Final HIPAA Privacy Rule Modifications
On August 14, 2002, the Department of Health and Human Services
(“DHHS”) released final modifications to its Privacy
Rule, which was issued in December 2000 pursuant to the Health Insurance
Portability and Accountability Act (“HIPAA”). The date
for providers to be in compliance with the Privacy Rule remains
April 14, 2003. However, covered entities have an additional year
to comply with the business associate requirements. This memorandum
provides a general summary of the final modifications to the Privacy
Rule. However, keep in mind that if another law or regulation provides
greater privacy protections, then an entity must comply with the
more restrictive law.
Consent
One of the most significant changes in the final modifications
is that a covered entity is no longer required to obtain “consent”
for uses and disclosures of protected health information (“PHI”)
for treatment, payment, and healthcare operations (“TPO”).
This change allows a covered entity to use and disclose a patient’s
PHI, without prior written patient consent, for its own TPO as well
as for treatment, payment and certain health care operations of
other parties. A covered entity may disclose PHI without consent
to any health care provider, whether or not it is a covered entity,
for purposes of the recipient’s treatment activities. It may
also disclose PHI to another covered entity or to any provider for
the recipient’s payment activities. The changes also allow
disclosure to another covered entity that has a relationship with
the patient, if the disclosure is for specified health care operations
of the recipient, such as quality assessment or credentialing. Note
that this change does not eliminate the need to obtain patient authorizations
for other uses and disclosures. Covered entities may also choose
to voluntarily obtain patient consent.
Notice of Privacy Practices
Direct treatment providers must provide patients with a notice
of the patient’s privacy rights and the privacy practices
of the provider. This privacy notice must be given to each patient
when services are first rendered. Providers are now required to
make a good faith effort to obtain the patient’s written acknowledgment
of the notice of privacy rights and practices. If the provider is
unable to obtain a written acknowledgment, it must document its
good faith efforts to do so and a reason as to why the acknowledgment
was not obtained. The HIPAA notice requirements are very detailed.
DHHS will allow layered notices that contain a short summary as
long as the longer notice containing all of the elements required
by the rule is attached. However, the notice may not be in a single
document with an authorization.
Authorizations
The final modifications simplify the authorization content requirements
and eliminate the need for separate authorization forms. A covered
entity may use a single authorization form containing all of the
core elements outlined in the rule for most types of uses and disclosures.
A covered entity may not use or disclose psychotherapy notes for
purposes of another covered entity’s TPO without the patient’s
authorization. Under certain circumstances, however, the covered
entity may use or disclose psychotherapy notes for its own TPO without
the individual’s authorization.
Minimum Necessary
The Privacy Rule keeps intact the “minimum necessary”
requirement, which requires covered entities to make reasonable
efforts to disclose only the amount of PHI that is necessary to
fulfill the purpose of the disclosure. However, any use or disclosure
made pursuant to a valid patient authorization is now exempt from
the minimum necessary requirement. Under the Privacy Rule, providers
must develop policies and procedures for handling routine and non-routine
requests and disclosures so that only the minimum amount necessary
is disclosed. Providers will need to identify staff who will need
access, the categories of PHI they need access to and any conditions
of access.
Incidental Uses and Disclosures
In response to comments received expressing concern that the Privacy
Rule would impede customary and necessary health care communications,
the Privacy Rule has been modified to make it clear that incidental
uses and disclosures will not be considered a violation of the Privacy
Rule as long as the covered entity implements reasonable safeguards
to limit unintended uses or disclosures and the minimum necessary
requirements are met. Although “incidental uses and disclosures”
is not a defined term in the Privacy Rule, some of the examples
provided by the DHHS include being overheard while engaged in a
confidential conversation, using sign-in sheets in waiting rooms,
maintaining patient charts at bedside and discarding empty prescription
vials.
Business Associates
The Privacy Rule requires a covered entity to impose, through written
agreements, the privacy standards on business associates who access
and use PHI to perform functions on behalf of the covered entity.
The requirements for business associate agreements and the content
of these agreements remain essentially unchanged. However, covered
entities have until April 14, 2004 (an additional year beyond the
compliance date) to modify written contracts to comply with the
Privacy Rule. DHHS also states that a covered entity does not need
to actively monitor its business associates but must take the steps
necessary to require the business associate to cure a breach, if
the entity learns of the breach.
Accounting of Disclosures of PHI
The Privacy Rule provides an individual the right to obtain an
accounting of any disclosures of their PHI made by a covered entity.
The rule has been modified so that an accounting is not necessary
for those disclosures for TPO or those disclosures pursuant to a
patient authorization.
Marketing
A covered entity must obtain written authorization for any use
or disclosure of PHI for marketing purposes, and the new rule clarifies
the types of communications that are considered marketing and those
that are not considered marketing. Marketing is defined as a communication
about a product or service that encourages recipients of the communication
to purchase or use the product or service. There are exceptions
to this broad definition including communications for treatment
of the individual, for case management or care coordination, or
to describe the benefits available to a health plan enrollee.
Unemancipated Minors
The final modifications clarify that state law, or other applicable
law (including case law), governs disclosures of, and access to,
an unemancipated minor’s PHI by a parent, guardian or other
person acting in loco parentis. If a specific provision of state
law requires or permits such a disclosure, the covered entity may
disclose the minor’s PHI to the parent. Conversely, if state
or other applicable law prohibits such a disclosure, the covered
entity would not be permitted to make the disclosure. Additionally,
the modifications clarify that state or other applicable law governs
parental access to an unemancipated minor’s health information.
If there is no explicit law governing access to a minor’s
health records, the covered entity may provide or deny access based
on the discretion of a licensed health care professional if such
discretion is permitted by state or other law.
Research
Another significant change in the Privacy Rule is the modification
of several provisions governing research. These changes make the
research provisions more consistent with the “Common Rule”
governing federally funded research, including the requirements
related to an IRB or Privacy Board waiver of authorization. A researcher
is now permitted to use a single combined form to obtain informed
consent for the research and authorization for uses and disclosures
of PHI in connection with the research.
Limited Data Set
The creation and dissemination of a limited data set (one that
does not include directly identifiable information) for research,
public health, and health care operations is permitted. The recipient
of the limited data set must agree, in a written data use agreement,
that it will use the data set only for the purposes for which it
was given, that it will ensure the security of the data, and that it will
not re-identify the information or use it to contact any individual.
Hybrid Entities
Any covered entity that performs both covered and non-covered functions
can elect to be a hybrid entity regardless of whether the covered
functions represent the entity’s primary function, a substantial
function or even a small portion of the entity’s activities.
To be considered a hybrid entity, the covered entity must designate
its health care components. If a covered entity does not designate
any health care components, the entire entity would be considered
a covered entity and subject to the Privacy Rule. The final modifications
provide the entity additional discretion in designating its health
care components.
Employers
The final modifications make clear that employment records maintained
by a covered entity in its capacity as an employer are not PHI.
Employers that have a self-insured employee welfare benefit plan
should also determine whether or not they are subject to the requirements
of the Privacy Rule as a health plan. Small health plans (annual
receipts of $5 million or less) have until April 14, 2004 to comply.
Conclusion
This is a general overview of the final changes to the HIPAA Privacy
Rule. The Rule itself is quite complex. For more detailed information
regarding the impact or implementation of the Privacy Rule on your
current practices, please contact the firm.