
GENERAL HIPAA QUESTIONS


Q. Who must comply with these new HIPAA privacy standards?

A. As required by Congress in HIPAA, the Privacy Rule covers:
  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called “covered entities”) are bound by the new privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions.


Q. Are the following types of insurance covered under HIPAA: long/short term disability; workers' compensation; automobile liability that includes coverage for medical payments?

A. No, the listed types of policies are not health plans. The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
  • Coverage only for accident, or disability income insurance, or any combination thereof.
  • Coverage issued as a supplement to liability insurance.
  • Liability insurance, including general liability insurance and automobile liability insurance.
  • Workers’ compensation or similar insurance.
  • Automobile medical payment insurance.
  • Credit-only insurance.
  • Coverage for on-site medical clinics.
  • Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.



Q. Must an Authorization include an expiration date?

A. The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire "one year from the date the Authorization is signed," "upon the minor’s age of majority," or "upon termination of enrollment in the health plan." An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.



Q. Are State, county or local health departments required to comply with the HIPAA Privacy Rule?

A. Yes, if a State, county or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity. For example, a state Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities. For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 CFR 160.103.



Q. Does the HIPAA Privacy Rule preempt State laws?

A. The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include cases in which the State law (1) relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

It is important to recognize that only State laws that are "contrary" to the Federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law.



Q. Can the fact that a patient has been "treated and released," or that a patient has died, be released as part of the facility directory?

A. Yes. The fact that a patient has been "treated and released," or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed.
 

Main Office (800) 836-3450 Fax (717) 795-6204 srs@srsrehab.com