• HIPAA's New Rules
  • May 5, 2003 | Author: Elizabeth R. G. Spohn
  • Law Firm: Fredrikson & Byron, P.A. - Minneapolis Office
  • On August 14, 2002, the government published new final regulations for HIPAA's privacy rules. This article summarizes the most important changes to and key features of the previous rule.

    Consent/Acknowledgement: Perhaps the most significant change in the final Privacy Rule is the elimination of the consent requirement. Under the original Privacy Rule, health care providers would have been required to get a patient's written consent prior to treating the patient or using the patient's protected health information ("PHI") for purposes of payment or health care operations. The final Privacy Rule dramatically simplifies this requirement. Instead of obtaining a patient's written consent to use information for treatment, payment or health care operations, providers will now be required to provide the patient with a Notice of Privacy Practices and make a good faith effort to obtain a patient's written acknowledgement that the patient has received the Notice. The Notice must be provided to the patient at the first non-emergency "service delivery" by the provider (even if this service is delivered electronically). The elimination of the consent requirement means that providers may use patients' protected health information to schedule appointments and discuss treatment options with a patient or with other providers prior to seeing the patient. Should they choose to do so (especially where required by state law), providers may still obtain patients' consent, and providers have complete flexibility in the development of these forms. Providers also have complete discretion in developing the form of the patients' written acknowledgement of the receipt of the Notice (e.g., an electronic acknowledgment; a patient's signature or initials on a cover sheet accompanying the Notice).

    Authorization: As in the original Privacy Rule, under the final modifications, providers are required to obtain a patient's written authorization before using the patient's protected health information for purposes other than those specifically permitted without an authorization. For example, no authorization is required to share patient information with another provider for treatment purposes; this use of PHI is expressly permitted under the Privacy Rule. Providers will need to obtain patient authorization to use information for other reasons, including: marketing (although the definition of "marketing" has many exceptions, as noted below), for research, unless an IRB or privacy board waives the authorization requirement; and to use or disclose patient information to third parties, unless the use or disclosure is otherwise permitted by the Privacy Rule (for example, a provider would need a patient's authorization to disclose the results of a drug test or fitness-for-duty examination to the patient's employer). Authorizations must be in writing, signed by the patient, and contain several specific elements and statements.

    Notice of Privacy Practices: The final HIPAA rule continues to require that providers both develop a Notice of Privacy Practices and distribute the Notice to all patients on the date of first service delivery by the provider to the patient after the HIPAA compliance date (April 14, 2003). Providers must also make the Notice available to anyone upon request and must post the Notice at the provider's physical service delivery site, if applicable. If the provider has a website, the Notice must be available on the website. The Notice is designed to inform patients about how the provider will use or disclose their protected health information as well as about patients' rights with regard to protected health information. For example, the Notice should inform patients if the provider will contact them for appointment reminders or other communications by mail, email, fax or telephone. Because the Notice must contain a great deal of information (including descriptions and examples of the types of uses and disclosures of patient protected health information the provider will make), the final Rule permits providers to create a "layered" Notice - the top page of the Notice would provide a concise summary of patient rights and the provider's privacy practices, while the remaining pages would contain a more detailed explanation, along with all of the other required elements.

    Administrative Requirements: Under the final Privacy Rule, patients have the right to inspect and copy their medical records, request an amendment to information contained in their records, and request that the provider account for certain disclosures of their protected health information. Patients' rights to access and amend their protected information were largely unchanged by the final rule. Providers may deny patients access to their records if such access might be harmful to the patient, or they may provide a summary of information contained in the record if the patient agrees. If the provider disagrees with a requested amendment to a patient's medical record proposed by a patient, the provider can deny the amendment (although the patient's request for amendment must remain with the record). In addition, patients may request an accounting of certain disclosures made by the provider or its business associates. Most routine disclosures (such as those made for purposes of treatment, payment or health care operations) need not be included in the accounting. In addition, any disclosure made pursuant to a patient's authorization does not need to be included in the accounting. Incidental disclosures that occur in connection with a permitted use or disclosure (e.g., the discussion of a patient's treatment between providers using a reasonable tone of voice in a reasonable location for such a discussion, even if the discussion may have been overheard) also need not be included in the accounting. If a patient's information has been disclosed for research purposes and the patient did not authorize the disclosure (because the authorization requirement was waived by a privacy board or IRB), the disclosure must be accounted for, but the requirements are more limited.

    Marketing: The original Privacy Rule's definition of "marketing" created a great deal of confusion, and the amended Privacy Rule attempts to dispel that confusion by redefining "marketing" as a "communication about a product or service that on its face encourages the recipient to purchase or use the product or service." The amended Privacy Rule specifically excludes the following communications from the definition of "marketing": (i) communications made to describe a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication; (ii) communications made for treatment of the individual; and (iii) communications made for case management and care coordination of the individual, or to direct or recommend alternative treatment, therapies, health care providers, or settings of care to the individual. Although covered entities generally need to obtain an individual's authorization for marketing, they do not need to do so for face-to-face communications by a covered entity to an individual and/or promotional gifts of nominal value provided by the covered entity.

    Treatment, Payment and Health Care Operations: The December 2000 Privacy Rule allowed covered entities to use and disclose protected health information for its own treatment, payment, and health care operations, but generally limited a covered entity's use and disclosure of information to those necessary for the provider's own payment activities and health care operations. Uses and disclosures for another covered entity's payment activities or health care operations required a patient's signed authorization. The amended Privacy Rule provides covered entities with substantially more freedom to exchange PHI for treatment, payment, and health care operations. More specifically, the amended Privacy Rule allows the following without specific consent or authorization: (i) uses and disclosures for a covered entity's own treatment, payment, and health care operations; (ii) uses and disclosures for the treatment activities of any health care provider; (iii) disclosures to another covered entity for the payment activities of the other covered entity; and (iv) disclosures to another covered entity for certain health care operations of the recipient of the information, to the extent that both entities have or have had a relationship to the patient.

    Business Associates: The Privacy Rule permits covered entities to disclose PHI to a business associate, provided that the covered entity obtains satisfactory assurances through a written agreement (a Business Associate Agreement) that the business associate will appropriately safeguard the information. The original Privacy Rule required covered entities to enter into these agreements on or before April 14, 2003. The amended Privacy Rule provides covered entities with up to an additional year to achieve compliance with this requirement, at least for some of its business associate arrangements. This new grace period applies to written agreements between a covered entity and a business associate that (i) are in effect prior to October 15, 2002 and (ii) are not renewed or modified between October 15, 2002 and April 14, 2003. With respect to qualifying business associate arrangements, covered entities will have until the earlier of (i) the date the contract is renewed or modified after April 14, 2003, or (ii) April 14, 2004 to achieve compliance with this requirement.