CorrectCare

Controversy, Confusion Herald HIPAA
By Debi Orr and David Hellerstein, MD, PhD

The privacy provisions of the federal regulations that implement the Health Insurance Portability and Accountability Act of 1996 represent a tremendous challenge for correctional institutions, but the exact nature of the challenge remains a source of controversy and confusion.

Many correctional systems and institutions are uncertain whether HIPAA’s requirements apply to them—that is, whether they fit the definition of a covered entity under terms of the act. Adding to the confusion, institutions that acknowledge "covered entity" status differ widely in their interpretations of the impact of HIPAA, as well as the steps they must take to assure compliance.

The privacy rules have been a moving target. HIPAA required Congress to prepare rules to guide covered entities in complying with its requirements, but when Congress failed to act, the Clinton administration released the privacy rules on Dec. 28, 2000, at the 11th hour of its term, to become mandatory on April 14, 2003.

The privacy rules were strongly criticized by both the health care industry and public interest groups, so the Bush administration reopened the rule-making process. The result was a "guidance," issued by the US Department of Health and Human Services last spring, and new proposed modifications to the HIPAA privacy regulations, released on March 27 of this year [2002]. The timing is significant because it gives HHS just enough time to gather public opinion and publish a final rule to take effect by the mandatory compliance date in April 2003.

The proposed modifications of the privacy rule are viewed by many in the health care industry as a kinder, gentler approach to assuring patient privacy. A presumption of guilt in the old privacy rule has been replaced by a presumption of innocence and, in many cases, the proposed rule now relies upon the judgment of the health care provider. Nevertheless, the requirements are demanding and far-reaching, and will impact the operations and finances of health care providers and payers for many years to come.

Sorting It Out
What does all this mean for departments of corrections and what are correctional institutions doing in preparation? HIPAA’s privacy requirements under the old rule were discussed in CorrectCare last year (Fall 2001, page 8), and little has changed for correctional institutions between the publication of the final privacy rule nearly two years ago and the release of the proposed changes in March.

The reason is simple: Correctional institutions were already exempt from most sections of the rule that have changed. Correctional institutions that are covered by HIPAA must still appoint a privacy official, must still develop and implement policies and procedures to assure the privacy of an inmate’s health information, must still train staff in these policies and procedures, and under most circumstances must still allow inmates access to their medical record.

The most significant changes that HHS has proposed are in the area of general consent and notification of privacy practices. Under the old privacy rules, a health care provider could not use a patient’s protected health information (PHI) for purposes of treatment, payment and health care operations without first obtaining a written, general consent for these uses. Providers also were required to provide patients with notification of their privacy practices.

Under the new rules, the consent requirement for use of PHI is eliminated while the notice requirements are significantly expanded. However, inmates are specifically excluded from the general consent and the privacy practice notification requirements, both in the old rule and under the proposed changes, so these changes should not affect correctional institutions’ HIPAA preparation activities.

Some Welcome Relief
There are a few areas in which correctional institutions will see some relief, particularly with respect to parolees and business associates.

Under both the old and proposed rules, an inmate regains all privacy rights when he or she is paroled. Under the old rule, if a physician needed access to a parolee’s institutional health record, the institution could not release that record without first giving notice to the parolee of its privacy practices and then obtaining a written general consent, even if the request was received months or years after the date of parole. When the proposed modifications take effect next April, the institution must only make a good faith effort to notify the parolee of its privacy practices, and in the case of an emergency, notice can be delayed until reasonably practical. No consent is required.

Other proposed changes that will help correctional institutions include up to a one-year delay in updating contracts with business associates to include privacy protections. This will give correctional institutions some control over which of their components must be brought into compliance with HIPAA’s privacy requirements, and will insulate custody and security functions unrelated to health care from these requirements.

Standard Transactions
Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of transmissions:

1. Health care claims or equivalent encounter information
2. Health care payment and remittance advice
3. Coordination of benefits
4. Health care claim status
5. Enrollment and disenrollment in a health plan
6. Eligibility for a health plan
7. Health plan premium payments
8. Referral certification and authorization
9. First report of injury
10. Health claims attachments
11. Other transactions that may be prescribed by regulation

What About You?
Before embarking on an expensive HIPAA compliance assessment and plan, each correctional health care system and each correctional institution must determine whether it is a covered entity. This is a critical question, and one that may be difficult to answer. Covered entities are health plans, clearinghouses or providers who transmit any health information in electronic form in connection with one of 10 standard transactions defined by HIPAA (see "Standard Transactions" above).

Taking these criteria one at a time, correctional institutions are not health plans established to pay the cost of care, according to official explanations of the regulations, nor do they perform clearinghouse functions. However, since inmates have a constitutional right to health care, all correctional institutions must function as providers, either directly or by contracting with others. A provider becomes a covered entity when it transmits health information in electronic format, in connection with a standard transaction.

To determine if you are a covered entity under HIPAA you must answer this question: Does my institution transmit health information in electronic form in connection with a standard transaction?

For many institutions the answer will be no because, in general, standard transactions occur between providers and insurers. Most correctional institutions are self-insured and self-pay, so they do not engage in standard transactions and therefore are exempt from covered entity status.

The proposed modifications to the privacy rule also clarify that employment records, even those containing health care information, are excluded from HIPAA protections, even if the employer is a covered entity.

Survey of State DOCs
As the California Department of Corrections begins to prepare for HIPAA compliance, we are grappling with a number of questions.

  • What is our covered entity status?
  • How far are our institutions from compliance, and what steps must be taken to close the gaps?
  • Should our remediation efforts be managed in-house, or should we outsource to a consultant?
  • Do we have funds available for these efforts?

To help answer these questions, we conducted a nationwide survey of state prison systems to evaluate their view of HIPAA’s relevance to their operations and to explore how different states were managing their approach to compliance. The survey was conducted by questionnaire via telephone, with a follow-up e-mail to verify each DOC’s HIPAA status. We received responses from all 50 states.

Results
Survey results are summarized below. Our analysis of these results is based upon definitive yes or no responses. Uncertain responses are included only where explicitly indicated.

If there is one word that sums up the survey results, it is "uncertainty." States are unsure about:

  • Their covered entity status (36%)
  • Whether they will perform a risk assessment (28%)
  • Whether compliance will be handled in-house or contracted out to a vendor or consultant (32%)
  • Whether they will be impacted by transaction standards (40%)

Covered States
Study respondents identified their states as covered or noncovered, but we recognize that these assertions remain to be validated.

Across the country, about half of the states identify themselves as covered entities, and fewer than 1 in 5 has taken the bold step of declaring itself not covered and not directly subject to HIPAA.

However, even state correctional systems that are not covered entities may be forced to comply if they share protected health information with business associates who are covered entities. This follows from HIPAA’s requirement that covered entities execute privacy contracts with their business associates, in effect extending HIPAA’s reach beyond covered entities to all entities exchanging protected health information.

Our study found that...

  • Approximately half (46%) of states said they are covered entities.
  • Fewer than 1 state in 5 (18%) is noncovered.
  • More than 1 state in 3 (36%) is unsure.

Availability of Funding
The one area of certainty is that funding to implement the privacy requirements will be hard to find:

  • 62% of states have no funding available for HIPAA compliance.
  • Only 14% are unsure about the availability of funds.

Availability of funds appears to have little impact on a state’s determination of its covered entity status. The percentages of covered states and noncovered states that have access to funding are identical: 22%.

Impact of Privatization on Status
Study results support the idea that some states believe privatization of medical care may shield them from HIPAA compliance requirements.

  • 40% of states are not privatized.
  • 38% are fully privatized.
  • 22% have a mixed private/public model.
  • Only one-third of fully privatized states acknowledge covered entity status, compared to just over half of states with no privatization.

Privatization affects the path pursued by entities in regard to compliance. Although some of the state representatives we talked to believe that outsourcing medical services exempts them from HIPAA, this opinion is not universal and may be a risky course. A provider furnishes health care. Even if a prison system accomplishes this through contracts with others, an argument can be made that the prison system is still a provider and subject to HIPAA. This may explain why almost one-third of states with fully privatized correctional systems have identified themselves as covered entities.

Who’s Doing a Risk Assessment?
Covered states have been more proactive than others in their preparations, with 70% of covered states reporting that they are performing a risk assessment. How they will fund the work is a big question, since most of them lack funding for HIPAA compliance. Risk assessments were reported by ...

  • 44% of all states
  • 70% of covered states
  • 22% of noncovered states
  • 22% of states unsure about their covered entity status

The large difference between covered and noncovered states could have been anticipated. Why do a risk assessment if you are not subject to HIPAA and not at risk?

It may come as a surprise that any noncovered states are performing a risk assessment. Perhaps states claiming exemption from HIPAA are laying the groundwork for compliance should this claim be denied. Moreover, there may be pressure from business associates who are covered entities, since they must write contracts to extend HIPAA protections from covered entities to their noncovered business associates.

Transactions and Code Sets
An area of much confusion relates to HIPAA’s requirements concerning transactions and code sets.

  • 38% of all states believe that transactions and code sets apply to their operations.
  • Of the 23 states that identified themselves as covered entities, only 30% responded that transactions and code sets apply.
  • Despite the fact that a provider becomes a covered entity only if it transmits standard transactions electronically, fully 58% of the 19 states that say they are not impacted by the transactions and code set requirements believe that they are covered entities.

Contractors
Perhaps because of lack of funding, few respondents said they’d be using a contractor to help them gain compliance with the privacy rules.

  • Only 1 state in 4 said they will use a contractor or consultant.
  • Although almost 40% of covered states will be using a contractor, only 1 (11%) of the 9 noncovered states will do so.

Summing Up
The privacy provision of the Health Insurance Portability and Accountability Act of 1996 will become mandatory early next year. Correctional institutions are struggling to determine the relevance and applicability of HIPAA to their health care operations, and uncertainty surrounds this struggle. But one thing we know for sure: Few state correctional systems have set aside funds to support compliance efforts.

About the Authors: Debi Orr and David Hellerstein, MD, PhD, work for the Health Care Services Division of the California Department of Corrections, Sacramento. Orr is an associate governmental program analyst and HIPAA coordinator. Hellerstein is a physician and surgeon who serves on the quality management assessment team. For more information about the study, contact Orr at DOrr@healthcare.corr.ca.gov.

[This article first appeared in the Fall 2002 issue of CorrectCare.]

 