Applies to all health care providers
Posted October 4, 2002
For more information contact Jerri Lynn Ward.
On August 14, 2002 , the Department of Health and Human Services provided changes to the Privacy Rule intended to clarify any uncertainties in the original rule and remove any potentially burdensome requirements. The main changes relate to the consent requirements, business associate requirements, limited data sets, and marketing requirements.
Changes to Consent Requirements
Under the final Privacy Rule, direct treatment providers are no longer required to obtain consent prior to the use or disclosure of protected health information (PHI). Instead, direct providers must make a good faith attempt to obtain an individual’s written acknowledgement of receipt of the Notice of Privacy Practices (NPP).
The Privacy Rule still requires patient authorization for non treatment, payment or operational uses of PHI, but the modified rule approves the use of one standard authorization format.
Business Associate Requirements
The modifications to the Privacy Rule with regard to Business Associate Agreements enact a new transition period to the Privacy Rule that extends the deadline for complying with the business associate contract requirements. Under the modified rule, certain existing vendor contracts will be given up to an additional year beyond the Privacy Rule’s April 14, 2003 compliance date to comply with the requirements for business associate contracts. This change also effects contracts that renew automatically, known as “evergreen contracts.” Evergreen contracts will be considered compliant with HIPAA until such time as the contract is renewed or modified (after the Compliance Date) or April 14, 2004 , whichever occurs first. The extension does not apply to oral contract or to small health plans, which already have until April 14, 2004 to comply.
Limited Data Sets
The modified Privacy Rule allows for the use and disclosure of “limited data sets” of PHI for the purpose of research, public health, or health care operations. These limited data sets do not include direct identifiers such as name, street address, telephone, and social security number and may only be used or disclosed subject to the terms of a data use agreement. The data use agreement must specify the permitted uses and disclosures of the data set consistent with the purpose of the disclosure.
Marketing Requirements
The changes to the marketing requirements are intended to limit the circumstances under which covered entities may use PHI for marketing purposes without prior authorization for such disclosure. The end goal of the modifications is to provide individuals with more control over whether they receive marketing communications and better privacy protection for such use and disclosure of their PHI.
All information in this article is informational only and is not legal advice. Should you have any questions or a situation requiring advice, please contact an attorney.
Copyright 2004 by Garlo Ward, P.C., all rights reserved
Austin, Texas 78752-3714 USA
Telephone: 512-302-1103
Facsimilie: 512-302-3256
Email: Info@Garloward.com