Final HIPAA Privacy Rule Modifications
On August 14, 2002, the Department of Health and Human Services
(“DHHS”) released final modifications to its Privacy
Rule, which was issued in December 2000 pursuant to the Health Insurance
Portability and Accountability Act (“HIPAA”). The date
for providers to be in compliance with the Privacy Rule remains
April 14, 2003. However, covered entities have an additional year
to comply with the business associate requirements. This memorandum
provides a general summary of the final modifications to the Privacy
Rule and the implications for substance abuse treatment providers
who must also comply with the requirements of 42 CFR Part 2.
Consent
One of the most significant changes in the final modifications
is that a covered entity is no longer required to obtain “consent”
for uses and disclosures of protected health information (“PHI”)
for treatment, payment, and healthcare operations (“TPO”).
This change allows a covered entity to use and disclose a patient’s
PHI, without prior written patient consent, for its own TPO as well
as for treatment, payment and certain health care operations of
other parties. A covered entity may disclose PHI without consent
to any health care provider, whether or not it is a covered entity,
for purposes of the recipient’s treatment activities. It may
also disclose PHI to another covered entity or to any provider for
the recipient’s payment activities. The changes also allow
disclosure to another covered entity that has a relationship with
the patient, if the disclosure is for specified health care operations
of the recipient, such as quality assessment or credentialing. Note
that this change does not eliminate the need to obtain patient authorizations
for other uses and disclosures. Covered entities may also choose
to voluntarily obtain patient consent. Now that TPO consents are
eliminated, treatment providers can continue to allow communications
between or among personnel having a need for the information in
connection with their duties, as allowed by 42 CFR Part 2, without
patient authorization or consent. However, substance abuse treatment
providers must continue to follow their current practice of obtaining
consent for payment as required under 42 CFR Part 2. Similarly,
sharing of information for healthcare operations will need to be
evaluated to determine whether such information can be disclosed
under an exception in 42 CFR Part 2.
Notice of Privacy Practices
Direct treatment providers must provide patients with a notice
of the patient’s privacy rights and the privacy practices
of the provider. This privacy notice must be given to each patient
when services are first rendered. Providers are now required to
make a good faith effort to obtain the patient’s written acknowledgment
of the notice of privacy rights and practices. If the provider is
unable to obtain a written acknowledgment, it must document its
good faith efforts to do so and a reason as to why the acknowledgment
was not obtained. Substance abuse treatment providers will need
to revise the written notices they are currently using pursuant
to 42 CFR Part 2 to incorporate the provisions required under HIPAA.
The HIPAA notice requirements are very detailed. DHHS will allow
layered notices that contain a short summary as long as the longer
notice containing all of the elements required by the rule is attached.
Neither 42 CFR Part 2 nor HIPAA prohibits a provider from using a
single notice form that incorporates the requirements of both rules.
However, the notice may not be in a single document with an authorization.
Programs must also implement procedures for obtaining a patient’s
written acknowledgment pursuant to the final modifications, as outlined
above.
Authorizations
The final modifications simplify the authorization content requirements
and eliminate the need for separate authorization forms. A covered
entity may use a single authorization form containing all of the
core elements outlined in the rule for most types of uses and disclosures.
A covered entity may not use or disclose psychotherapy notes for
purposes of another covered entity’s TPO without the patient’s
authorization. Under certain circumstances, however, the covered
entity may use or disclose psychotherapy notes for its own TPO without
the individual’s authorization.
A consent must be obtained under 42 CFR Part 2 before confidential
information may be disclosed. This consent must include nine elements
outlined in the regulations and include a prohibition on redisclosure.
The authorization under the Privacy Rule is similar to the consent
required under 42 CFR Part 2; however, the HIPAA authorization requires
that more elements be included in the authorization. Therefore,
providers will need to revise their current consents to include
these additional elements.
Minimum Necessary
The Privacy Rule keeps intact the “minimum necessary”
requirement, which requires covered entities to make reasonable
efforts to disclose only the amount of PHI that is necessary to
fulfill the purpose of the disclosure. However, any use or disclosure
made pursuant to a valid patient authorization is now exempt from
the minimum necessary requirement. Pursuant to 42 CFR Part 2, patient
identifying information may only be used or disclosed as permitted
by the regulations and must be limited to that information which
is necessary to carry out the purpose of the disclosure. In addition,
disclosures made pursuant to a court order must be limited to the
criminal or non-criminal purposes stated in the court order and
the regulations. Under the Privacy Rule providers must develop policies
and procedures for handling routine and non-routine requests and
disclosures so that only the minimum amount necessary is disclosed.
Providers will need to identify staff who will need access, the
categories of PHI they need access to and any conditions of access.
Incidental Uses and Disclosures
In response to comments received expressing concern that the Privacy
Rule would impede customary and necessary health care communications,
the Privacy Rule has been modified to make it clear that incidental
uses and disclosures will not be considered a violation of the Privacy
Rule as long as the covered entity implements reasonable safeguards
to limit unintended uses or disclosures and the minimum necessary
requirements are met. Although “incidental uses and disclosures”
is not a defined term in the Privacy Rule, some of the examples
provided by the DHHS include being overheard while engaged in a
confidential conversation, using sign-in sheets in waiting rooms,
maintaining patient charts at bedside and discarding empty prescription
vials.
Business Associates
The Privacy Rule requires a covered entity to impose, through written
agreements, the privacy standards on “business associates”
who access and use PHI to perform functions on behalf of the covered
entity. The requirements for business associate agreements and the
content of these agreements remain essentially unchanged. However,
covered entities have until April 14, 2004 (an additional year beyond
the compliance date) to modify written contracts to comply with
the Privacy Rule. DHHS also states that a covered entity does not
need to actively monitor its business associates but must take the
steps necessary to require the business associate to cure a breach,
if the entity learns of the breach.
Business associates are similar to qualified service organizations
(“QSO”) under 42 CFR Part 2. However, not every business
associate will be a QSO, and vice versa. Both rules set forth detailed
requirements. Providers will need to ensure compliance with both
rules.
Accounting of Disclosures of PHI
The Privacy Rule provides an individual the right to obtain an
accounting of any disclosures of their PHI made by a covered entity.
42 CFR Part 2 has no provision regarding accounting of disclosures.
Therefore, this is a new requirement that treatment providers must
meet. An accounting is not necessary for those disclosures for TPO
or those disclosures pursuant to a patient authorization.
Marketing
A covered entity must obtain written authorization for any use
or disclosure of PHI for marketing purposes, and the new rule clarifies
the types of communications that are considered marketing and those
that are not considered marketing. However, 42 CFR Part 2 does not
have a provision exempting marketing activities from the confidentiality
requirements. Therefore, a provider must obtain patient consent
to disclose information for any type of marketing activities.
Unemancipated Minors
The final modifications clarify that state law, or other applicable
law (including case law), governs disclosures of, and access to
an unemancipated minor’s PHI by a parent, guardian or other
person acting in loco parentis. If a specific provision of state
law requires or permits such a disclosure, the covered entity may
disclose the minor’s PHI to the parent. Conversely, if state
or other applicable law prohibits such a disclosure, the covered
entity would not be permitted to make the disclosure. Additionally,
the modifications clarify that state or other applicable law governs
parental access to an unemancipated minor’s health information.
If there is no explicit law governing access to a minor’s
health records, the covered entity may provide or deny access based
on the discretion of a licensed health care professional if such
discretion is permitted by state or other law. This change is consistent
with 42 CFR Part 2, which defers to state law regarding a minor’s
rights.
Research
Another significant change in the Privacy Rule is the modification
of several provisions governing research. These changes make the
research provisions more consistent with the “Common Rule”
governing federally funded research, including the requirements
related to an IRB or Privacy Board waiver of authorization. A researcher
is now permitted to use a single combined form to obtain informed
consent for the research and authorization for uses and disclosures
of PHI in connection with the research. Pursuant to 42 CFR Part
2, patient identifying information may be disclosed for the purpose
of conducting research only if the recipient is qualified to conduct
the research, has a protocol with the specific protections identified
in the regulations, and has had the protocol reviewed by three or
more individuals who are independent of the research project.
Limited Data Set
The creation and dissemination of a limited data set (one that
does not include directly identifiable information) for research,
public health, and health care operations is permitted. The recipient
of the limited data set must agree, in a written data use agreement,
that it will use the data set only for the purposes for which it
was given, that it will ensure the security of the data and it will
not identify the information or use it to contact any individual.
This would also be consistent with 42 CFR Part 2.
Hybrid Entities
Any covered entity that performs both covered and non-covered functions
can elect to be a hybrid entity regardless of whether the covered
functions represent the entity’s primary function, a substantial
function or even a small portion of the entity’s activities.
To be considered a hybrid entity, the covered entity must designate
its health care components. If a covered entity does not designate
any health care components, the entire entity would be considered
a covered entity and subject to the Privacy Rule. The final modifications
provide the entity additional discretion in designating its health
care components.
Employers
The final modifications make clear that employment records maintained
by a covered entity in its capacity as an employer are not PHI.
Employers that have a self-insured employee welfare benefit plan
should also determine whether or not they are subject to the requirements
of the Privacy Rule as a health plan. Small health plans (annual
receipts of $5 million or less) have until April 14, 2004 to comply.
Conclusion
This is a general overview of the final changes to the HIPAA Privacy
Rule and their effect on substance abuse treatment providers. The
Privacy Rule is quite complex in itself, and the additional requirements
of 42 CFR Part 2 increase the burden imposed on substance abuse
treatment providers. For more detailed information regarding the
impact or implementation of the Privacy Rule on your current practices,
please contact the firm.