HIPAA is the Health Information Portability and Accountability Act, first passed by the U.S. Congress in 1996 and administered and regulated by the federal Department of Health and Human Services (HHS). The law and its associated regulations are complex and were recently changed and expanded per a 2009 law known as HITECH (the Health Information Technology for Economic and Clinical Health Act).1
HIPAA was originally enacted to assist in reducing the waste, fraud, and abuses found in health insurance and health care delivery, as well as to establish standards to promote the efficiency of health care data processing, maintenance, and exchange. The result is an evolving national framework for privacy, security, and transmission standards. Importantly, Congress recognized that advances in electronic technology could erode the privacy of health information. Individuals, organizations, and agencies that meet the definition of a “covered entity” under HIPAA must, among other things, follow established electronic data interchange standards and comply with rules and establish policies intended to protect the privacy and security of health information. If a covered entity engages a “business associate” to assist with its health care activities and functions, the business associate is subject to the HIPAA laws as well. The laws are most frequently applied in the context of those organizations that are commonly connected with the health care industry, such as hospitals, doctors’ offices, and HMOs.
What about camps?
The passage of recent regulations and the increasing electronic collection of camper health information have caused many camps to ponder whether HIPAA applies to their camp operations. Our intent is to provide some clarity and pose questions that spur camps to investigate these issues with their legal counsel. Let us be clear at the outset: We do not believe that HIPPA applies to those camps we deal with on a day-to-day basis. Obviously, camps will want to confer with their legal counsel and reach their own conclusions in this regard. Ultimately, applicable or not, HIPAA and its regulations contain some important and useful concepts and principles regarding privacy and security of medical (and other) records.
CampLine has included articles in the past that a ddress HIPAA’s a pplication to camps — most recently, “Electronic Medical Records in the Camp Setting: HIPAA Considerations,” by Tracey Gaslin and Stuart Weinberg, in the Winter 2012 issue. Our effort is not to analyze the content of this or other articles, but, rather, to provide some independent thoughts. Coming from our legal perspective, we do in fact differ with some of that article’s conclusions in regard to HIPAA’s application. However, questions posed by the authors regarding a camp’s general considerations for both privacy and security are constructive and helpful — particularly in light of camper family expectations, applicable state privacy, security breach notification or other laws, and prudent business practices.
Basically, if an individual or organization fits the criteria of a “covered entity,” it must comply with the privacy and security rules under HIPAA (including the expanded requirements of HITECH — discussed below). A covered entity is defined as: 1) a health plan, 2) a health care clearinghouse, or 3) a health care provider who transmits any health information in electronic form in connection with a “covered transaction” (as those terms are defined in HIPAA regulations).2 As mentioned above, “business associates” (those assisting a covered entity regarding protected health information) must also comply with many of the HIPAA/HITECH requirements. Covered entities are further defined under HIPAA as follows:
- A “health plan” is an individual or group plan that provides, or pays the cost of, medical care — but excludes plans with under fifty employees or those that are administered solely by the employer.
- A “health care clearinghouse” is a public or private entity that processes or facilitates the processing of health information into a standard or nonstandard format.
- There are two components involved in determining whether a health care provider is a covered entity under the HIPAA regulations. First, the provider must fall within the definition of a health care provider, that is: a “provider of services” or of “medical or health services” (as those terms are separately defined in the law3), OR any other person or organization who furnishes, bills, or receives payment for health care4 in the normal course of business. Secondly, if the health care provider is conducting these activities, it must ALSO (to meet the covered entity definition above), be transmitting health information in connection with “covered transactions,” in electronic form.
What is a covered transaction? A covered transaction is any of the following, for which the Secretary of HHS has established standards5:
- Health care claims
- Eligibility for a health plan
- Referral certification and authorization
- Health care claim status
- Enrollment or disenrollment in a health plan
- Health care electronic funds payment and remittance advice
- Health plan premium payment
- Coordination of benefits
- Medicaid pharmacy subrogation
These categories are further described in the regulations.
As should be apparent, in order to qualify as a covered entity, and thus be required to comply with HIPAA, an organization must fit within some very specific definitions and categories. Camps may take some comfort in these observations:
- A camp does not meet the definition of a health care clearinghouse.
- A camp is unlikely to fall within the health plan category (but check with your legal counsel, and refer to the HHS covered entity chart,6 a helpful guide, if you have a health plan for your employees that you believe may qualify).
- If a camp is a covered entity, the most likely category is that of a qualifying health care provider. However, to fall into this category, the camp must meet several conditions, as outlined in the law and as discussed here.
How likely is it that a traditional camp will fall within the health care provider covered entity category? As we have noted, the original and continuing focus of HIPAA was and is on the health care industry and those engaging in “electronic data interchange” — exchanges between and among organizations like doctors’ offices, HMOS, insurance companies, and hospitals. A camp certainly provides health care to its campers — but that alone is insufficient to trigger HIPAA. A camp may collect health information in electronic form, via its Web site or e-mail communications with campers and their parents, regarding the camper’s health information. That exchange, also, is insufficient to trigger HIPAA. Finally, even if the camp furnishes, bills, or receives payment for health care in the normal course of its business, HIPAA is not triggered unless that is done in electronic form, in connection with a covered transaction.7
But what if the camp is routinely (and electronically) submitting claims, making claims inquiries, electronically billing insurance companies for reimbursement, or other activities involving what appear to be covered transactions? In that event, the camp may need to investigate HIPAA’s application to their business. However, a bit of background here will help.
If a camp determines it must comply with HIPAA laws and rules, that compliance includes using the assigned “code sets,” “identifiers,” and “electronic data interchange” (EDI) standards that are outlined in the regulations for covered entities engaging in covered transactions.8 Covered transactions are literally defined as “the transmission of information between two parties to carry out financial or administrative activities related to health care.” These activities are very specific and are outlined in the bulleted list above. Consider this perspective provided from the Centers for Medicare and Medicaid (accessible from the HHS Web site):
HIPPA named certain types of organizations as covered entities, including health plans, health care clearinghouses, and certain health care providers. In the HIPAA regulations, HHS adopted certain standard transactions for EDI of health care data. . . . [Refer to the bulleted list above.] Under HIPAA, if a covered entity conducts one of the adopted transactions electronically, they must use the adopted standard. . . . [and] adhere to the content and format requirements of each transaction. Under HIPAA, HHS also adopted specific code sets for diagnoses and procedures to be used in all transactions. The HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and hospital inpatient Procedures), ICD-10, and NDC (National Drug Codes) codes, with which providers and health plans are familiar, are the adopted code sets for procedures, diagnoses, and drugs. Finally, HHS adopted standards for unique identifiers for [e]mployers and [p]roviders, which must also be used in all transactions.9
You should be getting the picture. HIPAA was intended for a pretty defined group. Nonetheless, if you believe your camp may be covered, considering your camp’s health care activities, you should check the HHS Web site and seek advice from informed legal counsel or other experts.
If you determine your camp is a covered entity, all of the HIPAA compliance requirements will apply — the “privacy” rule, the “security” rule, the “security breach notification” rule (included in HITECH), and all other aspects of the law. Here is a helpful summary of the basics of the rules/law:
- Notice of privacy practices.
- Appropriate safeguards to protect the privacy of “protected health information (PHI),”10 including establishing limits on the use and disclosure of that information.
- Note that if you are a covered entity, the privacy rule applies to PHI exchanged or held in electronic form, written form, or any other form.11
- Appropriate rules, procedures, and methods for protecting electronic PHI12 (e-PHI), including administrative, physical, and technical safeguards. The security rule applies to e-PHI that a covered entity creates, receives, transmits, or maintains.
- The security rule focuses on, among other matters:
- The confidentiality, integrity, and availability of e-PHI.
- Identifying and protecting against reasonably anticipated threats to the security or integrity of e-PHI.
- Protecting against reasonably anticipated impermissible uses or disclosures.
- Ensuring compliance by the covered entity’s workforce.
HITECH (Including Security Breach Notification Rule13)
Among other things, HITECH modifies and expands HIPAA to:
- Apply the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates.
- Establish mandatory federal privacy and security breach reporting requirements for covered entities and business associates.
- Expand the scope of HIPAA privacy and security rules for covered entities and business associates.
- Establish new/increased criminal and civil penalties for HIPAA noncompliance as well as new enforcement methods.
Use of Code Sets and Identifiers and Compliance with EDI Standards
Transmission of health information in covered transactions must comply with EDI standards and use specific Code Sets and Identifiers (see above).
HHS’s power (via HIPAA, as amended by HITECH) through the Office of Civil Rights (and other enforcing bodies) to take action, including imposing civil or criminal penalties, for HIPAA violations.14
This is a person or entity, other than the organization’s employees, that performs functions or activities on behalf of a covered entity, involving the use or disclosure of PHI. This includes things like claims processing, data analysis, and billing. Both HIPAA and HITECH impose responsibilities and liabilities on business associates.15
So, what does responsible camp management do with these admittedly complex and sometimes confusing laws and regulations?
Have a lawyer review your activities to determine if HIPAA applies to your camp. Ultimately, even if you and your lawyer conclude that your camp is NOT a covered entity, recognize that you are handling potentially sensitive information. Understand other applicable laws dictating the need to protect the privacy and security of health or other information, and e-data security (see below). Also consider camper family expectations that sensitive information will be handled sensitively. Even if HIPAA appears not to apply to your camp, consider developing a sensible and appropriate privacy and security policy. Consider the following:
- Some folks have suggested simply complying with HIPAA privacy and security requirements, even if the camp is not a covered entity. Adherence to those requirements, in the absence of required compliance, is likely overkill.16 However, reviewing suggested HIPAA policies and crafting a modified version of those policies may be a practical way to address these concerns.
- Consider the basis and means for appropriately protecting the data, including e-data, that your camp creates, receives, transmits, or retains. This is not simply health information, but includes other camper/family personal information, participant agreements, payment and enrollment information, your staff employment or other records, or other information. Considering other state and federal laws governing privacy and security breach notification (outside the context of HIPAA) and the need to preserve e-files as electronic records or for evidentiary or discovery purposes, developing and implementing guidelines to address administrative, physical, and technical safeguards for the protection of e- (or other) data is a prudent course.
- Assure you are in compliance with state or federal privacy and security breach notification laws or other applicable laws.
- In addition to the endnotes of this article, consider these basic references:
- An overview of the various HIPAA rules: www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
- A good summary of the HIPAA privacy and security rules for covered entities and business associates: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
- Another very helpful Web site that is clearly and simply written: www.hipaa-101.com/
We will conclude as we began: We believe that the camps with which we are most familiar are likely not covered by HIPAA. However, HIPAA and its recent HITECH amendments are expansive laws affecting the health care industry, which are complex and widely misunderstood by many in the camp industry. As a result, we recommend that any camp that believes it may be subject to HIPAA work with its legal counsel to examine the issues carefully, based upon the camp’s specific operations. Even if you believe or determine your camp is not legally obligated to comply with HIPAA, take the time to develop prudent privacy and security policies regarding medical or other sensitive information you possess — whether that information is created, received, transmitted, or maintained electronically or otherwise by your camp.
*This article contains general information only and is not intended to provide specific legal advice. Camps and related organizations should consult with a licensed attorney regarding application of relevant state and federal law as well as considerations regarding their specific business or operation.
Charles R. (Reb) Gregg is a practicing attorney in Houston, Texas, specializing in outdoor recreation matters and general litigation. He can be reached at 713-982-8415 or e-mail email@example.com; www .rebgregg.com.
Catherine Hansen-Stamp is a practicing attorney in Golden, Colorado. She consults with and advises recreation and adventure program providers on legal liability and risk management issues. Hansen-Stamp can be reached at 303-232-7049, or e-mail firstname.lastname@example.org; www.hansenstampattorney.com.
- HIPAA, Public Law 104-191; HIPAA regulations: 45 C.F.R. 160-164. HITECH, 42 U.S.C. 17901, et seq. (2009) (Title XIII of the American Recovery and Reinvestment Act [“ARRA”]); HITECH regulations modifying 45 C.F.R. parts 160 and 164: Federal Register Vol. 17, No. 7, 1/25/2013. For simplicity in this article, our general references to “HIPAA” intend to include the changes implemented via HITECH law and regulations.
- 45 C.F.R. 160.103 definitions.
- Id., as those terms are further defined in 42 U.S.C. 1395x(s) and (u).
- Id. “Health care” is defined as care, services, or supplies related to a person’s health, including but not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to a physical or mental condition or functional status of a person, or that affects the structure or function of the body; and the sale/dispensing of a prescription drug, device, equipment, or other item.
- 45 C.F.R. 160.103 and 162.1101-1901.
- www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. Consider a potential typo in the chart discussing health care plans — page 5, middle box at the top, we believe should read “OR” and not “AND” to be consistent with the applicable regulation definition at 45 C.F.R. 160.103. Discuss with your legal counsel.
- Office of Civil Rights (“OCR”) Summary of the HIPAA Privacy Rule, 2003, p. 2; id. at note 2.
- 45 C.F.R. 162.404 and 406; 162.920 (as referenced in 162.1101- 1802), 162.1000-02.
- Centers for Medicare and Medicaid Web site (“CMS”) at: www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/TransactionCodeSetsStands/index.html?redirect=/transactioncodesetsstands/.
- Id., endnote 2 definition for PHI. PHI is defined as “individually identifiable health information,” (IIHI) except for information in certain categories. Note that the regulations define 1) health information, 2) IIHI, 3) PHI, and 4) e-PHI in 45 CFR 160.103. 2) is a subset of 1), and 4) is identical to 3), but exclusively e-PHI. PHI is a subset of IIHI, because some IIHI is NOT protected.
- Id. See also 45 C.F.R 164.306; OCR Summary of the HIPAA Security Rule.
- See note 1, text of HITECH Act and regulations; see also www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
- 45 C.F.R. 160.400, et seq., and HITECH modifications (see sources in note 1) and www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/index.html.
- Id., see endnote 2 definition for business associate. Under the definition, a business associate DOES NOT include a health care provider, in a situation where a covered entity (like a doctor) has disclosed information to the health care provider concerning the individual’s treatment. (Similar to a camp nurse who receives information from a doctor’s office about a camper.)
- Conversation with Philip L. Gordon, Esq., Littleton, Colorado, 3/14/13.