Things happen fast in a digital world. In a fraction of a second an individual’s entire identifiable healthcare information can be disseminated to millions of people through the miracle of the world-wide web. Instant access to patient healthcare information has advanced the art of medicine and undoubtedly decreased patient morbidity and mortality. But the potential for abuse of this information by insurance companies, HMOs, employers, governmental entities, and others, has caused concern for individual security and privacy, and has required some control on who may have access to an individual’s protected medical information. Thus was born the Health Insurance Portability and Accountability Act of 1996, or “HIPAA”, with the objective of improving the access, portability and continuity of medical insurance coverage, while providing patients with control over their own personal “protected health information”, or “PHI”. The HIPAA Privacy Rule, now codified at 45 CFR § 164.502(b) et seq., gives patients control over how their personal information is used by their healthcare insurers and healthcare providers, while at the same time giving those patients greater access to their own medical records. The privacy provisions under HIPAA apply to “covered entities”, defined to include individual or group healthcare plans, prescription drug plans, HMOs, Medicare, Medicaid, and long-term healthcare providers. HIPAA also covers “providers of services”, which include hospitals, physicians, dentists, and other healthcare practitioners. While the privacy provisions of HIPAA did not differ greatly from pre-existing State statutes requiring that a patient’s written consent be obtained before disseminating protected health information, the criminal and civil penalties for non-compliance under HIPAA are severe to the point of being draconian.
Should a “covered person or entity” fail to comply with the privacy rule under the provisions of HIPAA, the Department of Health and Human Services may impose a civil penalty of $100.00 per violation, capped at an aggregate of $25,000.00 per annum for violations of the same requirement. Any person found knowingly disclosing individually identifiable health information in violation of the privacy rule may face a criminal penalty of up to ten years in prison, and could be fined up to $250,000.00, if the offending party intended to sell or profit from the transfer of the individually identifiable health information. Criminal sanctions are enforced by the United States Department of Justice.
Passage of HIPAA in 1996 certainly got the attention of healthcare providers, HMOs, and medical insurers. It even got the attention of individuals considered “business associates” of healthcare providers, including lawyers, accountants, consultants, managers, and financial advisors working with or at the direction of healthcare providers. Those individuals or entities are also held accountable under the civil and criminal penalty provisions of the Act. The medical community’s initial response to the privacy provisions of HIPAA was paradoxical: for a time there was a significant reduction in information sharing between healthcare providers and their business associates, out of fear of violating the privacy provisions of the Act. Numerous legal opinions were sought and seminars on HIPAA were conducted. Practitioners and business associates were advised that the privacy provisions of HIPAA applied to a patient’s protected health information in any form, including written, verbal or electronic communications. This information includes the patient’s name, address, social security number and other identifying data. The Act and the privacy rule, for some reason, did not include any standard form HIPAA-compliant authorization. Without a standard form authorization for guidance, healthcare providers, or “covered entities,” were left to create their own HIPAA-compliant authorizations. The failure to create a standard form HIPAA-compliant authorization predictably resulted in hundreds of unique medical authorizations in Bexar County alone. The end result was that healthcare providers and other covered entities routinely rejected all authorizations other than their own uniquely designed document.
Therein lay the problem. Each doctor, hospital, healthcare institution or governmental entity created its own HIPAA-compliant authorization, and refused to accept authorizations from other healthcare providers, covered persons, or business associates. In virtually every instance the authorizations differed only in form, not in substance or content. Nevertheless, the fear generated by the criminal penalties set out in the statutes, and the horror stories presented at medical and legal seminars, caused healthcare providers to reject signed medical authorizations that had not been approved by their own lawyers or legal departments.
For the most part, fears of civil or criminal penalties for non-compliance with the privacy provisions of the HIPAA statute were exaggerated and unfounded. There appear to be no reported cases in Texas where a healthcare provider was convicted of criminal conduct, or found civilly liable, for providing medical information after having received a written authorization to do so from a patient or that patient’s legal guardian or representative. Simply put, a patient’s medical information disclosed by a healthcare provider in the good-faith belief that the signed medical authorization was adequate has never resulted in civil or criminal liability in the State of Texas.
Currently, the problems resulting from the numerous uniquely designed medical authorizations still substantially slow the exchange of medical information between healthcare providers, insurance companies, lawyers and other business associates. These one-of-a-kind authorizations delay the exchange of medical and billing information between doctors, healthcare institutions, HMOs, insurance companies, and governmental entities. These individualized medical authorizations delay information gathering by lawyers on behalf of their clients, and increase the litigation expenses and court costs associated with the prosecution or defense of both civil and criminal litigation.
The problem created by these uniquely designed HIPAA-compliant authorizations was addressed earlier this year by members of the Medical/Legal Liaison Committee. The Medical/Legal Liaison Committee is made up of doctors from the Bexar County Medical Society and lawyers from the San Antonio Bar Association who meet several times a year for the purpose of openly exchanging information, and working to resolve problems that arise from time to time between the two professions. The problem presented to the committee by the numerous uniquely designed HIPAA-compliant authorizations was one such problem. The solution was obvious. Since the statute had failed to include a standard form authorization, the doctors and lawyers of the committee, working together, created a HIPAA-compliant medical authorization which the committee felt would satisfy the requirements of the statute, and which could be approved for use by both the San Antonio Bar Association and the Bexar County Medical Society. A subcommittee was appointed, draft documents were prepared, amendments and changes were made, and two suggested standard form authorizations were approved and voted out of committee. One of the authorizations is intended for the use of physicians or healthcare providers. The second authorization is intended for use by hospitals or healthcare facilities. The committee felt that two different medical authorizations were needed because of the distinctly different types of records and materials retained by physicians and hospitals. These standard form HIPAA-compliant authorizations were submitted to the San Antonio Bar Association and to the Bexar County Medical Society, and both organizations approved the suggested standard form HIPAA-compliant authorizations for use by healthcare providers in this community. Copies of the suggested forms are appended to this article and may also be found on the San Antonio Bar Association’s and Bexar County Medical Society’s websites.