September 2003
THE HIPAA QUAGMIRE:
Compliance Guidelines for the
Health Insurance Portability and Accountability Act
by Cynthia M. Masbaum, Joseph J. Perkoski and Laura M. Sinars, attorneys
Robbins, Schwartz, Nicholas, Lifton & Taylor, Ltd.
The Illinois Association of School Boards gratefully acknowledges the permission of the authors
to publish this document. Please note that this material is not a substitute for legal counsel and
is published for informational purposes only. Please contact your district's attorney for legal
advice.
For more information, visit the HIPAA web site of the U.S. Department of Health and Human
Services www.hhs.gov/ocr/hipaa.
______________________
I. INTRODUCTION
In 1996, the Health Insurance Portability and Accountability Act (“HIPAA”) was signed into
law. The primary focus of HIPAA is to guarantee the continuity of health insurance benefits
for individuals changing employment. The other major component of HIPAA is to promote
standardization and efficiency in the manner in which health care claims are submitted,
processed, and paid. The law was designed to streamline the administration of health care
claims by requiring compliance with consistent rules for the manner in which many
transactions and claims are processed electronically.
Recognizing that advances in technology could quickly erode the privacy of health
information, Congress also included within HIPAA the requirement for the U. S. Department
of Health and Human Services to establish security and privacy standards for electronic
transmissions that contain health information. As a result, the Department has issued
regulations, known collectively as the “Privacy Rule,” to establish such standards [45 C.F.R.
§§ 160 and 164]. There is a good deal of confusion regarding the Privacy Rule and whether
– and, if so, how – it applies to school districts and cooperatives.
II. OVERVIEW OF THE PRIVACY RULE
A. Purpose
To limit the use and disclosure of health records
To provide patients greater notice and control concerning the distribution of their
private health information
B. Requirements
Under the Privacy Rule, “covered entities” must:
Re-printed with permission. 1
© 2003, Robbins, Schwartz, Nicholas, Lifton & Taylor, Ltd.
1) provide information to patients about their privacy rights and how their
information will be used;
2) adopt and implement clear privacy procedures;
3) train employees to understand and follow the privacy procedures;
4) designate individuals responsible for ensuring the adoption and implementation of
the privacy procedures and complaint processes; and
5) secure patient records containing individually identifiable health information so
that they are accessible only by those who are required to access them in order to
carry out their duties.
C. Covered Entities
1. Covered entities include:
a) health plans;
b) health care clearinghouses; and
c) health care providers who transmit any health information in electronic form in
connection with any transaction covered by the Privacy Rule.
2. Application to educational entities
The definition of “covered entities” has raised many issues as to whether educational
entities might be considered a covered entity for purposes of the Privacy Rule either
through health and/or benefit plans offered to their employees or through the
provision of health care services to students. Of the three categories of covered
entities, only the first and third would apply to educational entities.
D. Enforcement
1. Civil Penalties
The Office for Civil Rights has been provided authority to impose significant civil
monetary penalties and criminal penalties against covered entities that fail to comply
with the Privacy Rule. Under the Rule, individuals who believe their privacy rights have
been violated may file a complaint with the Office for Civil Rights.
Fines and penalties can be steep. The Office for Civil Rights may impose civil
monetary penalties of $100 per failure to comply with any Privacy Rule requirement.
This type of penalty may not exceed $25,000 per year for multiple violations of the
same requirement within a calendar year.
2. Criminal Penalties
Criminal penalties, which are steeper than the civil penalties, may also be
imposed through the Department of Justice. These penalties range from $50,000 and
up to a one-year jail sentence for any person found to have knowingly obtained or
disclosed protected health information in violation of HIPAA to $250,000 and up to a
ten-year jail sentence for being found guilty of attempting to sell, transfer, or
otherwise use protected health information for commercial advantage, personal gain,
or malicious harm.
Because of the serious penalties that may be imposed under the Privacy Rule, it is
essential for school districts and cooperatives to carefully analyze the plans and services
they provide in order to determine whether steps must be taken to comply with the Privacy
Rule.
III. HEALTH PLANS
A. Definition
Defined broadly to mean any individual or group plan that provides medical care or
pays the cost of medical care.
The regulations include seventeen categories of examples of what the Department of
Health and Human Services considers a health plan. The relevant consideration for
educational entities is that the definition of a health plan includes any “employer-sponsored
group health plan,” which is defined as an “employee welfare benefit plan
... including insured and self-insured plans, to the extent that the plan provides
medical care, including items and services paid for as medical care, to employees or
their dependents directly or through insurance, reimbursement, or otherwise, that (1)
has 50 or more participants or (2) is administered by an entity other than the employer
that established and maintains the plan.”
B. Factors to Consider to Determine Whether Educational Employers are Considered Health
Plans
Does the school district have a self-insured group health plan?
Educational employers that are self-insured for hospitalization and physician services
are considered health plans and must comply with HIPAA’s Privacy Rule. There is
debate whether educational employers that are self-insured for dental and vision care
are health plans that must comply with the Privacy Rule. However, a careful district
would err on the side of caution and treat the dental and vision care plans as health plans
that must comply with the Privacy Rule.
Is the school district in a self-funded health care trust or health care insurance
cooperative?
Educational employers that participate in self-funded health care trusts or health care
insurance cooperatives may be health plans. The trust or cooperative can choose to
deem itself the health plan, which makes it responsible for Privacy Rule compliance.
Alternatively, it may deem the school or district the health plan. Educational
administrators should contact the board of the cooperative or trust to determine which
party has been designated as the health plan. The party that is not the health plan is
called a “business associate,” which is described below. Health plans must ensure
that business associates also comply with the Privacy Rule either through the trust or
cooperative agreement itself, or through a separate business associate agreement.
Does the school district or college sponsor a flexible spending account (FSA)?
Educational employers sponsoring a self-insured FSA or health reimbursement
account are health plans and are obligated to comply with the Privacy Rule, unless the
plan has fewer than 50 participants and is self-administered.
C. Plan Sponsors
1. Definition
Educational employers that are fully insured for hospitalization and physician
services are considered “plan sponsors” of a health plan under the Privacy Rule, and
not “health plans.” Plan sponsors include the following:
The employer, in the case of an employee benefit plan established or maintained
by a single employer;
The employee organization, in the case of a plan established or maintained by an
employee organization;
The association, committee, joint board of trustees, or other similar group of
representatives of the parties who establish or maintain the plan, in the case of a
plan established or maintained by two or more employers or jointly by one or
more employers or one or more employee organizations.
Therefore, in most situations an educational entity that pays health care insurance
premiums on behalf of employees and dependents would likely be considered a
“plan sponsor” and not a “health plan.”
2. Plan sponsors’ access to information
If the educational entity is considered a plan sponsor, that entity may no longer
have access to information from the health insurance company that it
previously was able to access. According to the Privacy Rule, any “group health
plan” is required to restrict the “use and disclosure of [health information] by the
plan sponsor.”
However, health plans may disclose participants’ health information to plan
sponsors in certain circumstances. These include the following:
1) Enrollment and disenrollment information so that the plan sponsor has
knowledge of the participants in the group health plan;
2) Information relating to the amendment and termination of plan documents;
3) Information on plan participants when needed for the purpose of obtaining
bids for insurance purposes; and
4) Protected health information with the written authorization of the plan
participant.
The health plan may require the plan sponsor to sign a certification agreeing to
safeguard participants’ protected health information and promising not to use the
information in employment and benefits decisions. This is different from a
“business associate agreement,” which is described below.
IV. HEALTH CARE PROVIDERS
Health care providers who (1) transmit health information in electronic form (2) in
connection to a transaction covered by the Privacy Rule (3) related to providing health care
services are considered “covered entities” who must comply with HIPAA’s Privacy Rule.
A. Definitions
1. Health care provider
“A provider of medical or health services ... and any other person or organization who
furnishes, bills, or is paid for health care in the normal course of business.”
2. Health care
Any services that are preventative, maintaining, diagnostic, therapeutic, and/or
rehabilitative concerning any aspect of a person’s physical or mental condition.
This broad definition means that any physician, nurse, occupational therapist,
physical therapist, social worker, and/or psychologist who provides such services
would be considered a health care provider.
Further, recall that “health care provider” includes any organization that
furnishes, bills, or is paid for health care.
3. Health information
Any information, whether oral or recorded in any form, that is created or received by a
health care provider, health plan, public health authority, employer, life insurer, school
district or university, or health care clearinghouse and which relates to the physical or
mental health of an individual, the provision of health care to an individual, or the
payment of health care services to an individual.
4. Covered transaction
The transmission of information between two parties to carry out financial or
administrative activities related to health care. This includes:
processing of health care claims (a request to obtain payment and necessary
accompanying information, from a health care provider to a health plan, for health
care);
benefit eligibility inquiries (inquiries into eligibility to receive health care
services, level/amount of coverage, benefits associated with the benefit plan,
along with responses to any such inquiries);
requests for referral authorizations (a request from the health plan to obtain
authorization to provide health care services and/or to refer an individual to
another health care provider, along with the response to such a request);
health care claim status inquiry (inquiry and response into the status of a health
care claim);
transmission of enrollment/disenrollment information in order to establish or
terminate insurance coverage;
health care payment and remittance advice (transmission of payment, information
concerning transfer of funds, payment processing information, Explanation of
Benefits, and/or remittance advice);
health plan premium payment (transmission of payment, information concerning
transfer of funds, detailed remittance information concerning premiums being
paid, payment processing information);
coordination of benefits (transmission of information to determine relative
payment responsibilities).
Note: If a health care provider uses another entity to conduct the covered
transactions on the health care provider’s behalf, the health care provider is still
considered to be conducting such a transaction.
B. Interplay with FERPA
1. Exceptions within the Privacy Rule:
The definition of “protected health information” includes an explicit exception for
education records that are covered under the Family Educational Rights and
Privacy Act (“FERPA”);
Another exception includes “records on a student who is 18 years of age or older
or who is attending a post-secondary school, which are made or maintained by a
physician, psychiatrist, psychologist, or other recognized professional or
paraprofessional and are made in connection with the provision of treatment to
the student, if such records are not made available to anyone other than people
providing such treatment.”
2. The current debate concerning the FERPA exception
Although these exceptions exist within the definitions of the Privacy Rule, the
Department of Health and Human Services has indicated that it did not intend the
FERPA exception to create a categorical exemption of school districts from the
Privacy Rule.
The information transmitted to Medicaid and/or a parent’s insurance policy for
billing purposes would not normally be considered an educational record
maintained under FERPA. Given the requirements under FERPA, it does not
seem advisable for an educational entity to attempt to modify its practices to
treat such billing records as records that must be maintained under FERPA.
Educational records which fall under the definition of FERPA continue to be
covered under FERPA and are exempt from HIPAA’s Privacy Rule, even if such
educational records contain health-related information.
The Department of Health and Human Services is currently analyzing the
interplay between HIPAA and FERPA as it applies to educational entities and will
be issuing guidance on this matter. Lobbying efforts are underway at the national
level to encourage an interpretation that would exempt educational entities
from the requirements of the Privacy Rule altogether.
3. Factors to consider to determine whether activities engaged in by educational entities
trigger compliance with the Privacy Rule
Does the educational entity electronically bill for services provided to students
with disabilities?
Although, as stated above, debate continues concerning the impact of the FERPA
exception, the current interpretation of the Privacy Rule would likely require
compliance if the educational entity transmits any health information
electronically to Medicaid or private insurance for billing purposes or for any
other transaction that falls under one of the “covered transactions.” Since billing
and administrative records are not maintained as “educational records” under
FERPA, compliance with the Privacy Rule would be advised. However, an
educational entity may declare itself a “hybrid,” as described below, which will
limit compliance with the Privacy Rule to the specific departments or
divisions that undertake activities triggering compliance.
Does the educational entity have a nurse or on-campus medical clinic?
Educational employers that provide health care services to their employees and/or
students through a school nurse or on-campus medical clinic must assess the
nature of their transactions to determine whether they are considered health care
providers. If the school nurse or clinic transmits health information in electronic
form for any transaction covered by HIPAA, the nurse or clinic would be
considered a health care provider subject to the Privacy Rule.
V. BUSINESS ASSOCIATES
A. Definition
A person or organization, other than a member of a covered entity’s work force,
that performs certain functions or activities on behalf of, or provides certain
services to, a covered entity, where those functions or services involve the use or
disclosure of individually identifiable health information.
These functions or activities may include claims processing, data analysis,
utilization review, and billing.
The Privacy Rule mandates that covered entities ensure that their business
associates comply with their privacy practices.
B. Business Associate Agreement
When a covered entity uses a contractor to perform business associate services or
activities, the Privacy Rule requires that the covered entity include certain
protections for the health information in a business associate agreement.
The covered entity must impose specified written safeguards on the individually
identifiable health information used or disclosed by its business associates.
VI. HYBRID ENTITIES
A. Definition
1. A single legal entity that is a covered entity and whose covered functions are not its
primary functions.
2. Use of “hybrid status”
The benefit of declaring hybrid status is to insulate non-covered functions from
covered functions so that only functions that trigger compliance with the Privacy
Rule are required to comply.
To become a hybrid entity, the covered entity must designate in writing its
operations that perform covered functions as one or more “health care
components.” After making this designation, the requirements of the Privacy
Rule will apply only to the health care components. Failing to designate those
components that are covered by the Privacy Rule would cause the covered
entity to be subject in its entirety to the Privacy Rule.
It is important to carefully identify which functions will be considered as the
“health care components,” taking into account that health information may be
shared between persons involved in covered and non-covered functions.
Consideration should be given to whether to be over-inclusive in identifying which
components are “health care components,” which may be easier for administrative
purposes and continuity. If the educational entity chooses not to include all such
functions within the privacy policy, it is recommended that business associate
agreements be executed between the departments that may exchange protected
health information.
VII. STEPS TO COMPLIANCE
Educational entities that are required to comply with the HIPAA Privacy Rule, even as a
hybrid entity, can follow these steps toward compliance:
1. Organize a team to oversee and control HIPAA compliance.
2. Set a target compliance date.
3. Determine health plan and health care provider components.
4. Assess the current uses and occurrences of protected health information.
5. Identify the parties that view and have access to participants’ protected health
information, including outside parties.
6. Require business associate agreements of outside parties with access to protected
health information.
7. Develop and implement privacy policies and procedures in accordance with the
Privacy Rule, which include:
a. Declaration of hybrid entity;
b. Privacy rights for individuals;
c. Appropriate uses and disclosures of protected health information;
d. Instructions on the minimum necessary standard (limiting the release of
information to the minimum reasonably needed for the purpose of the disclosure);
e. Procedures to document, monitor and audit the use of protected health
information;
f. Procedures for record retention;
g. Complaint procedures;
h. Discipline for violations;
i. Mitigation steps for improper use or disclosure of protected health information;
j. Anti-retaliation provisions;
k. Individual and personal representative inspection of protected health information;
l. Individual and personal representative amendment of protected health
information;
m. Training of employees on the privacy policy and underlying procedures;
n. Distribution of privacy notices to affected individuals and their personal
representatives; and
o. Employee confidentiality.
8. Amend the health plan to allow for the disclosure and receipt of protected health
information for bidding plans.
9. Appoint a Privacy Officer to oversee and implement the privacy policy and to
safeguard and control the disclosure of participants’ protected health information.
10. Train employees on the privacy policy, security of protected health information and
disclosure of protected health information.
11. Develop internal discipline sanctions for employee violations of the privacy policy.
12. Contact prospective business associates and enter into business associate agreements.
13. Send Privacy Notices to participants in the health plan.
14. Maintain records of disclosures of protected health information.
15. Create security measures for the physical files and computer files of protected health
information.
16. Develop the following documentation for compliance:
a. School Board Resolution adopting Privacy Policy
b. Privacy Officer Job Description
c. Privacy Policy
d. Privacy Notice to Participants
e. Amendments to health plan
f. Training Documents for those employees in contact with protected health
information
g. Confidentiality pledge or agreement with employees in contact with protected
health information
h. Business Associate Agreements
i. Authorization Forms
j. Personal representative forms
k. Individual Request for Inspection of Health Information
l. Individual Request for Amendment to Health Information Forms
m. Denial Forms
n. Disclosure logs