HIPAA Privacy Rule Compliance: Can you pass the test?
The new federal rules governing the privacy of health
information ("Privacy Rules") have been
in effect for about six months now, but there still
is a learning curve for the health provider and health
insurance industries as everyone discovers how these
rules affect their everyday operations.1
This article first provides background on the Health
Insurance Portability and Accountability Act of 1996
(HIPAA), the legislation that led to implementation
of the Privacy Rules, and a brief summary of the Rules.
The article then tests your knowledge of key Privacy
Rule compliance issues by presenting an imaginary
set of facts raising these issues and asking a series
of multiple choice questions. The article discusses
the issues raised by each question and provides the
answer.
Good luck. Don't cheat.
Background and Introduction
The stated purpose of
the Administrative Simplification provisions of HIPAA
is to improve the efficiency and effectiveness of
the health care system through establishment of standards
and requirements for electronic transmission of certain
health information. Electronic transmission of sensitive
information raised privacy concerns, so HIPAA contained
a provision that gave Congress until August 21, 1999,
to pass comprehensive privacy legislation. When Congress
failed to do so, the law required the Department of
Health and Human Services ("HHS") to create
privacy protections by regulation. HHS developed the
Privacy Rules, a comprehensive regulatory scheme to
control disclosure of protected health information.
Although the Privacy Rules are the focus of this article,
HIPAA's administrative simplification scheme involves
at least three other sets of regulations: (i) electronic
transaction standards; (ii) electronic data security
rules; and (iii) national identifiers.
Entities subject to
the HIPAA Privacy Rules (called "covered entities"
by the Rule) include health plans, health care clearinghouses,
and health care providers, if the providers transmit
health information electronically in connection with
a "standard transaction." Standard transactions
are certain financial and administrative transactions
associated with health care claims or their processing,
which HIPAA requires to conform to specified electronic
formats.
The Privacy Rules require
covered entities to adopt comprehensive privacy policies
and procedures to safeguard protected health information
and to inform and preserve the rights of the individuals
who are the subjects of protected health information.
"Protected health information" or PHI is
information that may identify an individual and relates
to the past, present, or future physical or mental
health condition of that individual; the provision
of health care to that individual; or the past, present,
or future payment for such health care.
The central requirement
of the Privacy Rules is that a covered entity may
not use or disclose PHI, except as authorized by the
patient or permitted or required by the Privacy Rules.
The regulations allow a covered entity to use or disclose
PHI without written consent or authorization from
the patient to carry out treatment, payment, or health
care operations. Health care operations are certain
business activities that include obtaining legal,
accounting or practice management services; performing
quality assurance, utilization review, or internal
auditing; and providing educational or training programs.
Uses and disclosures for purposes other than treatment,
payment or health care operations are permissible
if they are expressly permitted or required under
the Privacy Rules or if the covered entity obtains
the individual patient's written "authorization."
In addition, when using or disclosing PHI, the covered
entity must make reasonable efforts to disclose the
"minimum necessary" PHI to accomplish the
intended purpose, except when treating the individual
or when authorization has been granted.
The Privacy Rules do
not preempt all state laws relating to medical privacy.
HIPAA provides a "baseline" for medical
privacy that can be further tailored at the state
level. If the states' regulations are more restrictive
than those recommended by HIPAA, state regulations
control. If the state regulations are more permissive,
then HIPAA is the appropriate standard.2
Covered entities are
taking HIPAA compliance seriously, as they are subject
to investigations and enforcement actions by the HHS
Office of Civil Rights, discussed in more detail below.
Although HIPAA does not authorize private actions
for violations of the Privacy Rules, the regulations
create duties of care with respect to PHI, and violation
of the Rules undoubtedly will be used as a basis for
state law tort actions.
The Scenario
Patient is a 25-year-old
man who was riding his motorcycle when he collided
with a car owned by Passenger and driven by Driver.
Following the accident, the police investigate the
scene, and Patient, who is unconscious, is taken to
Hospital Emergency Department by ambulance. The Ambulance
Provider leaves its Notice of Privacy Practices with
the Emergency Department to give to Patient, as well
as forms for the Hospital to complete so that Ambulance
Provider can bill Patient's insurance company for
emergency services.
The police are able
to identify Patient at the accident scene and notify
his parents, who arrive at the Emergency Department
about one hour later. Patient's mother asks for Patient
by name and is told that he has been taken to surgery.
Mother gives billing clerk Patient's insurance information.
The Emergency Department Physician meets with Patient's
parents and tells them the known extent of Patient's
injuries and prognosis of condition.
The local newspaper
investigates the accident and learns that Patient
is a notorious professional hockey player. A reporter
calls the Hospital and states he is writing an article
about the collision. Reporter asks about Patient's
condition. Reporter also states he understands that
Driver might have been intoxicated and asks the hospital
representative to confirm this.
Patient is covered by
Insurance Company through an employer sponsored preferred
provider benefit plan. Hospital is under contract
with Insurance Company as a preferred provider. Insurance
Company requires preauthorization for admissions,
so Hospital medical staff faxes medical information
with a preauthorization form to Insurance Company's
offices.
Patient has a lengthy
hospital stay, and Utilization Management ("UM")
Nurse at Insurance Company asks for medical records
to document the medical necessity of Patient remaining
hospitalized. UM Nurse reviews the records and takes
them to the office of the Insurance Company's Medical
Director to discuss the matter, leaving the door to
the office open. A Credentialing Specialist happens
to be passing by the office and stops in his tracks
when he hears Patient's name and briefly listens to
the conversation. He believes that Patient may be
his old friend and fraternity brother from college,
and he becomes very concerned.
Credentialing Specialist
checks his training materials and realizes he can't
disclose Patient's PHI outside the company. That evening,
he calls another old fraternity buddy and asks if
he has heard about "anything happening"
to Patient. The friend tells Credentialing Specialist
about the accident and Patient's current medical condition,
and gives him the telephone number of Patient's parents.
Credentialing Specialist calls their home and offers
to help in any way he can. Over the next few weeks,
he starts cutting Parents' lawn, running errands,
and visiting his old friend. Very grateful, Parents
allow Credentialing Specialist to use their season
tickets for home football games at Patient and Credentialing
Specialist's alma mater.
After a lengthy hospital
stay, Patient's parents admit Patient to a Nursing
Home, where he remains in a semi-vegetative state.
The Nursing Home asks Hospital to fax a copy of Hospital's
treatment records to Nursing Home.
One of Patient's treating
physicians at the hospital, an internist, is also
Patient's personal physician. Personal Physician files
a claim with Insurance Company for his services, and
Insurance Company's UM Nurse calls Personal Physician's
office and requests a list of specific medical records
to document care provided for particular services.
Patient had rarely been sick prior to the accident,
and Personal Physician's Billing Clerk decides to
just copy Patient's entire medical record and let
the UM Nurse find what she wants in the file.
Parents subsequently
become co-guardians of Patient's person and estate,
and sue Driver and Passenger for causing personal
injury to Patient. Parents' attorney writes both Hospital
and Nursing Home for Patient's complete medical records.
With the request for records, attorney encloses an
authorization signed by both Parents along with an
affidavit that Parents are Patient's next-of-kin.
Nursing Home forwards the Request for Records to its
attorney to review for validity of the authorization.
Attorney tells Nursing Home Administrator to not release
the records until Attorney can obtain evidence of
Parents' legal power to authorize disclosure.
The next day, a person
claiming to be Parents' attorney shows up at the Nursing
Home asking for Patient's records. While there, he
corners Nurse's Aide and asks her about the quality
of nursing care Patient is receiving. He tells her
he has an authorization on file allowing him to talk
to her. Nurse's Aide refers him to Nursing Home's
Privacy Officer.
Driver's attorney subpoenas
Patient's records from Hospital and Nursing Home,
and then, upon request by Passenger's attorney, gives
a copy of Patient's records to Passenger's attorney.
During Patient's nursing
home stay, Parents tell Nursing Home Administrator
that staff members are not providing the necessary
therapy, and consequently, Patient is not making the
progress Parents believe is possible. Mother asks
for a copy of Patient's medical records.
Based on Mother's complaint,
Administrator conducts an investigation and files
a report of alleged neglect with the State Survey
Agency. Surveyors come to the facility and ask to
see all Patient's records. In addition, they ask to
see all investigation reports involving neglect by
Nurse. As they are leaving, the surveyors encounter
a person alleging to be Parents' attorney, who asks
them for a copy of their written findings.
Nursing Home's internal
investigation shows that Nurse has not been providing
Patient's therapy as ordered by Patient's physician.
When questioned by Administrator, Nurse explains that
she has been distracted from her job duties because
she is involved in a fierce child-custody suit with
her ex-husband. The Administrator now understands
why she received a subpoena from Ex-husband's attorney
requesting Nurse's personnel records, including Nurse's
medical information maintained by the Nursing Home.
When Ex-husband's attorney shows up at the Nursing
Home to collect Nurse's personnel records, Clerk unwittingly
gives him Patient's records, believing him to be Parents'
attorney.
When Ex-husband's attorney
realizes he has Patient's records, he sends Parents
a letter of condolence along with his business card.
Parents are very angry about the disclosure of Patient's
records to Ex-husband's attorney.
Parents also are very
upset about an unexpectedly large bill from Hospital,
showing no payment at all from Insurance Company.
Parents, feeling overwhelmed at this point, ask Patient's
older sister to figure out why Insurance Company hasn't
paid. Sister drives to Insurance Company's offices
and demands to see someone who can tell her why her
brother's claims are not being paid. Before talking
with her, Customer Services Manager asks to see Sister's
driver's license, then calls and speaks with Mother,
with whom she has spoken on several occasions and
whom she knows to be Patient's Personal Representative
because of documentation received by Insurance Company.
Mother provides Patient's account number and social
security number, verifies Sister's identity as a sibling
of Patient and indicates that she wants Insurance
Company to discuss the claims issue with Sister. Customer
Services Manager researches the matter and tells Sister
that Insurance Company has not received a claim for
the days of service covered by the Hospital's bill.
Sister then demands to see "every piece of paper
you have about my brother." Customer Services
Manager tells Sister that this request must be in
writing, and that producing the records could take
at least 30 days. Sister fills out a request for access
to the records and leaves.
Upon review of the investigation
of alleged neglect, Nursing Home's Quality Assurance
Committee decides to hire Consultant to investigate,
further, Nurse's care of residents in the Home. Consultant
comes to Home and reviews all records pertaining to
residents under Nurse's care. Consultant also interviews
staff who have worked with Nurse, and residents who
reside on Nurse's assigned wing, or their families.
Consultant completes her investigation and writes
a report of findings with recommendations to the Quality
Assurance Committee.
The Test
NOTICE OF PRIVACY PRACTICES AND ACKNOWLEDGEMENT
1. Ambulance Provider acted properly in leaving
its Notice of Privacy Practices for the unconscious
Patient with Emergency Room.
a. False, because Emergency Room is not the patient.
b. True, if Emergency Room agrees to make the Notice
available to Patient, and Ambulance
Provider documents why it did not receive an acknowledgment
of the Notice from Patient.
c. False, because Ambulance Provider did not obtain
an acknowledgment from Patient
or Patient's personal representative.
d. Both a. and c.
Overview of issues.
With very few exceptions, such as inmates, patients
have a right to know how a covered entity will use
and disclose PHI, and what the covered entity's legal
duties are regarding PHI.3 Notice is given
in a written document, usually called a "Notice
of Privacy Practices," upon the patient's first
encounter with the covered entity. The Privacy Rules
dictate specific content of the Notice and PHI may
not be disclosed in any manner that is inconsistent
with this Notice. The Notice must be made available
to all patients initially and upon a material revision.
As if this were not enough, health care providers
also must make a good faith effort to obtain a written
acknowledgement from patients that they were offered
a copy of the Notice. If the covered entity is unable
to obtain this acknowledgement, it must document the
reasons no acknowledgement was obtained. Health plans
do not have to obtain this acknowledgement.
In this case, the Ambulance
Provider, Hospital, and Nursing Home and any other
providers involved in Patient's care, such as pharmacies
or therapists, all must offer the patient a copy of
their respective Notices and make a good faith attempt
to obtain an acknowledgment. Insurance Company would
have been required to provide the Notice at Patient's
initial enrollment into its plan, but would not have
had to obtain an acknowledgment.
Correct Answer: b.
In an emergency, the covered entity must provide the
Notice as soon as practicable after emergency treatment.4
The Ambulance Provider left a copy of the Notice with
the Emergency Department, and this is permitted by
the Rules, if the Emergency Department agrees to make
the Notice available to the patient. As an alternative,
the Ambulance Provider could mail the Notice to Patient's
last known address. The Ambulance Provider is not
required to obtain an acknowledgment if the encounter
is an emergency.5
The Privacy Rules do
not prohibit covered entities from distributing their
Notices as part of other mailings.6 For
example, Insurance Company may include its Notice
with its policy. A covered entity that e-mails its
Notice may include additional information in the e-mail,
as long as the Notice is not combined with an Authorization
form in the same document.7
USES & DISCLOSURES FOR FACILITY DIRECTORY PURPOSES
2. Which of the following disclosures would be
proper disclosures under the provisions on facility
directories in the Privacy Rules?
a. Emergency Room's Physician tells Mother that Patient
is in surgery.
b. Hospital spokesperson tells Reporter that Patient
is in serious condition, but provides
no other specifics.
c. Hospital spokesperson tells Reporter that Driver
was legally intoxicated according
to blood tests, but provides no other specifics.
d. Both a and b.
Overview of issues.
A covered entity may use or disclose PHI for directory
purposes as long as the patient is informed in advance
of the use or disclosure and has been afforded an
opportunity to agree or object.8 Provided
there has been no objection, if a person asks about
a patient by name, the covered entity is allowed to
disclose (a) the patient's location in the provider
facility; and (b) the patient's condition described
in general terms as long as it does not convey specific
medical information. In addition, members of the clergy
may have access to directory information, including
religious affiliation, even if they do not ask for
patients by name.
Correct Answer: d.
It is appropriate for the Emergency Department to
disclose that Patient was in surgery because Mother
asked about Patient by name. It is also appropriate
for a hospital spokesperson to give the newspaper
reporter general information about Patient's condition,
such as the statement in answer b. It is not appropriate,
however, for Spokesperson to disclose any other medical
information about Patient or Driver. The statement
regarding Driver's state of intoxication is PHI and
Hospital cannot disclose it under these conditions.
USES AND DISCLOSURES TO PERSONS INVOLVED IN PATIENT'S CARE
3. Which disclosures to family members were improper
under the Privacy Rule?
a. Emergency Department Physician's disclosure of
patient's health status to Parents.
b. The police department's disclosure to Parents that
Patient had been in an accident
and transferred to Hospital.
c. Insurance Customer Service Manager's disclosure
of claims information to Sister.
d. None of the disclosures were improper under the
Privacy Rule.
Overview of issues.
A covered entity may disclose to a family member,
other relative, or a close personal friend of the
patient, or any other person the patient identifies,
PHI that relates directly to that person's involvement
with the patient's care or payment of the patient's
care, if the patient is given an opportunity to object
to the disclosure and does not object.9
If the patient is not present or lacks capacity to
object to the disclosure, the covered entity may disclose
that information that is directly relevant to the
person's involvement in the patient's care, if, in
the exercise of professional judgment, the covered
entity determines that it is in the patient's best
interest to have this information disclosed.
Correct Answer: d.
None of these disclosures is improper under the Privacy
Rule. Because Mother is furnishing Patient's billing
information, hospital may disclose payment information
to Mother. Also, it is appropriate for Physician to
disclose to Patient's parents the nature of Patient's
injuries and Patient's prognosis. This disclosure
is in Patient's best interest, so that his parents
can make an informed consent to further treatment
and transfers.
Customer Service Manager
at Insurance Company also properly disclosed claims
information to Sister, after verifying Sister's identity
and involvement in payment for Patient's care and
verifying that Patient's Mother, his personal representative,
had no objections to the care.10 Personal
representatives are discussed below.
The police force is
not a covered entity governed by the Privacy Rules,
and so its disclosure is not improper because the
Privacy Rules do not apply.
NO AUTHORIZATION FOR TREATMENT, PAYMENT, HEALTH CARE OPERATIONS
4. Which of the following providers should obtain
a HIPAA-compliant authorization before disclosing
Patient's PHI in the following manner?
a. Ambulance Provider and Hospital before disclosing
records containing PHI when they
transfer Patient to another health care provider.
b. Hospital and Nursing Home before disclosing PHI
to their respective attorneys to
obtain legal advice on responding to the subpoenas,
because the lawyers are not
covered entities.
c. Hospital before disclosing PHI to Insurance Company
for preauthorization and medical
necessity determinations, because such disclosures
do not fall within the definition
of "health care operations."
d. None of the providers need authorizations to make
these disclosures.
Overview of issues.
A patient's authorization is not required for uses
and disclosures made for treatment, payment, or health
care operations ("TPO").11 This
is true, whether the use or disclosure is for the
covered entity's TPO or whether the covered entity
is disclosing it to another covered entity for TPO.
If the disclosure is for another entity's health care
operations, however, disclosure is permitted without
a patient's authorization only if both entities
had a relationship with the patient.
Correct Answer: d.
Ambulance Provider did not violate the Privacy Rules
when it left forms with the Hospital to complete so
that Ambulance Provider could seek reimbursement for
its services, because a patient's authorization is
not required for disclosures made for payment purposes.
Likewise, Hospital did not violate the Privacy Rules
by disclosing Patient's PHI to Nursing Home for treatment
purposes. The Arkansas Department of Health, however,
requires hospitals to obtain a "written consent"
from the patient or legal guardian for disclosures
of medical information.12 Because HIPAA
does not require a consent or authorization, Hospital
need not obtain a HIPAA-compliant authorization. Rather,
it may continue to use whatever form of consent it
had been using before April 14, 2003. "Authorizations"
are discussed below.
Neither Hospital nor
Insurance Company violated the Privacy Rules in the
Hospital's disclosure of medical records, and Insurance
Company's use of those records, to authorize Patient's
hospital admission or to review the medical necessity
of Patient's continuing hospital stay. Such uses and
disclosures are for payment purposes under the Privacy
Rule, not for health care operations.13
Hospital and Nursing
Home are permitted to disclose Patient's PHI to their
attorneys without an Authorization because this disclosure
falls within the health care operations exception
for conducting or arranging for legal services.14
MINIMUM NECESSARY
5. Which of the following disclosures violates
the minimum necessary rule?
a. Nursing Home's disclosures to Consultant, because
the PHI disclosed was not limited
to the PHI of patient, the alleged subject of the
abuse.
b. Disclosure by Personal Physician's office to Insurance
Company of Patient's entire
medical record, because the disclosure exceeded the
scope of PHI requested.
c. Hospital's disclosure to Nursing Home, if Hospital
did not provide the minimum PHI
reasonably necessary for Nursing Home to provide skilled
nursing care to Patient.
d. All of the above.
Overview of issues.
The Privacy Rules require covered entities to make
reasonable efforts to limit PHI to the minimum necessary
to accomplish the intended purpose of its requests
for PHI from other covered entities, or for its own
uses and disclosures.15 The minimum necessary
rule does not apply to requests or disclosures of
PHI by health care providers for treatment, disclosures
to the patient, uses or disclosures authorized by
the patient or personal representative, disclosures
made to the Secretary of the Department of Health
and Human Services, or uses or disclosures that are
required by law.
To meet its minimum
necessary obligation, a covered entity must identify
persons or classes of persons in its workforce who
need access to PHI to carry out their job duties and
then limit those persons' access to the minimum amount
necessary for their duties.16 The covered
entity may rely on representations that the request
for PHI is the minimum necessary if the request is
from another covered entity, public official, or a
professional who is a member of the covered entity's
workforce or a business associate and is asking for
records in order to provide professional services.17
However, a covered entity may not request, use or
disclose an entire medical record, except when the
entire medical record is specifically justified as
the amount reasonably necessary to accomplish the
purpose of the request, use or disclosure.18
Correct Answer: b.
Personal Physician's Billing Clerk violated the minimum
necessary standard by responding to a request for
specific records with disclosure of the entire medical
file. Billing Clerk would have been justified in sending
Patient's entire medical file only if he had received
a request from Insurance Company's UM Nurse that sought
the entire file and provided a specific justification
for why disclosure of the entire file was necessary.
Hospital's disclosure
of records to Nursing Home was for treatment purposes,
and the minimum necessary rule does not apply. However,
the minimum necessary rule does govern disclosures
to Nursing Home's workforce and to its business associates,
such as Consultant. The Nursing Home disclosed PHI
to the Consultant hired to help investigate Nurse's
behavior and actions towards all residents that she
cared for, not just her actions toward Patient. The
disclosures to Consultant were for quality assurance
purposes (which fall under health care operations)
and related only to the task she was contracted to
perform. The disclosures thus complied with the minimum
necessary rule.
ADEQUATE SAFEGUARDS
6. Which of the following statements are true?
I. UM Nurse and Medical Director did not violate the
Privacy Rules because they had
a reasonable expectation that Credentialing Specialist,
who had received training
and was an employee of the company, would not use
or disclose PHI improperly.
II. Credentialing Specialist did not violate the Privacy
Rules because he did not actually
disclose PHI outside Insurance Company.
III. UM Nurse and Medical Director violated the Privacy
Rules by not utilizing a physical
safeguard (shutting the door) that was available
to them.
IV. Credentialing Specialist may have received inadequate
training materials if the materials
emphasized only improper disclosure of PHI.
a. I and II
b. III and IV
c. II and III
d. I and IV
Overview of issues.
A covered entity must have in place adequate administrative
safeguards (such as training and policies), physical
safeguards (such as locked file cabinets and closed
or secure doors) and technical safeguards (such as
limiting access to computer files) to protect the
privacy of PHI from any intentional or unintentional
disclosure that would violate the Privacy Rule.19
A covered entity also must take reasonable steps to
safeguard PHI to limit incidental uses and disclosures
made pursuant to an otherwise permissible use or disclosure.20
As discussed above, a covered entity must determine
the minimum amount and types of PHI an employee needs
to perform his or her job duties and take steps to
limit the employee's access to PHI accordingly.
Correct Answer: b.
UM Nurse and Medical Director should have shut the
door to the Medical Director's office before discussing
Patient's PHI to prevent unintended disclosures to
other employees who did not need to know the information.
Indeed, some health plans may decide to bar or limit
the access of employees such as Credentialing Specialist,
who has no need for PHI relating to utilization management,
from the entire UM Department. HHS has emphasized
that what safeguards are reasonable will vary from
covered entity to covered entity, depending on the
size of the entity and the financial and administrative
burden of implementing particular safeguards.21
In any event, UM Manager and Medical Director must
take reasonable steps to protect their discussions
concerning PHI from others who do not need to know
the information to do their job.
Credentialing Specialist
was improperly trained if the training did not emphasize
that employees may not use PHI in any manner
inconsistent with their job functions or obtain
PHI unrelated to their job functions. Covered entities
should emphasize that this includes PHI learned about
friends or even family members. Credentialing Specialist
violated the Privacy Rules when he stopped and listened
to hear more information about Patient, and when he
used (and arguably indirectly disclosed) PHI to obtain
information from his other fraternity buddy and call
Patient's parents. Credentialing Specialist may have
had the best of intentions in doing this, and probably
believes that no harm could come from his actions.
His actions nevertheless violate the Privacy Rule,
and if Parents should learn that the person using
their football tickets obtained and used information
about their son improperly disclosed to him within
Insurance Company, Insurance Company may have to answer
to a significant Privacy Rule violation.
AUTHORIZATIONS
7. Which of the following disclosures would be
improper without a HIPAA-compliant authorization from
Patient or his Personal Representative?
a. Oral disclosures by Nurse's Aide to Parents' attorney,
if Parents are given the opportunity
to object and do not.
b. Disclosure by Hospital or Nursing Home of Patient's
medical records to Driver's attorney
who subpoenaed the records, if Driver provides satisfactory
assurances that Parents know
about the subpoena and do not object to release of
the records.
c. A disclosure by a surveyor to the person claiming
to be Parents' attorney.
d. None of the above disclosures would require a HIPAA-compliant
authorization.
Overview of issues.
A covered entity may not use or disclose PHI without
a HIPAA-compliant ("valid") authorization,
unless an exception applies.22 There are
many exceptions, but the more common ones include
the following: the use or disclosure is for TPO, required
by law, for public health activities, for health oversight
activities, for law enforcement purposes, and for
judicial and administrative proceedings. Some of the
exceptions have additional requirements, however,
and the Rule should be consulted.
The Privacy Rules define
the content of the authorization, and the Rules must
be consulted for the core terms.23 An authorization
is not valid, however, if (a) the expiration date
has passed or the expiration event has occurred; (b)
the authorization form has not been completely filled
out or is missing a required element; (c) the covered
entity knows that the patient has revoked the authorization;
(d) the authorization is an impermissible compound
or conditional authorization, as defined by the Rules;
or (e) the covered entity knows that a material representation
in the authorization is false.
Correct Answer: a.
Parents' attorney must present a valid HIPAA-compliant
authorization that includes the authority to obtain
oral disclosures from Nurse's Aide before he can interview
her. There is no evidence that attorney is directly
involved in Patient's care or payment for his care,
so an oral agreement by Parents would not be sufficient.
Alternatively, he could subpoena Nurse for a deposition
in the lawsuit. However, it is always easier to obtain
an authorization from the person you represent rather
than complying with the subpoena process, and the
minimum necessary rule does not apply to authorizations.
Requirements for subpoenas are discussed below. Nurse's
Aide drew from her Privacy Rule training24
and correctly referred the person claiming to be Parents'
attorney to Nursing Home's Privacy Officer,25
who can evaluate the situation and the authorization
the person claims to have on file.
Without ready access
to an authorization by the adverse party in the lawsuit,
Driver's attorney subpoenaed Patient's medical records,
and this question assumes he also has provided satisfactory
assurances that Parents know about the subpoena and
do not object. As discussed below, under these circumstances
no authorization is required.
The Survey Agency's
surveyor would violate other laws if she were to share
her survey notes with the person alleging to be Parents'
Attorney. However, the disclosure would not violate
the Privacy Rules because the Survey Agency, in its
role as a health oversight agency, is not a "covered
entity" and, therefore, is not governed by the
Privacy Rules.
PERSONAL REPRESENTATIVES
8. Which of the following is sufficient evidence
that Parents are the Personal Representatives of Patient,
as defined by Arkansas law?
a. The affidavit attesting that Parents are Patient's
next of kin is sufficient, as long as
the covered entity verifies each Parent's identity.
b. A power of attorney giving Parents power to act
on Patient's behalf in "all matters"
or in health care-related decisions, as long as it
is a durable power of attorney.
c. Letters of guardianship.
d. Both b and c.
Overview of issues.
When a patient's authorization is required to use
or disclose PHI, only the patient or the patient's
"personal representative" may authorize
the use or disclosure. A "personal representative"
stands in the shoes of the patient.26 To
determine if a person is a "personal representative,"
HIPAA looks to state law to determine whether a person
has authority to act on behalf of an adult, emancipated
minor, or deceased person. In Arkansas, attorneys-in-fact
operating under a power of attorney for health care;
health care proxies; guardians of the person; and
administrators or executors of a deceased person's
estate are personal representatives for the purposes
of the Privacy Rules. A covered entity may elect not
to treat a person as a personal representative if
to do so could endanger the patient; or if the covered
entity believes that the patient has been or may be
subjected to domestic violence, abuse, or neglect
by that person. To disclose Patient's PHI to Parents'
Attorney, Hospital and Nursing Home must ensure that
Attorney sent a valid authorization signed by Patient's
personal representatives. In addition, they must ensure,
by documentary evidence, that Parents are Patient's
personal representatives.
Correct Answer: d.
Assuming the authorization signed by both parents
is otherwise valid, the Hospital or Nursing Home would
still violate the Privacy Rules if either disclosed
Patient's PHI in reliance on the affidavit declaring
Parents as Patient's next-of-kin. The attorneys for
Nursing Home and Hospital should contact Parents'
Attorney, and ask for a copy of the Letters of Guardianship
or a durable power of attorney granting Parents the
authority to act on Patient's behalf in requesting
the records. Under Arkansas law, to remain valid after
the principal becomes incapacitated, a power of attorney
must state specifically that the grant of powers will
not be affected by subsequent disability or incapacity
of the principal.27 After receiving such
evidence, Hospital and Nursing Home may disclose the
PHI to Parents' attorney, and may charge a reasonable,
cost-based fee, including postage, for copying the
records.28
VERIFICATION OF IDENTITY OF
PERSON REQUESTING PHI
9. Which of the following statements are true?
a. Nursing Home may rely on an oral representation
that the person claiming to be Parents' Attorney
is telling the truth, because attorneys are professionals
and Nursing Home may reasonably
rely on their representations.
b. Nursing Home should not allow a person claiming
to be a surveyor into the facility
without presentation of some written identification
of the person's authority.
c. Insurance Company's Customer Service Manager cannot
rely on an oral representation
from Mother that Sister is who she says she is.
d. Both a and c.
Overview of issues.
Before disclosing PHI to a person not known to the
covered entity, the Privacy Rules require the covered
entity to verify the identity of the recipient.29
In addition, the covered entity is required to obtain
oral or written representations when representative
capacity is a condition of disclosure. Such representations
may be subpoenas, warrants, orders, or other legal
process; identification badges or letterhead identifying
public officials; or oral or written statements of
authority by public officials.
Correct Answer: b.
The Nursing Home must verify the identity of the surveyors
in a manner that verifies their representation of
the Survey Agency. At the very least, the Nursing
Home should verify by examining the surveyor's photo
ID badge and may also ask for a business card.
The Nursing Home also
is obligated to verify the identity of persons claiming
to be Parents' Attorney when that person comes to
the Home, and should not rely on an oral representation
alone. While there is no single way that this may
be done, the Nursing Home may ask the person to produce
a copy of the Authorization and Letters of Guardianship,
and also may ask for a business card or to examine
a photo ID card, such as a driver's license. If Clerk
would have verified the identity of the person to
whom she handed over a copy of Patient's records,
she would not have made the mistake of giving them
to Ex-husband's Attorney.
On the other hand, Customer
Service Manager at Insurance Company properly verified
the identity of Patient's Sister before discussing
claims information by asking for her driver's license
and calling Patient's Mother to verify Sister's relationship
to Patient and verifying that Mother, whom Customer
Service Manager knew to be Patient's personal representative,
had no objections to the disclosure. Customer Service
Manager knew Mother's voice, but also properly verified
her identity by asking for Patient's account number
and Social Security Number.
SUBPOENAS AND OTHER LEGAL PROCESS
10. True or False: Hospital and Nursing Home must
disclose Patient's records in response to the subpoena
issued by Driver's attorney.
a. True, because the law requires that Hospital and
Nursing Home comply with a valid
subpoena.
b. False, because HIPAA preempts state laws regarding
subpoenas.
c. False, if Driver's attorney did not provide a qualified
protective order or satisfactory
assurances with the subpoena.
d. False, because an authorization is always needed
in order to disclose patient records
for purposes other than treatment, payment or health
care operations.
Overview of issues.
Generally, when PHI is requested in a legal proceeding,
the Privacy Rules allow a covered entity to release
the information only under one of the following circumstances:
(1) pursuant to a court or administrative order or
similar directive;30 (2) receipt of a subpoena
and HIPAA-required "satisfactory assurances"
from the requesting party; (3) pursuant to a HIPAA-compliant
authorization; or (4) under the protections of a qualified
protective order (as defined by the Privacy Rules).31
Covered entities may
continue to comply with subpoenas as well as other
discovery requests if such requests are accompanied
by "satisfactory assurances" from the requesting
party. These "satisfactory assurances" consist
of a written statement and accompanying documentation
demonstrating that: (1) the requesting party has made
a good faith attempt to provide written notice to
the patient whose records are being requested (or,
if the patient's location is unknown, has mailed notice
to the individual's last known address); (2) the written
notice included sufficient information about the litigation
or proceeding in which the PHI is requested to allow
the patient to raise an objection to the tribunal;
the time for the patient to raise objections has elapsed,
and (3) either no objections were filed or all objections
filed have been resolved by the tribunal, and the
disclosures being sought are consistent with this
resolution.32
Alternatively, satisfactory
assurances may consist of a written statement and
accompanying documentation demonstrating that the
parties to the litigation or proceeding have agreed
to a qualified protective order and the qualified
protective order has been presented to the court or
administrative tribunal with jurisdiction over the
dispute.33
Correct Answer: c.
Without an authorization, Driver's attorney must either
provide satisfactory assurances or a qualified protective
order with his subpoena in order to obtain Patient's
medical records. Additionally, because HIPAA requires
that covered entities disclose only the minimum amount
of PHI necessary to fulfill the purpose of the disclosure,
Hospital and Nursing Facility should have supplied
Driver's attorney with only those records relating
to the car accident. Driver's attorney would need
to provide a HIPAA-compliant authorization signed
by Patient's personal representative in order to obtain
the entire record. There are no limits on the information
that can be authorized for disclosure, as long as
the authorization is "specific enough to ensure
that the individual has a clear understanding that
the entire record will be disclosed." The covered
entity may disclose any records requested under a
proper authorization.34
SUBSEQUENT DISCLOSURES BY ATTORNEYS
11. Did Driver's attorney violate the Privacy Rules
by turning the medical records over to Passenger's
attorney?
a. Yes. This was not a disclosure for treatment, payment
or health care operations purposes,
so Driver's attorney was required to obtain an authorization
before disclosing the records.
b. Yes. If Passenger's attorney wanted the records,
the attorney was required to subpoena
them just like Driver's attorney did.
c. Yes. Driver's attorney must return or destroy the
records after he has finished with
them.
d. No. Driver's attorney has no duty under the Privacy
Rules to keep the records confidential.
Overview of issues.
HHS has authority to regulate those who initially
create and disclose health information, but it has
no authority to regulate most other persons or entities
who receive that information from a covered entity.
It determined that privacy protection was best served
by requiring covered entities to obtain certain assurances
from entities requesting PHI from them. Thus, the
Privacy Rules indirectly govern certain third parties
through a requirement that the covered entities enter
into contracts with these third party "business
associates" binding them to numerous contractual
restrictions that must be imposed under the regulations.
As explained below,
a business associate is a person other than a member
of the covered entity's workforce who performs or
assists in the performance of a function or activity
involving the use or disclosure of PHI. As is clear
from the definition, attorneys may be business associates
if they are providing services to an entity
covered by HIPAA and these services involve the use
or disclosure of PHI. Those attorneys who fall under
the definition must enter into business associate
contracts with their covered clients. Attorney business
associates would be prohibited by the business associate
agreement from subsequently disclosing medical records.
However, those attorneys who are not representing
a covered entity under HIPAA are not business associates,
and therefore, are under no obligation not to disclose
medical records they obtain in litigation unless they
are prohibited from doing so by a court order.
Correct Answer: d.
Driver's attorney is not regulated by HIPAA because
the attorney is not a covered entity. Additionally,
because Driver's attorney is not representing a covered
entity, the attorney is not bound by the restrictions
of a Business Associate Agreement. Therefore, Driver's
attorney was not required by the Privacy Rules to
maintain the confidentiality of Patient's medical
records.
PATIENT RIGHTS
12. Which of the following statements are true
under the Privacy Rules and other applicable law?
a. Mother's request for access to Patient's medical
records must be honored by Nursing
Home within 24 hours of her request.
b. Sister's request must be honored by Insurance Company,
but health plans have thirty
days to retrieve on-site records.
c. Sister's request for access should be rejected,
unless Mother provides an authorization.
d. Both a and c.
Overview of issues.
HIPAA provides patients a bundle of rights regarding
their PHI, including the right to request restrictions
on uses and disclosures,35 the right to
confidential communications,36 the right
to access PHI,37 the right to amend PHI,38
and the right to receive an accounting of PHI disclosures.39
Some of these rights are not absolute, and the covered
entity may deny the right, under certain circumstances,
if reasonable to do so. A covered entity should, and
in some cases must, document both requests and responses
to patients who are exercising their rights. A nursing
home must respond to a request for access to medical
records within 24 hours of the request, except for
weekends and holidays.40 This very short
deadline is not preempted by the Privacy Rule, because
it provides quicker access by a person or personal
representative to requested records.41
There is no similar shorter deadline for health plans
in Arkansas, so health plans may take the full 30
days to produce records located on site and 60 days
to produce records off site, with some opportunity
for a single 30-day extension.42
Correct Answer: d.
When Mother asks for a copy of Patient's medical record,
she is entitled to have it because she is Patient's
guardian, and therefore, personal representative.
She has all the above listed rights as would Patient
if he were medically competent, and a nursing home
patient is entitled to access to his or her medical
records within 24 hours, excluding weekends and holidays.
On the other hand, Sister
was not entitled to access all of Patient's records
without an authorization. She is not Patient's personal
representative and Insurance Company could disclose
PHI to her only to the extent minimally necessary
for Sister's investigation of the Hospital bill. Customer
Service Manager should have told Sister to provide
the access request form to Mother to fill out. A covered
entity may require that access requests for PHI be
in writing.43 Customer Service Manager
also correctly told Sister that the request could
take up to 30 days.
Even with a valid request
for access, an individual probably is not entitled
to "every piece of paper" about the individual
maintained by a covered entity. The Privacy Rules
limit an individual's access to his own PHI that is
maintained in a "designated records set,"
defined by the Rules as those records used in whole
or in part to make decisions about the individual.44
Under the definition, a designated records set specifically
includes medical and billing records maintained by
a health care provider and enrollment, payment, claims
adjudication and case or medical management files
maintained by a health plan. However, a covered entity
would not have to provide an individual access under
the Privacy Rules to PHI in its quality assurance
files, because those files are used to ensure the
quality of care provided by the covered entity, not
to make decisions about an individual.
HEALTH OVERSIGHT
13. Survey Agency may enter Nursing Home premises
and review PHI:
a. Only pursuant to a valid authorization signed by
a complainant;
b. Because disclosures to the Survey Agency are required
by law;
c. Because the Survey Agency is a health oversight
agency with responsibility to monitor
Nursing Home compliance with law;
d. Both b and c.
Overview of issues.
A "health oversight agency" is an agency
or a person acting under authority of a federal, state,
local government or territory, or Indian tribe, that
is authorized by law to oversee the health care system
or government programs in which health information
is necessary to determine eligibility or compliance,
or to enforce civil rights laws for which health information
is relevant.45
A covered entity may
disclose PHI to a health oversight agency for all
activities authorized by law, including audits; civil,
administrative, or criminal investigations, proceedings,
or actions; inspections; licensure or disciplinary
actions; or other appropriate oversight actions.46
When the Survey Agency
conducts an investigation of Nursing Home's report
of the allegation of neglect, the Privacy Rule permits
the Nursing Home to disclose all Patient's records
and investigation reports involving Patient's nurse
to the surveyors, because the Survey Agency is conducting
a health oversight function. Generally, the minimum
necessary rule does not apply to limit the amount
of disclosure because disclosure to the Survey Agency
is required by other law. Also because it is required
by other law, HIPAA does not prohibit the Survey Agency
from using other patients' PHI while it is conducting
its investigation into the neglect allegation.
Correct Answer: d.
No authorization is required because the disclosures
are both required by law and to a health oversight
agency acting within the scope of its authority.
RIGHT TO AN ACCOUNTING
14. Which of the following ten disclosures would
the covered entity have to include in an accounting
of disclosures under the Privacy Rules?
I. A health care provider's medical evaluation of
Patient disclosed to the court in support
of Parents' petition for guardianship to establish
Patient's incapacity.
II. Hospital spokesperson's disclosure to newspaper
Reporter about patient's general
condition.
III. Nursing Home's disclosure to Survey Agency.
IV. Disclosure to Sister about claims issues by Insurance
Company's Customer Service
Manager.
V. Disclosures pursuant to the subpoena issued by
Driver's attorney.
VI. Nursing Home Clerk's improper disclosure to Ex-husband.
VII. Disclosure to Parents' attorney, if the attorney
obtains a valid authorization from
one or both parents.
VIII. Nursing Home's disclosure to Consultant.
IX. A disclosure by Insurance Company pursuant to
Sister's written request for access
to Patient's PHI.
X. Nursing Home's disclosure to its own attorney.
a. I, III, V, VI, IX
b. All would require an accounting.
c. I, II, III, IV, VI, VIII, IX.
d. None would require an accounting.
Overview of issues.
With some exceptions, patients have a right to
receive an accounting of PHI disclosures made by a
covered entity on or after April 14, 2003, the effective
date of the Privacy Rules, or within the six years
preceding the request, whichever is later.47
Exceptions to the accounting rule include disclosures
to carry out treatment, payment, and health care operations;
to the patient or personal representative; in response
to an authorization; for the covered entity's directory
or to a person involved in the patient's care; for
national security; or to correctional institutions.
If an accounting is
required, it must include the date of the disclosure;
the name, and if known, the address of the person
or entity to whom the PHI is disclosed; a brief description
of the type of PHI disclosed; and a brief description
of the PHI disclosed.48
Generally, the covered
entity must provide the patient with the accounting
within 60 days of the patient's request and may not
charge the patient for the cost of preparing the first
accounting within a 12-month period. Thereafter, the
covered entity may impose a reasonable, cost-based
fee for each subsequent accounting in the same 12-month
period.49
Because covered entities
are required to provide accountings upon patient request,
they must document the disclosures covered by the
accounting rule.
Correct Answer: a.
Disclosures in legal proceedings (I, V) or to health
oversight agencies (III) must be documented and accounted
for. Disclosures VI and IX are improper because they
should not have been made without an authorization,
and a covered entity must account for such disclosures.
The rest of the listed
disclosures fall within the following exceptions to
accounting requirements: II (hospital directory disclosure);
IV (disclosure to family member involved in payment
for Patient's care); VII (disclosure made pursuant
to a valid authorization); VIII (disclosure made for
quality assurance purposes, which are health care operations);
X (disclosure made to obtain legal services, which are health
care operations).
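To show how a covered entity can keep the disclosure log the accounting rule requires, here is an added example that is not part of the article. It records each disclosure with the content the article says an accounting must carry, applies the article's exception list, limits the accounting to the six years before the request and never earlier than the April 14, 2003 effective date, and computes the 60-day response deadline and whether the once-per-12-months free accounting has already been used. The purpose category labels, field names, sample dates and recipients are assumptions constructed for this example, and "12-month period" is read here as the twelve months preceding the request; the sample log follows the ten disclosures in question 14.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Dates and limits stated in the article.
PRIVACY_RULE_EFFECTIVE = date(2003, 4, 14)
LOOKBACK_YEARS = 6
RESPONSE_DAYS = 60

# Purpose categories the article lists as exempt from the accounting.
# The category labels are an assumption of this example, not the Rule's wording.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health_care_operations",
    "to_patient_or_personal_representative", "authorization",
    "facility_directory", "involved_in_care",
    "national_security", "correctional_institution",
}


@dataclass(frozen=True)
class Disclosure:
    ref: str                          # label only (question 14 numbering)
    disclosed_on: date                # date of the disclosure
    recipient_name: str               # name of the person or entity
    recipient_address: Optional[str]  # recorded "if known"
    phi_type: str                     # brief description of the type of PHI
    phi_description: str              # brief description of the PHI disclosed
    purpose: str                      # assumed category used for the exception test
    improper: bool = False            # made without a required authorization


def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def window_start(request_date: date) -> date:
    """Six years before the request, but never before the Rule's effective date."""
    return max(years_before(request_date, LOOKBACK_YEARS), PRIVACY_RULE_EFFECTIVE)


def is_accountable(d: Disclosure) -> bool:
    """Improper disclosures are always accountable; otherwise exempt purposes are not."""
    return d.improper or d.purpose not in EXEMPT_PURPOSES


def accounting(log: List[Disclosure], request_date: date) -> List[Disclosure]:
    """Entries the covered entity must report for a request made on request_date."""
    start = window_start(request_date)
    return [d for d in log
            if start <= d.disclosed_on <= request_date and is_accountable(d)]


def response_due(request_date: date) -> date:
    """Latest date to deliver the accounting."""
    return request_date + timedelta(days=RESPONSE_DAYS)


def fee_may_apply(prior_requests: List[date], request_date: date) -> bool:
    """First accounting in a 12-month period is free (assumed: the 12 months before the request)."""
    since = years_before(request_date, 1)
    return any(since < r <= request_date for r in prior_requests)


# Constructed sample log following question 14 (dates, addresses and purposes are made up).
SAMPLE_LOG = [
    Disclosure("I", date(2003, 5, 2), "Circuit Court", None, "medical evaluation", "capacity evaluation", "judicial_proceeding"),
    Disclosure("II", date(2003, 5, 5), "Newspaper Reporter", None, "directory information", "general condition", "facility_directory"),
    Disclosure("III", date(2003, 6, 1), "Survey Agency", "state office", "full record", "records and investigation reports", "health_oversight"),
    Disclosure("IV", date(2003, 6, 10), "Sister", None, "claims information", "hospital bill claims", "involved_in_care"),
    Disclosure("V", date(2003, 7, 1), "Driver's attorney", "law office", "medical records", "accident-related records", "subpoena"),
    Disclosure("VI", date(2003, 7, 8), "Ex-husband's attorney", None, "medical records", "copy of full record", "unknown", improper=True),
    Disclosure("VII", date(2003, 7, 15), "Parents' attorney", "law office", "medical records", "full record", "authorization"),
    Disclosure("VIII", date(2003, 8, 1), "Consultant", None, "quality assurance file", "chart review", "health_care_operations"),
    Disclosure("IX", date(2003, 8, 20), "Sister", None, "full record", "all PHI on file", "access_request", improper=True),
    Disclosure("X", date(2003, 9, 1), "Nursing Home's attorney", None, "incident file", "legal services", "health_care_operations"),
    # Before the effective date: never part of an accounting.
    Disclosure("pre", date(2003, 3, 1), "Survey Agency", None, "full record", "older survey", "health_oversight"),
]
REQUEST_DATE = date(2004, 1, 15)


def sample_accounting_refs() -> List[str]:
    """Labels of the sample disclosures that appear in the accounting."""
    return [d.ref for d in accounting(SAMPLE_LOG, REQUEST_DATE)]


if __name__ == "__main__":
    for d in accounting(SAMPLE_LOG, REQUEST_DATE):
        print(d.ref, d.disclosed_on, d.recipient_name, d.recipient_address or "unknown", d.phi_type, d.phi_description)
    print("respond by", response_due(REQUEST_DATE))
```

Run as a script, the sample reproduces answer a (I, III, V, VI, IX) and drops the pre-effective-date entry; a real deployment would append to this log at the point of disclosure rather than reconstruct it later, since the accounting is only as good as what was recorded when the PHI left the entity.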
EMPLOYEE MEDICAL RECORDS
15. Disclosure of medical information in Nurse's
employee records to Ex-husband's attorney:
a. Will violate the Privacy Rules unless Nursing Home
obtains Nurse's authorization.
b. Will not violate the Privacy Rules because disclosures
relating to employment matters
are "health care operations."
c. Will not violate the Privacy Rules because employment
records containing medical
information are expressly excluded from the definition
of PHI.
d. Will not violate the Privacy Rules because employment
records containing medical
information are expressly excluded from authorization
requirements.
Overview of issues.
Employee health information maintained by an employer
does not fall within the definition of "PHI."50
Even employers who are also covered entities are not
governed by the Privacy Rules in their uses and disclosures
made in the role of employer, although other laws
may limit disclosures. On the other hand, the Rules
do apply to their uses and disclosures made in their
roles as a covered entity; for example, if a hospital
provided medical care to a member of its workforce.
Correct Answer: c.
The Nursing Home will not violate HIPAA if it discloses
Nurse's employee medical records to Ex-husband's attorney
because such records are not PHI, and the Privacy
Rules, therefore, do not govern uses or disclosures
of such records.
COMPLAINTS
16. To initiate a complaint against Nursing Home
alleging a violation of the Privacy Rules based on
disclosure of Patient's PHI to Ex-Husband's attorney,
Mother:
a. Must first file the complaint with Nursing Home's
Privacy Officer, and, if not satisfied
with the resolution, may appeal to a designee of the
Secretary of HHS.
b. Must first file the complaint with Nursing Home's
Privacy Officer, and, if not satisfied
with the resolution, may appeal to the Arkansas Department
of Human Services, Office
of Long Term Care.
c. May simultaneously complain to Nursing Home's Privacy
Officer and the designee of
the Secretary of HHS.
d. May sue under HIPAA in federal district court.
Overview of issues.
In addition to designating a contact person or office
for receiving complaints,51 covered entities
are required to have policies and procedures for individuals
to make complaints.52 Complaints and their
dispositions must be documented.53 Covered
entities may not intimidate, discriminate, or in any
way retaliate against any person who files a complaint.54
Correct Answer: c.
Mother may file simultaneously a complaint with the
Nursing Home's Privacy Official and with the Secretary
of HHS. The Secretary has designated the Dallas regional
office of the Office of Civil Rights to accept complaints
originating in Arkansas.55 The Nursing
Home's Notice of Privacy Practices must provide information
on how to file a complaint, along with the contact
information.56 The Nursing Home should
consult its policies and procedures and provide Mother
with information relating to the resolution of her
complaint according to its policies. The Home should
document its investigation and any corrective action.
There is no requirement
under the Privacy Rules to complain to the covered
entity first before complaining to HHS. Mother may
wish to sue Nursing Home and Clerk for a privacy violation,
but she may not do so under authority of HIPAA, because
HIPAA does not provide Mother with a private right
of action.
BUSINESS ASSOCIATES
17. Which of the following contractual relationships
does not require business associate language in the
contract or in an addendum to the contract?
a. Hospital's contractual relationship as a preferred
provider for Insurance Company's
benefit plan.
b. Nursing Home's contractual relationship with Consultant.
c. Hospital's contractual relationship with its lawyer.
d. Both b and c.
Overview of issues.
A "business associate" is a person who performs
a function or activity that involves using or disclosing
individually identifiable health information for or
on behalf of a covered entity.57 If a person
is treated by the covered entity as a member of its
work force, then that person is not a business associate.
Typical business associate functions include claims
processing or administration, data analysis, utilization
review, quality assurance, billing, benefit management,
practice management, repricing; or legal, actuarial,
accounting, consulting, data aggregation, management,
administrative, accreditation, or financial services.
A covered entity may be a business associate of another
covered entity, except that health care providers,
when providing treatment, are not considered business
associates.
A covered entity may
disclose PHI to business associates, who may create
and receive PHI on the covered entity's behalf, as
long as the covered entity receives satisfactory assurances
in a written agreement that the business associate
will safeguard the information.58 The Privacy
Rules lay out the specific elements that must be addressed
in a business associate agreement.59 The
preamble to the August 2003 modifications to the Privacy
Rules further states that agreements may not authorize
business associates to use or further disclose PHI
in a manner that would violate the Rules if done by
the covered entity, unless the use or disclosure is
for the business associates' management and administration
and to carry out its legal responsibilities, or to
provide data aggregation services to the covered entity.60
HIPAA does not regulate
business associates, unless they are also covered
entities. If the business associate commits a HIPAA
violation, then, the covered entity is accountable
to the HHS Office of Civil Rights if it knew of a
pattern of activity or practice that constituted a
material breach of the business associate's obligation,
and failed to take reasonable steps to cure the breach
or end the violation; or if such steps were unsuccessful,
failed to terminate the contract or arrangement, or
if termination was not feasible, failed to report
the problem to the Secretary of HHS.61
Correct Answer: a.
A health plan's contractual relationship with a preferred
provider, in which the provider agrees to accept a
certain rate for health care services, is not a business
associate relationship because neither party to the
contract is performing services on behalf of the other
party. Sometimes, a health plan may contract with
a provider to perform certain functions on its behalf.
For example, a health plan might contract with a professional
association of providers to administer claims of providers
in the group, or to perform utilization management
services on the health plan's behalf. In such circumstances,
the health plan would need to enter into a business
associate agreement with the professional association.
Nursing Home's Consultant
and Hospital's attorney are each business associates
of those entities. Each of them may use and further
disclose PHI only as permitted in the business associate
agreement, and have obligations to protect health
information similar to the covered entity's. In a
sense, the Privacy Rules are derivative. For example,
if the business associate uses a subcontractor to
whom it further discloses PHI, the business associate
must observe the minimum necessary and accounting
of disclosures rules when disclosing PHI to the subcontractor.
In addition, the business associate is required to
make sure the subcontractor agrees to the same restrictions
and conditions that apply to the business associate.
Further, business associates will need to re-examine
their record-retention rules because HIPAA documents
must be retained for six years from the date of creation,
or the date of last use, whichever is later.
PENALTIES FOR HIPAA VIOLATIONS
18. In the first year of HIPAA Privacy enforcement,
which of the following individuals are most likely
to face personal fines under HIPAA's penalty statute?
a. Nursing Home Clerk, for knowingly failing to verify
the identity of Ex-husband's attorney
before mistakenly providing him Patient's medical
records.
b. Ex-husband's attorney, for attempting to use Patient's
PHI for commercial advantage.
c. Credentialing Specialist, for knowingly obtaining
and using Patient's PHI in a manner
outside his job description.
d. None are likely to be sanctioned personally, at
least in the initial year of enforcement.
Overview of issues.
Persons, both individual and legal, who knowingly
and in violation of the Administrative Simplification
Act (a) use or cause to be used a unique health identifier;
(b) obtain individually identifiable health information
relating to a patient; or (c) disclose individually
identifiable health information to another person,
shall be (a) fined not more than $50,000, imprisoned
for up to one year, or both; (b) fined not more than
$100,000, imprisoned up to five years, or both if
the offense is committed under false pretenses; and
(c) fined not more than $250,000, imprisoned not more
than 10 years, or both if the offense is committed
with intent to sell, transfer, or use individually
identifiable health information for commercial advantage,
personal gain, or malicious harm.62
Best
Answer: d. While no one can predict for sure how
HHS will react, it is most likely that no one would
face fines or criminal penalties, particularly in
the first year of enforcement. In the preamble to
the first proposed rule issued on enforcement, HHS
stated that "[t]he Department intends to seek
and promote voluntary compliance with the rules promulgated
to carry out the HIPAA provisions."63
Emphasizing the technical assistance continuing to
be produced by the Office of Civil Rights, the preamble
states that such efforts "will continue after
the April 14, 2003, compliance date, as OCR learns
from its compliance activities and from those who
are implementing the Privacy Rule where additional
guidance and assistance are needed."64
Clerk would most likely
not be sanctioned for her mistaken disclosure of Patient's
records to Ex-husband's attorney, because the disclosure
was not done "knowingly." Nonetheless, the
Office of Civil Rights could impose administrative
remedies against Nursing Home for, among other things,
failure to effectively train or to sanction the employee
for the unauthorized disclosure, or failure to mitigate
any harmful consequences. There would be no sanctions
against Ex-husband's Attorney for use of Patient's
PHI because Attorney is not a covered entity, and
is therefore not governed by the HIPAA enforcement
statute.
Credentialing Specialist
did knowingly obtain and use PHI in a manner
inconsistent with his job function, and arguably disclosed
PHI knowingly, at least indirectly. He would be the
most likely person of the three referenced here to
face sanctions. However, HHS probably would not fine
or penalize Credentialing Specialist under these facts,
but, again, could impose alternative sanctions against
Insurance Company for failure to adequately train
its employees.
CONCLUSION
The questions set forth above are merely examples
of the myriad HIPAA-related situations that arise
each day for a covered entity. No doubt covered entities
believe that each day of HIPAA compliance efforts
is itself a "test."
Endnotes
1. The Privacy Rules are codified at 45 C.F.R., Parts 160 and 164.
2. Preemption provisions are contained in 45 C.F.R. Part 160, Subpart B.
3. 45 C.F.R. § 164.520.
4. 45 C.F.R. § 164.520(c)(2)(i)(B).
5. 45 C.F.R. § 164.520(c)(2)(ii).
6. Office of Civil Rights, Frequently Asked Questions, #330 (July 2003).
7. 45 C.F.R. § 164.520(c)(3); 45 C.F.R. § 164.508(b)(3).
8. 45 C.F.R. § 164.510(a).
9. 45 C.F.R. § 164.510(b).
10. 45 C.F.R. § 164.510(b).
11. 45 C.F.R. § 164.506.
12. Rules & Regs for Hospitals and Related Institutions, § 14(A)(18).
13. See definition of "payment" in 45 C.F.R. § 164.501.
14. 45 C.F.R. § 164.501.
15. 45 C.F.R. § 164.502(b).
16. 45 C.F.R. § 164.514(d)(2).
17. 45 C.F.R. § 164.514(d)(3).
18. 45 C.F.R. § 164.514(d)(5).
19. 45 C.F.R. § 164.530(c).
20. 45 C.F.R. § 164.530(c)(2)(ii).
21. See HHS, Office of Civil Rights Privacy Guidance (as revised April 3, 2003).
22. 45 C.F.R. § 164.508.
23. 45 C.F.R. § 164.508(c).
24. 45 C.F.R. § 164.530(b).
25. 45 C.F.R. § 164.530(a).
26. 45 C.F.R. § 164.502(g).
27. Ark. Code Ann. § 28-68-201.
28. 45 C.F.R. § 164.524(c)(4).
29. 45 C.F.R. § 164.514(h).
30. These include court orders, search warrants, grand jury subpoenas, subpoenas or summons issued by a judge or magistrate; and administrative orders issued during the course of an administrative proceeding. 45 C.F.R. § 164.512(e) and (f).
31. A qualified protective order is defined under the Privacy Rules as an order or stipulation by the parties to the action that prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which the records have been requested; and requires either the return or destruction of the PHI (including all copies) at the end of the litigation or proceeding. 45 C.F.R. § 164.512(e)(1)(v).
32. 45 C.F.R. § 164.512(e)(1)(iii).
33. 45 C.F.R. § 164.512(e)(iv); see also, supra Note 29 defining "qualified protective order."
34. 65 Fed. Reg. 82,517.
35. 45 C.F.R. § 164.522(a).
36. 45 C.F.R. § 164.522(b).
37. 45 C.F.R. § 164.524.
38. 45 C.F.R. § 164.526.
39. 45 C.F.R. § 164.528.
40. 42 C.F.R. § 483.10(b)(2).
41. See 45 C.F.R. § 160.202.
42. 45 C.F.R. § 164.524(b)(2).
43. 45 C.F.R. § 164.524(b)(1).
44. 45 C.F.R. § 164.501.
45. 45 C.F.R. § 164.501.
46. 45 C.F.R. § 164.512(d).
47. 45 C.F.R. § 164.528.
48. 45 C.F.R. § 164.528(b)(2).
49. 45 C.F.R. § 164.528(c).
50. 45 C.F.R. § 160.103.
51. 45 C.F.R. § 164.530(a)(1)(ii).
52. 45 C.F.R. § 164.530(d)(1).
53. 45 C.F.R. § 164.530(d)(2).
54. 45 C.F.R. § 164.530(g).
55. See OCR Fact Sheet, How to File a Health Information Privacy Complaint, at http://www.hhs.gov/ocr/privacyhowto.htm
56. 45 C.F.R. § 164.520(b)(vi).
57. 45 C.F.R. § 160.103.
58. 45 C.F.R. § 164.502(e).
59. 45 C.F.R. § 164.504(e)(2)-(4).
60. 67 Fed. Reg. at 53265.
61. 45 C.F.R. § 164.504(e)(1).
62. 42 U.S.C. § 1320d-6; 68 Fed. Reg. 18902, No. 74 (April 17, 2003) proposed rule to be codified at 45 C.F.R., Subpart E.
63. 68 Fed. Reg. at 18897.
64. Id.