larger organization. The expectation is that an entity addressing the specified concerns will assess potential risks and vulnerabilities to the individual health data in its possession and will develop, implement, and maintain appropriate security measures.

The regulations outline four key areas both in text and in matrices that identify the minimum procedures that need to be implemented to meet the HIPAA Security Standards.

1. Administrative procedures to guard data integrity, confidentiality, and availability. The administrative procedures encompass a vast array of requirements that will have to be documented. These requirements range from certification that appropriate security has been implemented to training for all staff on health information privacy, vulnerabilities within an entity’s system, and steps that need to be followed to protect information. Attorneys will have a vital role assisting their clients in drafting these policies and procedures and making sure they are properly integrated with existing policies contained in employment manuals or medical staff bylaws. Perhaps the most significant role attorneys will play is in the drafting or review of so-called "chain of trust partner agreements." These will be contracts between entities to ensure that all parties in the electronic line of data transmission agree to protect the data in accordance with HIPAA. As discussed below, similar contracts will be required under the Privacy Standards with so-called "business partners."

2. Physical safeguards to guard data integrity, confidentiality, and availability. The physical safeguards to guard data go far beyond backup tapes and disks. The proposed rule requires the documented designation of an individual responsible for physical safeguards and then outlines what is necessary "to insure total control of media containing health information." One very obvious control is limiting physical access. Incorporated in this requirement are documented policies and procedures to address areas such as disaster recovery, a security plan for the facility, and need-to-know procedures for determining which personnel have access.

3. Technical security services to guard data integrity, confidentiality, and availability. Key concerns under HIPAA are that only those with the need to access health information are provided access and that when access is provided, data are not altered or destroyed in an unauthorized manner. These concerns are addressed by the technical security services standards governing access control, audit control, authorization control, and data authentication and entity authentication. This is an area that lawyers will need to integrate into the chain of trust agreements in a manner that provides for a right to monitor compliance and remedies when a party fails to abide by the Security Standards.

4. Technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network. This part of the security regulation requires organizations to have documented mechanisms in place to ensure that health information sent over the Internet or on other so-called open networks is secure from unauthorized access. For example, open lines will have to be protected by appropriate "firewalls" and virus-checking software to maintain the safety and integrity of the data.

In essence, the HIPAA Security Standards serve to recognize and highlight the vulnerabilities of electronic data. They make clear that for every benefit attributable to having health-care information in electronic form there is a parallel universe of potential pitfalls that need to be avoided. The same internal network that benefits members of the care team can be accessed by unauthorized insiders and outsiders. The same growth in data storage capacity that can accommodate thousands of medical records allows the unauthorized copying of huge amounts of information relatively quickly and cheaply. Unauthorized access, unauthorized copying, malicious destruction, ease of corruption, and potential for infection from viruses and worms are only a few of the potential problems with electronic data that the HIPAA Security Standards are designed to address.



HIPAA Privacy Standards

The HIPAA Privacy Standards are designed to establish a regulatory structure that will protect from unauthorized use and disclosure individually identifiable health information "that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form" such as when a computer screen has been printed out on paper.

The Privacy Standards establish a floor for the protection of electronic health information. There is no limitation placed on states that prohibits enactment of more comprehensive protections, provided that a party can in fact comply with the state and federal laws and the state laws do not impede the purposes and objectives of the federal law. "Individually Identifiable Health Information" is defined as "information that is a subset of health information, including demographic information from an individual and that:

1. Is created by or received from a health-care provider, health plan, employer, or health-care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

  • Which identifies the individual, or
  • With respect to which there is a reasonable basis to believe that the information can be used to identify the individual."

Out of this data set "protected health information" is defined as:

[I]ndividually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form.

Rules of Use and Disclosure

The HIPAA Privacy Standards bow to the realities of modern medicine while at the same time granting significant new rights to individuals. Use and disclosure of protected health information without patient authorization is permitted for treatment, to obtain payment, and for internal administrative and peer review purposes that are all part of ensuring appropriate treatment and payment. Public health, research and law enforcement exceptions to individual authorization are also outlined. What is significant, however, is how the privacy standards set out a string of individual rights ("fair information practices") that may make compliance by covered entities exceedingly difficult.

A general rule of disclosure is that covered entities have to make "all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure." This provision can be seen as a response to perceived carte blanche practices where the segregation of data is seen as a bother on one end of the data disclosure spectrum and cost prohibitive on the other.

One of the Privacy Standards that will be applauded by intellectual property lawyers relates to the use or disclosure of "de-identified protected health information." The regulations set out what elements of protected health information need to be removed from the data set in order to make it truly anonymous. It is no secret that significant economic value is associated with the ability to develop proprietary health-care databases that can be mined and sold. By identifying the data elements that need to be effectively stripped from protected health information to classify it as "de-identified," the regulations will make it easier to assert ownership rights on data that can be sold or licensed.

Business Partners

The Privacy Standards have a very broad reach. Except for needed medical referrals or consultations, covered entities may not disclose protected health information to business partners without adequate safeguards. Lawyers, accountants, and others who receive protected health information in the course of representing covered entities are classified as business partners and will have to enter into privacy contracts. Among the various terms these contracts must include are requirements to:

  • establish the permitted and required uses and disclosures of the data;
  • forbid use or disclosure of the data outside of the boundaries of the contract and privacy regulations;
  • use appropriate safeguards.

The most controversial of the terms relates to a requirement that the business partner "make its internal practices, books, and records relating to the use and disclosure of protected health information received from a covered entity available to the Secretary of DHHS for purposes of determining the covered entity's compliance" with the regulations. Obviously attorneys are going to have a very difficult time with this requirement to the extent it conflicts with obligations under the attorney-client-privilege and work-product doctrines. If inspections are allowed, lawyers will need to properly segregate privileged information, on one hand, from administrative materials relative to safekeeping, on the other.


Fair Information Practices

Individual rights encompassed in the fair information practices will require covered entities to provide "adequate notice" to individuals of an entity’s information policies and individual rights and procedures relative to those policies. Fortunately, the proposed privacy standard contains a draft "Provider Notice of Information Practices" that is likely to become the de facto standard for providing notice.

The specific right to access to protected health information contained in the regulations may prove troublesome for lawyers. This is because the right extends to "such information in a business partner’s record set that is not a duplicate of the information held by the provider or plan, for so long as the information is maintained." In practical terms this right of access will apply to numerous medical liability and other case files containing expert and other reports.

Individuals will also have the right to an accounting of nonroutine disclosures of protected health information. Together with the Security Standards, this essentially means that systems will have to be developed to track all disclosures. Business partners will also have to provide an accounting.
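The three Privacy Standard mechanics discussed above (the "minimum necessary" rule, de-identification by stripping identifying elements, and an accounting of nonroutine disclosures) can be seen working together in a small policy-enforcement routine. This is an added illustration, not code from the article or from any DHHS publication; the record fields, the purpose-to-field mapping, and which fields count as identifiers are assumptions chosen for the example.

```python
from datetime import datetime, timezone

# Constructed sample record. Field names and values are assumptions for this
# example, not data elements taken from the regulation.
RECORD = {
    "patient_name": "Jane Example",
    "ssn": "000-00-0000",
    "address": "1 Example St, St. Paul, MN",
    "date_of_birth": "1960-01-01",
    "diagnosis": "hypertension",
    "procedure": "office visit",
    "claim_amount": 125.00,
    "provider": "Example Rural Clinic",
}

# Fields that identify the individual. Removing them is the de-identification
# step the article describes; which fields count is an assumption here.
IDENTIFIERS = frozenset({"patient_name", "ssn", "address", "date_of_birth"})

# "Minimum necessary": each purpose maps to the smallest field set it needs.
# The purpose-to-field mapping is an assumption for illustration.
MINIMUM_NECESSARY = {
    "treatment": {"patient_name", "date_of_birth", "diagnosis", "procedure"},
    "payment": {"patient_name", "procedure", "claim_amount", "provider"},
    "research": frozenset(RECORD) - IDENTIFIERS,
}

# Treatment and payment are routine uses; anything else is nonroutine and
# must be recorded so the individual can later obtain an accounting.
ROUTINE_PURPOSES = {"treatment", "payment"}

DISCLOSURE_LOG = []


def de_identify(record):
    """Strip the identifying fields so the remainder no longer names the individual."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


def is_de_identified(record):
    """True when none of the identifying fields survive in the record."""
    return IDENTIFIERS.isdisjoint(record)


def disclose(record, purpose, recipient):
    """Release only the minimum-necessary fields for `purpose`; log nonroutine releases."""
    allowed = MINIMUM_NECESSARY.get(purpose)
    if allowed is None:
        # No policy for this purpose: refuse rather than fall back to the full record.
        raise PermissionError(f"no minimum-necessary policy for purpose {purpose!r}")
    released = {k: v for k, v in record.items() if k in allowed}
    if purpose not in ROUTINE_PURPOSES:
        DISCLOSURE_LOG.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "recipient": recipient,
            "purpose": purpose,
            "fields": sorted(released),
        })
    return released


def accounting_for(recipient=None):
    """Return the nonroutine disclosures, optionally filtered to one recipient."""
    return [e for e in DISCLOSURE_LOG if recipient is None or e["recipient"] == recipient]


if __name__ == "__main__":
    print(disclose(RECORD, "payment", "Example Clearinghouse"))
    print(disclose(RECORD, "research", "Example Research Partner"))
    print(accounting_for())
```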

Another very significant right relates to the ability of individuals to request amendment or correction of protected health information. This will require covered entities to have procedures in place that will enable individuals to request changes to the records and determine whether requests should be granted or denied. Significantly, covered entities will also be required to disseminate amendments to their business partners and others to whom erroneous information has been disclosed.

Conclusion

The HIPAA Security and Privacy Standards try to balance the realities of the electronic transmission and maintenance of protected health information with the competing needs of individuals, the health care community, and society. It is too early to tell whether the balancing of interests inherent in the regulations is fair or even workable. What is important to remember, however, is that the HIPAA Standards represent a significant step to outline what the right to privacy with respect to health care information will look like in the 21st Century and how that right will be protected.

Attorneys who are willing to devote the time, energy and resources to successfully integrate their knowledge of both law and technology will be well-positioned to advise health care and other clients on the various facets of protecting electronic data. As the much anticipated eve of Y2K approaches, the HIPAA Security and Privacy Standards demonstrate that the weaving together of the disparate threads of law, technology, and the protection of privacy will provide challenges for lawyers on both a professional and personal basis.

Notes

1 Louis Harris & Associates, Harris-Equifax Consumer Privacy Survey (1995); cited in Principles for Health Privacy, A Report of the Health Privacy Working Group, Institute for Health Care Research and Policy, Georgetown University (1999).

2 Phrase coined by Alan Goldberg of Goulston and Storrs in Boston, MA.

3 "Business Day" in The New York Times, Monday, October 25, 1999, section C-10.




Sensitivity of Personal Privacy

In 1999, the controversy over the alleged misuse of personal data by U.S. Bank in Minnesota served as a warning to attorneys and their clients about the explosive and unpredictable nature of public controversy when it is perceived that personal privacy is being invaded. The allegations made by Minnesota Attorney General Mike Hatch were denied, but the tremendous power of anecdotal information to instantly transform public opinion regardless of the underlying facts apparently led to an early settlement.

Concerns about privacy of personal information are also being raised by the recently enacted Financial Services Modernization Act that overhauls Depression-era banking laws and permits consolidation in the banking, insurance and securities industries. The paradox (Pandora’s Box?) of data mining expected under the new law is expressed by David H. Komansky, chairman and chief executive of Merrill Lynch & Company:

I have two points of view … As an individual and consumer, I think I am entitled to certain privacies. The things that concern me are health records as they apply to mortgages [sic] applications, for example -- I want to have those protections. … As a businessperson, having the option to "data-mine" investment traits of clients can position us to be able to more efficiently market our products. It’s an important advantage and something of value.3