November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Part 3: Covered Web Sites

Providers and Insurers

The privacy rule covers health plans and health care providers that transmit health information electronically in a standard format.36 Once an entity is a “covered entity,” it is subject to the new regulation whether it is conducting business online or offline.

It should be fairly easy to tell whether a health plan is a covered entity.  The term “health plan” is broadly defined in the regulation and covers just about anyone that provides or pays the cost of medical care.  It covers fee-for-service insurers, HMOs, Medicare and Medicaid programs, issuers of long-term care policies, group health plans and others.  Given this broad definition, it is fairly likely that a Web site hosted by a health insurer or HMO will be a covered health plan under the regulation.

Aetna U.S. Healthcare, for example, is a covered health plan with a Web site37 that allows members to view their personal health information, check the status of a claim, make changes in primary care physicians, and seek replacements of ID cards.  The information collected and maintained by the site would be covered by the regulation.

It will be more difficult for consumers to tell whether any given provider is subject to the regulation, since not all health care providers fall under the definition of “covered entity.”  To determine whether a person or organization is a covered provider under the privacy rule, a consumer would need to answer three key questions:

  1. Is the person or organization a health care provider as defined by the rule?
  2. Do they transmit health information in connection with one of the financial or administrative “standard transactions” listed in HIPAA?
  3. Do they transmit that information electronically in the required “standard format”?

A provider is only covered by the privacy rule if the answer to all of these questions is “yes.”  Answering even the simplest of these questions, however, may not be as easy as it appears.

As defined in the privacy rule, the term “health care provider” covers most of the people and organizations that consumers traditionally think of as providers.  It includes any person who furnishes, bills or is paid for health care in the normal course of business.  Thus doctors, counselors, clinics, hospitals, nurses and similar persons and organizations are, not surprisingly, considered to be health care providers under the regulation.

As for those who furnish health-related supplies, the rule applies only to those who sell or dispense these items pursuant to a prescription.38 Under this requirement, a pharmacy, such as CVS, is a health care provider, while a Web site that sells books and tapes on losing weight, such as eDiets.com, is not.  Similarly, a pharmaceutical company is not a health care provider since it does not sell or dispense drugs pursuant to a prescription.

If a person or an organization is a “health care provider” under the regulation, the next question to ask is whether it engages in the type of “standard transactions” that will bring it within the scope of the privacy rule.  Since the intent of the administrative simplification provisions of HIPAA (including the privacy rule) is to simplify the processing of health insurance claims, the privacy rule applies only to providers who conduct insurance-related transactions.  Some of the electronic transactions that trigger application of HIPAA to a provider include: submitting health claims or equivalent information related to physician-patient interactions; determining eligibility for a health plan; receiving health care payment and remittance advice; and receiving referral certification and authorization.  All of these are health insurance-type transactions.

In a very general sense, this question can be boiled down to: “Does the provider accept health insurance (including Medicaid) or participate in an HMO?”  If the answer to this question is yes, it is likely that the provider will engage in the type of standard transactions necessary to bring her within the scope of the privacy rule.

Even if a provider does engage in standard transactions, that still leaves the last, and perhaps the most difficult, question to answer: “Does the health care provider transmit information in relation to these standard transactions electronically in the required standard format?”  If a provider transmits health information electronically in relation to any of these standard transactions, such as verifying insurance coverage or filing a health claim, HIPAA requires the provider to use a standard electronic format (i.e., the provider must include certain information and use specified codes for diagnosis and treatment).39  Currently, October 2002 is the deadline for compliance with the requirement for adopting the standard format.  HHS has taken the position that only providers who actually use the required format are covered by the privacy rule.

If a provider has an online presence and accepts insurance, it probably will be safe to assume that she transmits the required type of information electronically.  But how a consumer is to determine whether a provider uses the standard format is problematic.

It becomes apparent how difficult it is to know whether a provider is covered when the test is applied to an actual site – for example, PatientSite,40 a Web site created by CareGroup HealthCare System, a network of six hospitals in Massachusetts.  PatientSite allows patients to communicate with their physicians through the Web.  These electronic communications become part of the patient’s medical record.  In addition, the site allows patients to check insurance benefits, refill prescriptions, request referrals, review lab results and make appointments.  Notably, these are online health care activities that the provider already conducts offline.  But is PatientSite run by a health care provider covered by the privacy regulation?

The answer is “maybe.”  PatientSite appears to be directly operated by a network of hospitals that clearly would be health care providers under the regulation.  Additionally, the providers accept insurance.  Its status as a covered entity, however, is not definitive – it is not clear from the Web site if or when CareGroup will use the standard format that is required in order to be covered by the privacy rule.  Currently, providers do not have to use the standard format until October 2002, and there has been extensive lobbying to extend that date.  It is only once a provider meets all three of the required criteria that it becomes a covered entity, and the information collected at its site would be protected by the regulation.

  36. Health care clearinghouses are covered entities under the regulation. However, as a practical matter, whether a clearinghouse is a covered entity would be irrelevant to most consumers, since they do not generally have direct contact with them. See discussion on business associates infra Part IV.B.
  37. http://www.aetna.com/members/index.html.
  38. The privacy rule applies to providers of health care. The rule defines “health care” as including the sale or dispensing of a drug, device or other equipment, or item in accordance with a prescription. Privacy Rule, § 160.103, available at http://www.hhs.gov/ocr/regtext.html. “Health care” therefore does not include over-the-counter drugs.
  39. See supra note 16.
  40. http://patientsite.caregroup.org/default.asp.