On April 14, the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect, requiring compliance from 'health plans,' 'health care clearinghouses' and most 'health care providers' (collectively, covered entities).
The Act includes some flexibility for small plans to reach compliance. For instance, the April 14 deadline applied to all health plans with more than $5 million in annual premiums; plans with $5 million in annual premiums or less must comply by April 14, 2004.
Such entities must comply with HIPAA's standards for electronic health care transactions (unless the entity received an extension) and adhere to the Act's privacy rule.
HIPAA is narrow in application and deep in compliance obligations. The Federal Trade Commission (FTC) provides an additional regulatory backdrop for all entities other than so-called covered entities that collect, use, disclose and receive consumers' sensitive personal information, including their medical and health information.
This column focuses on federal regulation of sensitive personal health and medical information, addressing the privacy aspects of HIPAA as it applies to covered entities, and the FTC's regulation of the collection, use and disclosure of consumers' sensitive personal information by everyone else.
Effect on Covered Entities
HIPAA prohibits a covered entity from using or disclosing protected health information, which is defined as information created or received by a covered entity that relates to the treatment, condition or payment of an individual's health care, and which is traceable to the individual. A covered entity may use or disclose personal health information only when:
A covered entity must disclose personal health information only to the individual (or his or her personal representative) when the individual requests access to or an accounting of disclosures of the information, or to the U.S. Department of Health and Human Services under certain enumerated situations. On the other hand, a covered entity may, but is not required to, use and disclose personal health information without an individual's authorization in the following situations:
Covered entities must have in place policies and procedures that restrict internal access or uses of personal health information and that identify the employees, or classes of employees, who require access to the information to perform their jobs. Such policies must limit the amount of access to the 'minimum necessary' for the employees' work, the Act states. Likewise, covered entities must implement policies and procedures for recurring external disclosure requests that limit the amount of personal health information disclosed to the minimum amount necessary. When such procedures are in place, individual review of each disclosure is not necessary. Individual review is, however, necessary for infrequent, nonroutine disclosure requests.
Notice
Covered entities must provide notice of their privacy practices to individuals affected by those practices. The notice must describe:
The notice must provide a contact point for procuring additional information and for making complaints, and must be distributed pursuant to specific guidelines set forth in HIPAA.
Authorization
Covered entities must obtain an individual's written authorization for any use or disclosure of personal health information that is not intended to be used for treatment, payment or health care operations, or is otherwise permitted or required by HIPAA (see above). Generally, covered entities may not condition treatment, payment, enrollment or benefits eligibility on an individual granting authorization.
Third-Party Transfers
HIPAA substantially limits the extent to which most health information may be used by or disclosed to third parties (i.e., entities other than health plans, health care clearinghouses and health care providers). The most common situation is that in which the covered entity enters into a business associate contract with a third party to:
Also, no authorization is required where the use or disclosure is for the third party's handling of treatment, payment or health care operations, or where the use or disclosure is for other functions, such as marketing, in which case it must be made pursuant to an authorization and be made in writing. In such instances, the authorization must describe:
Effect on Everyone Else
There are two ways HIPAA affects a business. First, if the business has an employer-sponsored health care plan that has annual premiums of $5 million or more, it is regulated by HIPAA. This means that the plan must give employees appropriate notice, obtain their written authorization for any use of personal health information that is not to be used for treatment, payment or health care operations, and that the plan must abide by HIPAA's restrictions on the transfer of personal health information to third parties.
Second, while third-party 'business associates' (that are not also covered entities) are not directly subject to HIPAA requirements, a third party's use or disclosure of personal health information outside the terms of the contract (including beyond the scope of the patient's authorization) breaches that contract and could subject the third party to a private contract action brought by the covered entity. The covered entity in this situation could face HIPAA enforcement action and monetary penalties for noncompliance, which could then be pointed to as damages in the contract action with the third party. The third party (who is not also a covered entity) is not subject to HIPAA's complaint procedure or monetary penalties.
As this situation illustrates, HIPAA does not apply to all entities that handle health information regarding individual consumers. Its reach is limited to how covered entities use and disclose health information. So, where the information, no matter how sensitive, is used or disclosed to a third party that obtains such information via a different information source (not a health plan, health care clearinghouse or a health care provider), that information is not subject to HIPAA and likely will not involve any HIPAA-related business-associate contract.
This does not mean that all personally identifiable health information outside of HIPAA's reach is unregulated. Recognizing HIPAA's limitations, the FTC has stepped in with a general regulatory framework for 'sensitive personal information,' which includes personally identifiable health information. The FTC's framework, which is based on its general authority to regulate 'unfair and deceptive acts and practices,' is simple, elastic and applicable most directly to the collectors of such information. Of course, misrepresentations regarding the nature of information collected, its use, and whether the collector will transfer the information to third parties (and for what purposes) are prohibited.
The more interesting question, though, is whether the FTC's general deception authority requires collectors of sensitive personal information to affirmatively disclose such factors. The safe answer, of course, is to do so, whether information is collected online or offline, provided the disclosures are truthful and complete. But the minimum necessary appears to be an affirmative disclosure of any uses of sensitive personal information a third party transfers for purposes other than for which the consumer provided it. A good test in this regard is to ask whether an ordinary consumer would reasonably anticipate:
If the answer to any of these issues is yes, then a disclosure is likely necessary.
Other Considerations
What if an entity is not covered and does not collect any sensitive personal information, but receives sensitive health-related information from another business? This is where the rules get murky. The safest course is to insist that the entity from whom information is obtained represents and warrants in a contract that the individuals to whom the information relates affirmatively agreed to allow the collector to transfer sensitive personal information to unaffiliated third parties for the stated purposes for which the information will be used. The information provider should also indemnify any costs (including reasonable attorneys' fees) that might be incurred as a result of action or threatened action relating to receipt and use of the information. This will provide some protection from a private lawsuit, but will provide no protection from exposure to a regulatory action.
To guard against that, the safest course is (in addition to the contractual provisions described above) to require the entity who is providing the information to show all representations made to consumers. These include the online or offline pages where consumers provided their information and any then-effective privacy policy of the collector covering uses consistent with the reason the consumer provided the information. Look for clear and conspicuous notice of any uses inconsistent with the reason the consumer provided the information and, at a minimum, an easy-to-see, easy-to-read and easy-to-understand opportunity to opt out. Under all circumstances, ensure that the collector honors all consumer opt-out requests.
Conclusion
Congress and federal agencies are increasingly focusing on privacy in general, and on the privacy of sensitive personal information in particular. Now is the time to determine whether a business has collected or received such information and, if so, to understand which regulatory framework governs its activities and to ensure that the standards within that framework are being met.
D. Reed Freeman Jr. is a partner in the competition group of Collier Shannon Scott in Washington, DC. He counsels clients on a wide range of consumer-protection issues, including privacy, information security, advertising and consumer-credit law. He is a member of E-commerce Law & Strategy's editorial advisory board. Alysa N. Zeltzer is an associate at Collier Shannon Scott.