Posted June 4, 2002
Please contact Jerri Lynn Ward for more information.
The Department of Health and Human Services (“HHS”) has proposed changes to the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) to address the importance of protecting the privacy of health information following the passage of the Health Insurance Portability Act of 1996 (“HIPAA”). The Standards were issued in proposed format in November of 1999, and became final on December 28, 2000, thereby creating the first nation-wide set of rules for protecting the privacy of health information.
After the publication of the Privacy Rule, HHS received many unsolicited comments from the public about the impact and operation of the rules on different sectors of the health care industry. Many expressed concern over the complex nature of the rules, while others questioned how the Privacy Rule would operate. In response, the Secretary requested comment on the Privacy Rule in March 2001, to be quickly reviewed before the Rule became effective on April 14, 2001. In addition, the Secretary asked the Department to begin the process of developing guidelines for how the Privacy Rule should be implemented and to clarify how the rules would impact health care activities. The Secretary also charged the Department with proposing changes to the Privacy Rule over the next year to clarify and correct potential problems.
In July of 2001, the Department issued its first guidance to answer common questions and clarify the provisions of the Privacy Rule. In March 2002, after collecting and reviewing another set of comments from the public, the Department published a Proposed Rule to modify several areas or provisions of the Privacy Rule, including consent, minimum necessary uses and disclosures, and business associates contracts.
History of the Consent Requirements and Proposed Modifications
Under the original Privacy Rule guidelines of 1999, the Department proposed to permit all covered entities to use and disclose protected health information to carry out treatment, payment, and health care operations without any requirement that the covered entities obtain an individual’s consent. The Department even proposed to prohibit covered entities from obtaining an individual’s consent for these purposes, relying instead on the principle of fair notice, coupled with regulatory limits on the use and disclosure of health information. A great deal of opposition from the public caused the Department to reconsider and establish the consent requirement in the Final Rule.
Following the establishment of consent requirements, the Department received comments from a variety of sources claiming that obtaining consent interferes with: 1) pharmacists filing prescriptions, 2) referrals to specialists and hospitals, 3) providing treatment over the phone, and 4) emergency medical providers. Some providers worried about being in the position of having to decide whether to withhold treatment if an individual refused to provide consent, or to proceed to use information to treat the individual in violation of the consent requirements. Many providers also informed the Department that they were not currently required to obtain consent, and that the transition provisions would result in significant operational problems and that the inability to access health records would have an adverse effect on quality activities.
After some consideration, the Department proposed in March of 2002 to make the obtaining of consent optional. Under this proposal, health care providers would no longer be required to obtain an individual’s consent prior to using or disclosing information about him or her for treatment, payment, and health care operations. Instead, covered entities could obtain consent if they choose, and HHS has proposed to strengthen the notice requirements to preserve the opportunity for individuals to discuss privacy practices and concerns with providers. It is believed that this proposal also offers greater flexibility of the consent process for those who do choose to obtain consent. Under the proposal, the Department recognizes that one consent process is unfeasible, and instead allows covered entities to design their own consent process and forms.
Although covered entities would not be required to obtain consent, any uses or disclosures of protected health information for treatment, payment, or health care operations would need to be consistent with the covered entity’s notice of privacy practices. Also, these changes do not alter the requirement to obtain an authorization under §164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule.
Proposed Modifications for Notice of Privacy Practices for Protected Health Information
The Privacy Rule requires most covered entities to provide individuals with adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights, and the covered entity’s responsibilities, with respect to protected health information.
To preserve some of the most important benefits of the consent requirement, the Department proposes to change the notice requirements so that a covered health care provider with a direct treatment relationship must make a good faith effort to obtain an individual’s written acknowledgment of receipt of the provider’s notice of privacy practices.
The Department hopes that the proposed changes are simple and do not impose a significant burden on either the covered health care provider or on the individual. The good faith requirement only applies to covered providers with direct treatment relationships, the same group of covered entities that would have been required to obtain consent under the Privacy Rule.
The Department also designed the timing of the proposed good faith acknowledgment requirement to limit the burden on covered entities by generally making it consistent with the timing for notice distribution. The Department has also not prescribed in detail the form the acknowledgment must take so as to allow for some flexibility. The Department requires only that the acknowledgment be in writing.
The proposed modification would require only a good faith effort of the provider to obtain the individual’s acknowledgment, and the Department understands that an individual may refuse to sign or otherwise fail to provide acknowledgment. In this case, if, despite a good faith effort no acknowledgment is obtained, treatment may be delivered in a timely and effective manner, with no violation of the Privacy Rule.
A good faith effort must be made on the first delivery of service, except in the case of emergency treatment. This applies to service that is provided in person or electronically.
Concern over Minimum Necessary Standards
The Department received a number of comments on the minimum necessary standards provision of the Privacy Rule during the March 2001 comment period. Many commenters worried that implementing the standards would be costly and burdensome, and questioned whether they would be required to redesign office space or implement expensive upgrades to computer systems. A number of health care providers expressed concern that minimum necessary restrictions on uses within the entity would jeopardize patient care and exacerbate medical errors by impeding access to information necessary for treatment purposes.
In their July 2001 guidance, the Department clarified that redesigns and upgrades were not specifically required by the minimum necessary standard, but that covered entities may need to make certain adjustments to their facilities. They emphasized that the minimum necessary standard is a reasonableness standard, with flexibility built in to allow covered entities professional judgment. They also explained that a covered entity is permitted to develop policies and procedures that allow for the appropriate individuals within the entity to have access to protected health information to provide timely and effective care.
The Department also proposes to expand the exception for authorizations to apply generally to any authorization executed pursuant to §164.508. The proposal would exempt from the minimum necessary standard any uses or disclosures for which the covered entity has received an authorization that meets the requirements of §164.508.
The Department defends the minimum necessary standards on the principle that, without it, covered entities may be tempted to disclose an entire medical record when only a few items of information are necessary. The Department also hopes that the standard will encourage covered entities to assess their privacy practices, give more attention to their patients’ privacy, and make other improvements that might not otherwise be made.
Changes to Business Associates Agreements
The Privacy Rule requires that covered entities have written contracts with business associates before disclosing protected health information. The Department received many comments on the possible administrative burden and cost to implement the business associate provisions. Many pointed out the problem of integrating or renegotiating existing contracts in the two-year compliance period. Also, commenters expressed concern over a perceived liability imposed by the Privacy Rule that would require the covered entity to monitor and be responsible for the actions of its business associates.
The Department made clear that covered entities must have contracts with business associates even if they are also a covered entity. It stressed that active monitoring of business associates is not required by covered entities, but that covered entities are required to attempt to cure violations or take steps to end the violation if they know of a breach in conduct. To solve the problem of existing contracts, the Department proposed in their March 2002 rules to allow covered entities, other than small health plans, to continue to operate under existing contracts with business associates for up to one year beyond the April 14, 2003 compliance date of the Privacy Rule. The proposal also includes model business associate contract provisions to ease the financial and time costs associated with implementing the requirements.
Click here for our HIPAA Business Associate Agreement Checklist in PDF format.
Click here to download Adobe Acrobat Reader, a free program that allows you to view PDF documents.
Incidental Uses and Disclosures
Many expressed concerns that the restrictions on uses and disclosures of information might prohibit covered entities from carrying out common and essential health care communications and practices. Commenters were concerned that the standards were absolute and strict, not allowing for the incidental or unintentional disclosure of health care information in the process of health care communications and practices. Specific comments included worries that the Privacy Rule standards would prohibit the use of sign-in sheets in waiting rooms or maintaining patient charts at bedside.
The Department responded to these concerns in its July guidance by clarifying that the Privacy Rule is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy the standards. The Department stated that as long as reasonable care is taken and proper safeguards are put in place to minimize the chance of incidental disclosure to others, the intent of the standards would be met.
In their March 2002 proposal for rule modification, the Department clarified that a doctor could discuss a patient’s treatment with other doctors and professionals involved in the patient’s care without fear of violating the rule if they are overheard. Covered entities must simply meet the minimum necessary standards and take reasonable safeguards to protect personal health information from incidental disclosures.
Proposed Changes to Authorization Requirements
The Privacy Rule provides for the individual’s voluntary authorization for uses and disclosure of his or her protected health information by prohibiting, with very limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. To ensure uniformity of authorization, the Privacy Rule sets out core elements that must be included in any authorization. These core elements are intended to provide individuals with the necessary information to make intelligent decisions about giving authorization.
The Department received many comments regarding the implementation of the authorization requirements, with many complaining that the provisions of this portion of the Privacy Rule are too complex and confusing. Others said that the sets of implementation specifications are not discrete, creating the potential for the implementation specifications for specific circumstances to conflict with the required core elements.
In response to the comments received, the Department proposes to consolidate the implementation specifications into a single set of criteria to simplify these provisions, prevent confusion, and eliminate the potential for conflicts between the authorization requirements. The Department proposes a set of seven core elements to be required of all authorizations and proposes to add new language to clarify that when the individual initiates the authorization for his or her own purposes, the purpose may be described as “at the request of the individual.”
The seven core elements to be included in all authorizations are as follows:
- A description of the information to be used or disclosed,
- The identification of the persons or class of persons authorized to make the use or disclosure of the protected health information,
- The identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure,
- A description of each purpose of the use or disclosure,
- An expiration date or event,
- The individual’s signature and date, and
- If signed by a personal representative, a description of his or her authority to act for the individual.
Authorizations would be required to contain several notifications:
- A statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right, or, to the extent this information is included in the covered entity’s notice, a reference to the notice,
- A statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization, and
- A statement about the potential for the protected health information to be subject to redisclosure by the recipient.
Proposed Modifications to Accounting of Disclosures
Under the Privacy Rule, covered entities are required to keep track of disclosures of protected health information, with a few exceptions which include disclosures made by the covered entity to carry out treatment, payment, or health care operations, as well as disclosures to individuals of protected health information about them.
The Department received comments raising concern that the high costs and administrative burdens associated with the accounting requirements would deter covered entities from disclosing protected health information. In response to this concern, the Department proposed to extend the exceptions to the standard to include disclosures made pursuant to an authorization as provided in §164.508. Covered entities would no longer be required to account for any disclosures authorized by the individual in accordance with §164.50.
All information in this article is informational only and is not legal advice. Should you have any questions or a situation requiring advice, please contact an attorney.
Copyright 2004 by Garlo Ward, P.C., all rights reserved
Austin, Texas 78752-3714 USA