In response to concerns regarding information privacy and security (including, but not limited to, security breaches leading to identity theft, leaked or lost personal information), and recognizing the benefits achieved by keeping certain information private, a number of jurisdictions have enacted or proposed legislation to regulate the protection of, and access to, the personal, medical and financial information of individuals.
By way of example, the United States has enacted provisions under the Health Insurance Portability and Accountability Act to protect the confidentiality of individually identifiable health information, and new legislation has been introduced in the Senate (“The Specter-Leahy Personal Data Privacy and Security Act of 2005), to protect the confidentiality of personal information in general.
The concern for the protection of personal information is not limited to the United States. For example, the Parliament of the European Union issued a directive in 1995 (“Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995”) regarding the protection of individual privacy in the processing of personal data, which included the following (inter alia) recitals: “Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals”; and “Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community.”
Furthermore, by way of example, Canada has enacted legislation, referred to as Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA's stated purpose is to “establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Even state, territory, and local governments are recognizing the need to address privacy issues. For example, Alberta, Canada, has passed the Health Information Act, which provides individuals with the right to request access to their health records in the custody or under the control of a custodian, while providing custodians with a framework within which they must conduct the collection, use and disclosure of health information. Similarly, Manitoba, Ontario and Quebec, Canada's Health Privacy Information Acts provide rights for individuals to access their personal health information and protects individual privacy rights based on the Canadian Standards Association “Fair Information Practices”.
Common to the laws enacted or proposed by the jurisdictions referred to above, are a number of fundamental provisions regarding the collection, use or disclosure of personal information including, but not limited to: requirements that entities maintaining personal data establish policies to protect such data; requirements that entities maintaining personal data establish policies to regulate access to such data; requirements permitting individuals access to, and the opportunity to correct, any personal information held by entities; and requirements that entities maintaining personal data give notice to individuals regarding a breach involving such personal data.
By way of example, the privacy of personal health information is of fundamental importance to individuals.
Health plans, hospitals, pharmacies, doctors and other health care entities generally have used a wide array of systems to process and track health care bills and other information. Hospitals and doctors' offices may treat patients with many different types of health insurance and would have to spend time and money ensuring that each claim contains the format, codes and other details required by each insurer. Similarly, health plans spend time and money to ensure their systems can handle transactions from various health care providers and clearinghouses.
Enacted in August 1996, the Health Insurance Portability and Accountability Act (“HIPAA”) was designed to make health insurance more affordable and accessible. With support from the health care industry, Congress also included provisions in HIPAA to require the Department of Health and Human Services (“HHS”) to adopt national standards for certain electronic health care transactions, code sets, identifiers and the security of health information. HIPAA also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not meet this deadline, HIPAA required HHS to issue health privacy regulations.
In August 2000, HHS issued final electronic transaction and code sets standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. HHS adopted modifications to some of those standards in final regulations published on Feb. 20, 2003. Overall, the regulations establish standard data elements, codes and formats for submitting electronic claims and other health care transactions. By promoting the greater use of standardized electronic transactions and the elimination of inefficient paper forms, these standards are expected to provide a net savings to the health care industry of $29.9 billion over 10 years. All health care providers will be able to use the standardized transactions to bill for their services, and all health plans will be required to accept these standard electronic transactions.
All covered entities must be in compliance with the electronic transaction and code set standards as of Oct. 16, 2003. However, HHS' Centers for Medicare & Medicaid Services (CMS)—the agency charged with overseeing the implementation of these standards—issued guidance in July 2003 regarding the enforcement of the HIPAA transactions and code set standards after Oct. 16, 2003. The guidance clarified that covered entities, which make a good faith effort to comply with the standards, may implement contingency plans to maintain operations and cash flow. Specifically, as long as a health plan demonstrates a good-faith effort to come into compliance through active outreach and testing efforts, it can continue processing payments to providers using non-standard transactions.
In December 2000, HHS issued a final rule to protect the confidentiality of individually identifiable health information. The rule limits the use and disclosure of certain individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding the use and disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule may be subject to criminal or civil sanctions prescribed in HIPAA.
After reopening the final rule for public comment, HHS Secretary Tommy G. Thompson allowed it to take effect as scheduled, with compliance for most covered entities required by Apr. 14, 2003. (Small health plans have an additional year.) In March 2002, HHS proposed specific changes to the privacy rule to ensure that it protects privacy without interfering with access to care or quality of care. After considering public comments, HHS issued a final set of modifications on Aug. 14, 2002. Most covered entities were required to comply with the privacy rule by Apr. 14, 2003; small health plans had until Apr. 14, 2004 to come into compliance, as required under the law. Detailed information about the privacy rule is available at www.cms.gov/hipaa/hipaa2/enforcement.
In February 2003, HHS adopted final regulations for security standards to protect electronic health information systems from improper access or alteration. Under the security standards, covered entities must protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care. The standards use many of the same terms and definitions as the privacy rule to make it easier for covered entities to comply. Most covered entities must comply with the security standards by Apr. 21, 2005, while small health plans have an additional year to come into compliance.
Privacy and security standards promote higher quality care by assuring consumers and/or patients that their health information will be protected from inappropriate uses and disclosures. In addition, uniform national transaction and code set standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.