What follows is my own understanding of the HIPAA Privacy Rule, which leads to my conclusion that it does not apply to Scout troops. This isn’t legal advice; it’s just something that seems obvious to me after reading the text of the regulation itself. It would be a rare troop indeed that would somehow fall under HIPAA’s Privacy Rule. Even though Scoutmasters should not worry about jumping through HIPAA hoops, Scoutmasters should still keep confidential the medical records of individual Scouts, just as they always have. Also, Scoutmasters should give more attention to the possibility that HIPAA paranoia will indirectly affect troops by, for example, preventing some health care providers from talking to a Scoutmaster about a Scout’s condition if the Scoutmaster has to bring the Scout in for care from a Scout activity. Even though HIPAA does not prohibit the doctor from telling the Scoutmaster how to take care of the Scout upon release, some people just can’t grasp that the law does allow such a commonsense discussion. Releases and permission slips may be more important than before, to deal with such situations.
Congress passed the Health Insurance Portability and Accountability Act in part to reduce the cost of health care by creating “Administrative Simplification” requirements. These optimistically titled requirements were intended to deal with the confusing welter of claims forms and codes used by the various health care providers and plans across the country, by requiring use of standardized forms and codes for electronic claims processing. As part of this effort, Congress felt it needed to address security and privacy issues related to the transfer of medical information. However, Congress never passed a specific privacy law. Instead, it left it to the U.S. Department of Health and Human Services to promulgate a privacy regulation. Most of the “Privacy Rule,” found at 7 C.F.R. Parts 160 and 164, became effective on April 14, 2003.
The Privacy Rule requires “covered entities”—health care providers that transmit protected health information electronically, health care plans, and health care clearinghouses (centralized claims processing facilities)—to use privacy policies, along with such things as staff training on those policies and physical security of records, to keep private what the law calls “protected health information.” The Privacy Rule does not apply to entities that are not “covered entities.” Covered entities can use protected health information with minimal restrictions for treatment purposes, and with few restrictions for billing and health care operations purposes (in-house training, quality control, etc.). Other uses of protected health information are possible, such as listing a patient’s name in a hospital directory. However, a covered entity cannot use protected health information in such ways without at least notifying the patient that the entity will use the information that way, and in some cases getting express authorization. Making sure patients know how their information may be used, and what their privacy rights are, leads to the aspect of the Privacy Rule many patients have already encountered: the Notice of Privacy Practices.
Covered entities must now notify patients of their privacy rights and of the entity’s policies regarding use of protected health information. This typically comes in the form of a printed Notice of Privacy Practices that is either mailed to the individual or handed to them at their next visit. Such a notice will usually paint with the broadest possible brush the picture of the ways in which protected health information may be used. It will also explain—among other things—that an individual may receive confidential communications regarding medical appointments, request specific restrictions on disclosure of records, receive a list of all non-routine disclosures, inspect her records, and add amendments to a record, all to the extent allowed by law.
Because the Privacy Rule includes civil and criminal penalties for noncompliance, the health care industry is eager to comply. However, since the regulation is a bit complex, there is considerable confusion about who it applies to and what they are required to do to protect privacy. This has caused frequent overreaction in which health care personnel try to take the safest possible path. Unfortunately, this leads to such foolishness as—to use a few real-life examples of things not required by the Privacy Rule—refusing to discuss medical matters with a patient’s family members or to let them pick up a prescription without the patient’s express authorization, requiring individuals to sign a privacy form to get medication for their dog, agreeing to a HIPAA consultant’s suggestion that bulletproof glass needs to be installed around medical records areas, requiring anyone with whom a provider interacts to sign a business associate confidentiality agreement, and demanding a patient sign written authorization to allow a doctor to consult with a specialist about the patient’s condition. Perhaps notices of privacy practice should state that noncovered entities (most day cares, schools, Scout troops, nutrition programs like WIC, etc.) need not worry about HIPAA; that patients can have their records sent nearly anywhere they please (although sometimes without privacy protections following those records); that the doctor, pharmacist, or whoever else should usually be willing to discuss medical conditions with friends and family as needed to help the patient; and that the billing department often can discuss billing matters over the phone. Hopefully, people will figure this out.
It bears mention that other state and federal laws, professional ethical standards, and so forth still bear on confidentiality obligations. Some of these may provide more stringent privacy protections than the Privacy Rule.
The Privacy Rule itself is available online at http://www.hhs.gov/ocr/combinedregtext.pdf. A relatively short summary of the rule is at http://www.hhs.gov/news/facts/privacy.html and a more detailed summary is at http://www.hhs.gov/ocr/privacysummary.pdf. Links to specific information about the Privacy Rule are at http://www.hhs.gov/ocr/hipaa/. There is a tool at http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp for determining whether an entity is a covered entity. Information on the relationship between HIPAA and public health concerns in particular is at http://www.cdc.gov/mmwr/pdf/other/m2e411.pdf.
Created by Paul Wake.
Last updated September 10, 2003.