HIPAA PRIVACY RULE MODIFIED


The Department of Health and Human Services (“HHS”) has announced significant revisions to its previously issued “final” HIPAA Privacy Rule. The most notable of the proposed changes deal with the standards concerning consent, notices of privacy practices, minimum necessary disclosures and business associates.

Background

In late December 2000, HHS issued its “standards for privacy of individually identifiable health information,” intended to implement certain provisions of the Health Insurance Portability and Accountability Act of 1996 (the “Privacy Rule”). The Privacy Rule governs the use and disclosure of “protected health information” (“PHI”): information concerning the health condition, care or treatment of a person which identifies the individual, or can reasonably be expected to identify the individual, who is the subject of the data.

The Privacy Rule imposes obligations on virtually any person who uses health information for patient care and treatment or in connection with the payment for health care services. The Privacy Rule will have the greatest impact on “covered entities,” which include health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with certain transactions covered by HIPAA. A major aspect of the Privacy Rule as issued in late 2000 was the requirement that a health care provider obtain prior consent or authorization from a patient before use and/or disclosure of PHI. In particular, the Privacy Rule required a covered entity with a direct treatment relationship with a patient to obtain a written consent for the use of PHI in treating the patient or obtaining payment for such treatment.

Since issuing the Privacy Rule, HHS has given indications that even though the Privacy Rule was issued in “final” form, it would be subject to changes before its general effective date of April 14, 2003. Just recently, HHS announced the first set of such proposed changes.

Description of Major Proposed Changes

The principal provisions of the Privacy Rule affected by the proposed changes deal with:

HHS described the proposed changes as being necessary to address “unintended negative effects of the Privacy Rule on health care quality or access to health care” and to relieve “unintended administrative burden[s] created by the Privacy Rule.” Each of the major changes is discussed below.

(1) Elimination of Consent Requirement

HHS identified a number of potential problems with the consent requirements of the Privacy Rule. These included concerns that the consent rules would make obtaining prescription medicines difficult, burdens associated with tracking patient consents and revocations, and difficulties in obtaining consents in emergency medical situations. The proposed changes would eliminate the requirement of obtaining consent for the use of PHI for treatment, payment or health care operations. Providers would still have the option of obtaining such consent if they so desire. This change would be effected by incorporating into the Privacy Rule explicit permission for use and disclosure of PHI for treatment, payment and health care operations. The proposed elimination of the consent requirements is balanced by proposed additional requirements concerning notices of privacy practices.

(2) Notice of Privacy Practices

The Privacy Rule requires most covered entities to give individuals notices of the provider’s procedures for using, disclosing and maintaining the confidentiality of PHI. This notice is commonly referred to as the “Notice of Privacy Practices.” In light of the proposal to eliminate the consent requirements, HHS has also proposed a modest strengthening of the Notice of Privacy Practices requirements. In particular, the proposed change would require health care providers with direct treatment relationships to make a good faith effort to obtain a written acknowledgment of delivery of a Notice of Privacy Practices to each patient. Covered entities which do not have direct treatment relationships, such as health plans, would not be required to obtain such an acknowledgment. Except for emergency situations, the acknowledgment of delivery of the Notice of Privacy Practices would have to take place at the time of the first delivery of services to a patient. Ideally, acknowledgment would be evidenced by obtaining a patient’s signature on a form acknowledging receipt of the notice, but the proposed changes indicate there would be some flexibility in this area.

(3) Disclosure for Treatment, Payment or Health Care Operations of Another Entity

Under the Privacy Rule as issued, a covered entity could use and disclose PHI only for its own treatment and payment activities. HHS was concerned this limitation could create significant difficulties for certain health care providers. For example, ambulance service providers often have difficulty obtaining sufficient billing information for the patients they assist. HHS now proposes to modify the Privacy Rule to permit a covered entity to disclose PHI for the payment activities of another covered entity or health care provider and for certain health care operations, such as quality assurance activities.

(4) Minimum Necessary Standard

The Privacy Rule as issued required entities to make reasonable efforts to limit the use or disclosure of PHI to the “minimum necessary.” HHS noted that a number of persons expressed concern about whether this standard would prohibit providers from engaging in what HHS described as “common and essential health care communications and practices in use today.” Examples of such practices cited by HHS included calling out a patient’s name in a waiting room, the use of sign-in sheets and other routine practices. While the proposed changes do not provide explicit guidance as to the use of such practices, they do relax the “minimum necessary standard to exempt uses or disclosures of PHI which occur as a result of an otherwise permitted use or disclosure under the Privacy Rule.” The type of “incidental use or disclosure” that would be permitted is one which “could not reasonably be prevented, is limited in nature and occurs as a by-product of an otherwise permitted use or disclosure under the Privacy Rule.” While the proposed changes stop short of stating that calling out a patient’s name in a waiting room or using a sign-in sheet would be permissible, they do indicate that using a sign-in sheet that asks for a patient’s health history would not be a permitted incidental disclosure even under the proposed changes. The implication, at least, is that use of a sign-in sheet which merely requested patients’ names would be a permissible incidental use or disclosure of PHI under the proposed changes.


(5) Business Associates

The Privacy Rule included requirements that a covered entity may disclose PHI to a business associate only if, prior to such disclosure, the covered entity had received “satisfactory assurances” that the business associate will safeguard the PHI and the covered entity documents the existence of such satisfactory arrangements through a written contract or other written agreement. A business associate is a person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information. These functions and activities include claims processing or administration, data analysis, processing or administration, utilization or review, quality assurance, billing, benefit management, practice management and re-pricing.

HHS received a number of comments requesting the promulgation of model business associate contract provisions. The proposed changes include such model provisions. The proposed changes do not make any changes to the actual business associate requirements, other than to give some covered entities up to an additional year to change existing contracts with business associates.

(6) Use and Disclosure of PHI for Marketing Purposes

The Privacy Rule as issued contained rather complicated provisions concerning the use and disclosure of PHI for marketing. The proposed changes are intended to make those rules clearer and simpler. Under the proposed changes, any communication which fits the Privacy Rule definition of “marketing” would require an authorization by the patient. This in effect eliminates the ability to deliver some marketing communications absent such authorization. These intended changes are described by HHS as meant to create greater consumer privacy protection than afforded under the Privacy Rule as issued.

(7) Research

HHS received a number of comments expressing concern about the Privacy Rule provisions governing the use of PHI for research purposes. Most notable were concerns that the Privacy Rule conflicted with other administrative rules and protocols covering clinical research. The proposed changes would simplify the research provisions of the Privacy Rule. In particular, the changes would reduce the number of criteria required for an institutional review or privacy board to approve a waiver of the requirement that patient authorization be obtained before PHI is used in connection with research activities. HHS has attempted to better synchronize the Privacy Rule provisions concerning research with those of other rules and protocols governing research activities.

(8) Other Changes

· Parents and Minors. To eliminate confusion concerning a parent’s access to his/her child’s medical records, the proposed changes would emphasize that State law governs such matters. To the extent state law permits disclosure to parents, the Privacy Rule would not prohibit such disclosure. In cases where state law is silent or unclear, the proposed changes would permit the health care provider to use discretion to provide or to deny a parent access to such records as long as that decision is consistent with applicable State or other law.

· Authorizations. Certain uses and disclosures of PHI require that a patient give voluntary and informed prior authorization. The proposed changes would simplify the Privacy Rule provisions concerning authorizations and apply a single set of criteria for authorizations.


· Accounting for Disclosures. The proposed changes would eliminate any requirement that a covered entity provide an accounting for disclosures made pursuant to an authorization.

The proposed changes are likely to be finalized quickly by HHS. It is important for covered entities to be apprised of these changes as they continue to move toward full compliance with the Privacy Rule. At the same time, covered entities might wish to move toward implementation at a deliberate pace, as the possibility of even more proposed changes is far from remote.