The fact that HIPAA traces its origins back to 1996 seems almost insignificant. In fact, in the various presentations I have seen or participated in that begin with the history of HIPAA, my general reaction is: why bother, who cares about its origins?
However, I can identify one particular point about HIPAA’s origins that is of current interest.
The origins of HIPAA and the privacy of patient records date from a time when the digital world was in its relative infancy, and the general focus of the law was on paper records. The HITECH component was added later in an attempt to catch up with the then emerging digital technology.
However, HIPAA legislation starts with and focuses on information that is in the possession of a covered entity.
The HIPAA definition of a Covered Entity is:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter of the Omnibus Rule.
Typically, this straightforward definition is taken to mean a doctor or health care provider, or the entities referenced in (1) and (2) that by their nature receive or transmit health information. However, there are many other individuals and/or entities that are provided with an individual’s medical records. Obviously, privacy and HIPAA coverage are extended to Business Associates and subcontractors, with the caveat that they are downstream from Covered Entities. Medical information that does not flow from a Covered Entity may be covered by other laws regarding the privacy of information, but it would not necessarily be covered by HIPAA, HITECH or the Omnibus Rule.
This gap seems to be mostly attributable to the genesis and development of HIPAA.
Based on the general understanding of HIPAA and its definition of a “Covered Entity,” a plaintiff’s personal injury law firm that came into possession of its client’s medical records would not be subject to HIPAA. While the attorney might be subject to other restrictions on the privacy of legal records, as a general proposition those rules are not as restrictive as HIPAA: they do not require a risk analysis, do not require privacy, security and breach protocols, and do not necessarily carry the fines associated with HIPAA violations.
Texas recently passed revisions to the Texas Medical Records Privacy Act, which in section 181 incorporates HIPAA but broadens the definition of a covered entity as follows:
“Covered entity” means any person who:
(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
(B) comes into possession of protected health information;
(C) obtains or stores protected health information under this chapter; or
(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
It seems that, based on the expanded definition, Texas plaintiff’s personal injury attorneys would be subject to the additional requirements and/or restrictions and increased fines. Obviously, this expanded definition goes well beyond plaintiff’s personal injury attorneys. Examples might be cloud-based storage companies that become subject to the Texas law, software applications that store and/or utilize an individual’s medical records supplied directly by the individual, and the list goes on.
There may be other state laws which further expand the requirements on individuals or entities that possess ePHI; however, those other states are beyond the scope of this post.
Obviously, it is important to carefully read the Texas statute in its entirety and understand its applicability on a case-specific basis. However, there is very little doubt that it dramatically expands the people and/or entities that are subject to HIPAA-equivalent analysis, safeguards, and protection of PHI and ePHI.
In addition, reviewing individual state laws is becoming more important, and raises the question of whether the federal government will broaden the applicability of the current Omnibus Rule.
What do you think?