Author(s): Sean Fosmire

CHANGES TO HIPAA UNDER THE STIMULUS LAW?

There are several new modifications to the December 2000 HIPAA regulations that have been included in the American Recovery and Reinvestment Act of 2009 (ARRA), popularly known as the “stimulus” legislation. Two of them are of potential interest to our clients, particularly in light of statements made in articles that have been published very recently in magazines and on internet sites. On careful review of the language, we have concluded that neither of these new provisions will affect attorneys or claims personnel handling liability, no-fault, or workers compensation cases.

As we have noted in previous Law Fax issues, the Final Privacy Rule under the 1986 HIPAA legislation places restrictions on how and when physicians, hospitals, and other medical providers can release medical records and provide medical information about their patients. See, for example:

HIPAA and Requests for Medical Information in Litigation – February 21, 2003

HIPAA and its Effect on the Sharing of Medical Information by Insurers – May 5, 2003 Ex Parte Interviews of Treating Doctors after HIPAA – March 18, 2005 Ex Parte Interviews of Treating Doctors Disallowed Without Formal Waiver by Patient – November 7, 2005

HIPAA and Discovery Requests for PIP Files – August 24, 2007

Section 13405 of the ARRA statute imposes a new requirement on a medical care provider. If the patient asks the provider not to disclose protected medical information to specific insurers, the provider must comply with the request. This section, however, applies by its terms only to disclosures by the provider to health plans, and does not mention any other insurer. As we noted in the May 2003 article, PIP and workers’ compensation insurers are not covered by the HIPAA requirements that apply to “health plans”, even though they may pay the cost of health care for covered treatment.

This new section will not affect the validity or use of authorizations signed by claimants or plaintiffs to allow an insurer or an attorney to obtain medical records.

The second new provision, Section 13408, extends the scope of the requirements that currently, under the HIPAA regulation, apply to “business associates” of a health care provider to other entities that receive protected health information. Some of the articles that have been recently published about the new HIPAA provisions have broadly asserted that these new requirements will apply to “entities that regularly access” medical information. Since both attorneys and insurers regularly have access to medical information, these articles suggest that the new requirements will apply to them.

Careful examination of the actual language of the statute, however, tells us otherwise.

SEC. 13408. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES.

Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations and a written contract (or other arrangement) described in section 164.308(b) of such title, with such entity and shall be treated as a business associate of the covered entity for purposes of the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this title.

Consideration of this language leads us to conclude that it will not change the current law as to lawyers or claims personnel who have access to medical records. This section covers only companies which engage in two specific activities:

• providing data transmission to a provider or its business associates • entering into agreements to provide medical information to patients in electronic form

Thus, we continue to believe that attorneys, law firms, claims personnel, and liability or no-fault insurers are not Business Associates of health care providers, and will not be subject to the new requirements applying to quasi-Business Associates under section 13408.

As we noted in our May 2003 article, hospitals and doctors may not read the new statute as carefully as we do. You may be asked to sign a Business Associate agreement in order to receive copies of medical records pertaining to an insured. If you do so, you may be subjecting yourself and your company to additional limitations and requirements that would not otherwise be imposed by the HIPAA Final Privacy Rule or other provisions of law.