HHS Provides Further Modifications to HIPAA Privacy Rules as Deadlines Approach

by Michael J. Schoppmann, Esq.

On August 14, 2002, the Department of Health and Human Services (“HHS”) published final modifications to the HIPAA Privacy Rules in the federal government’s ongoing attempt to “ensure that the (Privacy) Rules provides strong privacy protection without hindering access to quality health care.”

By way of brief background, the Standards for Privacy of Individually Identifiable Health Information (Privacy Rules) took effect on April 14, 2001. The Privacy Rules are an attempt to create national standards to protect individuals’ personal health information and give patients increased access to their medical records. As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rules cover health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (“Covered Entities” or “CE’s”). Most Covered Entities must comply with the Privacy Rules by April 14, 2003, though small health plans have until April 14, 2004 to comply.

These “final modifications” address a number of new concepts put forward by HHS while also making significant changes to existing rules.

Marketing—The final version of the Privacy Rules requires a CE to obtain an individual’s prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value. HHS has now defined marketing to distinguish between the types of communications that are and are not marketing, and to make it clear that a CE is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual’s authorization. The Rules clarify that communications by doctors and other covered entities with patients about treatment options or the covered entity’s own health-related products and services are not considered marketing.

Consent and Notice—HHS has also made changes to strengthen the notice requirement and now makes consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional. The Rules require CE’s to provide patients with notice of the patient’s privacy rights and the privacy practices of the covered entity. The strengthened notice requires direct treatment providers to make a good faith effort to obtain the patient’s written acknowledgement of the CE’s notice of privacy rights.

Uses and Disclosures Regarding Food and Drug Administration (FDA)-Regulated Products and Activities—The final Privacy Rules permit covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products.

Incidental Use and Disclosure—The final Rules acknowledge that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rules provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurses’ stations without fear of violating the rule if overheard by a passerby.

Authorization—The final Rules clarify the authorization requirements of the Privacy Rules to, among other things, eliminate separate authorization requirements for covered entities. Patients will have to grant permission in advance for each type of non-routine use or disclosure, but providers will not have to use different types of forms.

Minimum Necessary—The final Rules exempt from the “minimum necessary standards” any uses or disclosures for which the covered entity has received an authorization. The Rules previously exempted only certain types of authorizations from the minimum necessary requirement, but since the final rules will only have one type of authorization, the exemption is now applied to all authorizations. Minimum necessary requirements are still in effect to ensure an individual’s privacy for most other uses and disclosures, including those necessary for workers’ compensation programs.

Parents and Minors—The final Rules clarify that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rules provide parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent, the final Rules clarify that state law governs. In addition, the final Rules clarify that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents’ ability to access the child’s health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.

Business Associates—The final Rules give CE’s (except small health plans) up to an additional year to change existing written contracts to come into compliance with the business associate requirements. The additional time will ease the burden of CE’s renegotiating contracts all at once. HHS has also provided sample business associate contract provisions.

Research—The final Privacy Rules now allow researchers to use a single combined form to obtain informed consent for the research and authorization to use or disclose protected health information for such research.

Limited Data Set—The final Rules permit the creation and dissemination of a “limited data set” (that does not include directly identifiable information) for research, public health, and health care operations. In addition, to further protect privacy, the final Rules condition disclosure of the limited data set on a covered entity and the recipient entering into a “data use agreement.”

Other new provisions addressed in the final Privacy Rules pertain to Hybrid Entities, Health Care Operations and Changes in Legal Ownership of a Health Care Operation, Group Health Plan Disclosures of Enrollment and Dis-enrollment Information, the Accounting of Disclosures, Disclosure for Treatment, Payment, or Health Care Operations of Another Entity and an Exclusion for Employment Records. The final Rules also include technical corrections and additional clarifications related to various sections of the existing rules.

As it had done on July 6, 2001, HHS will also be issuing a revised “guidance” outline to answer common questions and clarify certain provisions of the final Privacy Rules. The revised guidance will be available on the HHS Office for Civil Rights Privacy web site.