- CMS Proposes Provider-Friendly Changes to HIPAA
- May 13, 2003
- Law Firm: Waller Lansden Dortch & Davis, PLLC - Nashville Office
On March 27, 2002, the Centers for Medicare and Medicaid Services, or CMS, published proposed changes to the privacy regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA. CMS will accept public commentary on the proposed changes for 30 days, after which a final version of the Privacy Rule will become effective. Although no effective date has been proposed, it is anticipated that the final rule will become effective in June 2002.
Except for limited extensions to some of the business associate requirements, discussed below, covered entities are still required to comply with the Privacy Rule by no later than April 14, 2003 or be subject to civil and criminal penalties. Significant proposed changes to the Privacy Rule are summarized below.
Consent Requirement Dropped
In an important departure from the previous version of the Privacy Rule, the proposed modifications make optional the requirement that covered entities obtain a consent for the disclosure of a patient's health care information for treatment, payment and healthcare operations. Many covered entities had been frustrated by the consent requirement, as they sought to determine how to obtain the required consents in a manner that would not impede patient treatment.
Providers feared that the need to obtain a consent might delay the provision of care or services to a patient. For instance, a pharmacist might have to delay filling a prescription until the pharmacist had a face-to-face meeting with a patient, or until the pharmacist could locate a consent executed at another branch of a large chain organization, perhaps in another state. Likewise, specialists could not use patient information provided by a referring physician to schedule patient appointments or tests until they obtained the patient's written consent. The elimination of the consent requirement frees providers to treat patients, and assist other covered entities in their efforts to treat patients, without delays caused by having to obtain consent first.
If a covered entity chooses voluntarily to obtain a consent to disclose patient information for treatment, payment, and healthcare operations, the entity will have "complete discretion" in the design and procedure for obtaining such a consent, according to the commentary to the proposed changes. Covered entities may adopt practices that are in line with their current operating procedures on obtaining consent to treatment, ultimately resulting in very minimal changes to an entity's current policies and procedures regarding consent. However, providers may not use the new voluntary consent to circumvent the requirement that a covered entity obtain an authorization for disclosures for which an authorization is otherwise required.
In addition to deleting the consent requirement, the proposed regulations will allow providers to share information with other providers for the purposes of treatment, payment, and (in limited circumstances) healthcare operations without entering into a business associate agreement with each other or obtaining an authorization from the patient.
Notice Requirement Strengthened
Every action has an opposite reaction, however, and the proposed modifications include changes to the notice requirement that attempt to ensure that patient privacy will not be compromised by eliminating the consent requirement. As before, a notice of patient rights must be provided to every patient by the time of the patient's first service delivery. In addition, the proposed modifications now require providers with direct treatment relationships with a patient (those who previously would have been required to obtain a consent) to make a good faith attempt to obtain the patient's signature acknowledging receipt of the notice. Health plans and other covered entities may obtain such an acknowledgment if they choose.
It might appear that the acknowledgment requirement erases the benefits of retracting the consent requirement. However, that is not the case. Even if the patient cannot sign due to an emergency, or the provider is unable to obtain an acknowledgment because the patient refuses to sign it, the provider may still use and disclose that patient's information for treatment, payment, and healthcare operations, as long as the provider documents its good faith efforts to obtain a signed acknowledgment and the reasons why such acknowledgment could not be obtained.
In addition, a provider may choose how to administer the notice acknowledgment. Obtaining the patient's signature on the notice itself, although preferable, is not required; the patient could, for example, sign a list indicating that he received a notice if that would ease the administrative burden on a particular provider. If initial patient contact is electronic, such as when a patient sends a request for a prescription to a pharmacy over the internet, the acknowledgment may be documented electronically, eliminating the need for face-to-face contact with a patient prior to the provision of services.
The requirement for obtaining a signed acknowledgment or, in the alternative, documenting the provider's good faith attempts to obtain an acknowledgment, will create some additional burdens for providers. On the whole, however, the changes to the consent and notice requirements represent a compromise between the effective delivery of patient care and concern for information privacy.
Limited Extensions for Some Business Associate Contracts
Another significant proposed change to the Privacy Rule involves the time period within which contracts with business associates must be amended to include HIPAA-compliant terms. Although initially referred to by some as a "one-year extension for business associate contracts," this characterization of the proposed changes is misleading.
For new contracts with business associates, there will be no compliance extension. All agreements entered into between the effective date of the proposed changes (expected to be in June 2002) and April 14, 2003 will have to be HIPAA-compliant by April 14, 2003, the compliance date for the remainder of the Privacy Rule for most covered entities. All new contracts executed after April 14, 2003 must include appropriate HIPAA provisions when they are executed.
The "extension" period would be granted only for those agreements that are already in existence when the proposed rule changes become effective. Moreover, even these grandfathered agreements may not be subject to a full year extension: if they come up for renewal or any other modification prior to April 14, 2004, they must be updated at the time of that renewal or modification to include HIPAA-compliant provisions. For purposes of the proposed changes to the Privacy Rule, "renewal" does not include "evergreen" agreements that automatically renew without action by the parties. The chart on the next page shows the dates by which business associate agreements must include HIPAA-compliant language.
No matter when a particular business associate contract must include HIPAA-compliant terms, a covered entity will still be responsible for making protected health information held by a business associate available both to CMS and to a patient exercising his right to inspect, amend, or obtain an accounting of disclosures at any time after April 14, 2003. If it is necessary to amend an agreement with a business associate in order to accomplish this, then for all practical purposes no compliance extension will be available for that contract.
The business associate "extension" is meant to ensure that covered entities will not be forced to re-open and re-negotiate all business associate contracts simultaneously solely for the purpose of achieving HIPAA compliance. Easing the burden of obtaining these contract amendments by allowing a covered entity to make them on a more gradual and naturally-occurring schedule, however, does not change the fact that covered entities should be prepared now to include HIPAA-compliant language in many business associate contracts, including those currently being negotiated. Given that many contracts are for a term of one year, appropriate HIPAA terms should become an integral part of all new, renewed, and modified business associate contracts no later than April 15, 2002 in order to ensure that full compliance is achieved by April 14, 2003.
In its discussion of the proposed modifications, CMS included sample provisions that may, at the option of the covered entity, be included in business associate contracts. As CMS points out, the sample provisions are not sufficient by themselves to create a binding contract under state laws, nor do they include indemnification provisions or other terms necessary to fully protect the covered entity.
No Reprieve from Compliance Deadline
The proposed modifications to the Privacy Rule do not free covered entities from the impending compliance deadlines, nor do they alter the large number of requirements that make it necessary to closely scrutinize a health care provider's existing policies and procedures to ensure that the provider can adequately protect and respond to patients' new rights and secure authorizations for many types of disclosures. If anything, the proposed changes solidify the fact that most covered entities now have only one year (until April 14, 2003) to achieve full compliance with all requirements except the minimal business associate changes discussed above. For many covered entities that had been hoping for a delay in the privacy rules, or for a "workplan"-type extension similar to that adopted for the transaction portion of the rule, this compliance deadline is approaching much more quickly than they had anticipated.
In addition to the changes discussed above, the proposed modifications to the Privacy Rule include changes to provisions affecting disclosures concerning minors, the "minimum necessary" requirement, disclosures for purposes of marketing and research, and several other provisions. Most of the additional proposed changes simply clarify areas of confusion in interpreting the Privacy Rule. However, covered entities should contact their HIPAA advisors to determine how each of the proposed changes impacts their current compliance plans.