Risk Management

Clinton Privacy Rules May Reach Into Corporate Pockets

Employers must get employee permission before giving out medical data.
Michelle GabrielleJanuary 19, 2001

A warning to all employers: mum’s the word on your employees’ medical data.

The punishment for simply giving out such data without a worker’s permission may be as severe as paying out $50,000 and spending a year in prison. That’s one of the penalties mandated under the new medical privacy rules that are one of President Clinton’s last hurrahs.

If, however, an employer obtains or discloses protected health information under “false pretenses,” the maximum penalties rise to $100,000 and up to five years in prison. And if the company obtains such data “with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm,” the top penalties rise to $250,000 and up to 10 years in prison.

“If someone requests information, before giving it out, you better be sure you have permission,” warns Eileen T. Boyd, senior manager at KPMG Corporate Communications in Washington D.C.

Even if an employer gets an employee’s permission, the employer should only answer what’s asked. “The whole point is to make sure that you are always disclosing [a] minimum amount of information,” advises Boyd.

Announced on Dec. 20, 2000, the rules aim to protect the privacy of Americans’ health records — paper, oral and electronic. As required by HIPAA (The Health Insurance Portability and Accountability Act of 1996), the rules require all entities and medical practitioners—including doctors, nurses, insurance companies, or employers—to obtain permission from patients before disclosing their medical information. Click here to read a complete outline of the new rules.

The Clinton administration estimated that it would cost $17.6 billion over 10 years for the health care industry and employers to comply with this rule. But eliminating paperwork and filing claims electronically could offset the costs by $30 billion in savings, the administration claims.

Despite the costs, employers might benefit from indirect gains. Before the rules were established, for instance, some employers may have been burdened by excessive absences and health insurance costs incurred by employees who, out of fear that their medical records would be disclosed to the company, waited too long to go to the doctor. The rules might dispel some of that fear.

Nevertheless, there will be work for employers to do in assuring that they comply with the rules. “Training and education is going to be very important,” says Boyd. Employers are going to have to establish specific medical- privacy procedures and clearly disseminate them to employees who may have access to other workers’ medical information.

If an employer works with a third-party administrator [TPA] handling employee medical claims, for example, “you are going to be considered a business partner [of the claims handler], a repository of coverage information,” says Boyd.

Employers will have to assure that their own computers are secure and “that the people at the computers realize the significance of the rules,” she adds. Employers must also make sure that the TPA’s operations are secure.

One way for employers to comply efficiently is to create a preliminary form for their employees to sign that authorizes employers or supervisors to access employees’ records, even if a request by a third party has not been made, according to Boyd.

“However,” she notes, “be aware that under the rules, an individual is also permitted at any time to change his or her mind” and take back the initial agreement.

In that case, the employer should ask the employee for permission each time it seeks access to medical records.

As few employees as possible should have access to their co-workers’ information. “Employers are going to have to put in alternative and more efficient business practices to monitor information that they provide to and receive from any individual or organization,” says Boyd.

Another possible efficient way to deal with the rules is to install software to make sure that compliance is continual. One such system is hypersend, “a HIPAA-ready, data-transfer solution,” according to Matt Gray, co-founder and president of Monroe, Michigan-based Hilgraeve Inc., which sells the software.

To insure privacy control, large businesses that require TPAs to handle their medical claims or compensation are already using services such as hypersend.

With the use of such software, although the information is being exchanged between employers and insurance companies electronically, asserts Gray, “it cannot be intercepted by other parties as it flows through the Internet.”

Hypersend sends data directly to designated recipients by means of a secure data channel. All deliveries are encrypted and can be tracked to confirm the identity of the recipient and the time the data is received. To use the software, a Windows PC, an Internet connection, and a Web browser are needed. Deliveries can be sent, received, and tracked.

If employers can insure privacy electronically, they can eliminate the need for physical exchanges of information such as faxing, packaging, and mailing, as well as the need for labor to carry out the exchanges. Thus, both time and money are saved.

“Generally, I believe that the health-care providers will probably take the lead in implementing electronic means of exchanging information. But employers will surely benefit from that,” Gray says.