HIPAAdvisory, Phoenix Health Systems

HIPAA/LAW: Legal Q/A
August 2002


"Understanding the New Privacy Rule Modifications"

by Steve Fox, Esq., & Rachel Wilson, Esq., Pepper Hamilton LLP

On August 14th, the Department of Health and Human Services (HHS) released modifications to the HIPAA privacy rule (the "Privacy Rule") in their final form. Although the modifications represent significant changes to the Privacy Rule, they do not vary significantly from the modifications first proposed by HHS in March. Following is a brief summary of certain key subject areas affected by the modifications to the Privacy Rule.


Required Permissions

Consent -- Under the final modifications, direct treatment providers are no longer required to obtain consent prior to the use or disclosure of protected health information (PHI). The decision on whether or not to obtain consent, and the form of that consent (if any), will now be entirely optional and left to providers' discretion, except to the extent required by state law.

Notice of Privacy Practices -- In lieu of consent, direct providers are obligated to make a good faith attempt to obtain an individual's written acknowledgement of receipt of the Notice of Privacy Practices (NPP). The NPP must be provided on or before the first delivery of service, except in emergency treatment situations. This requirement is applicable regardless of the form of service delivery, although the modifications do take practical considerations into account. For example, if a provider's first encounter with a patient is via telephone, the NPP requirement is satisfied if the provider mails the NPP to that individual the day following the conversation. Even if the individual fails to return the acknowledgement to the provider, the provider will be deemed to have made the required "good faith" attempt to obtain the written acknowledgement.

In response to concerns that the required NPP was too lengthy, the preamble to the final modifications recommends use of a "layered notice." This layered notice consists of a short cover page, containing a summary of the NPP, followed by the lengthier and more detailed NPP.

Authorizations -- Although the modifications make consent optional for purposes of treatment, payment, and health care operations (TPO), the Privacy Rule still requires patient authorization for non-TPO uses of PHI.

The modified rule simplifies the authorization requirements by mandating the use of one standard authorization format as opposed to the three different context-specific formats set forth under the Privacy Rule in its original form. The core elements of an authorization have been condensed to the following:

(a) a description of the information to be used or disclosed,
(b) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information,
(c) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure,
(d) a description of each purpose of the use or disclosure,
(e) an expiration date or event,
(f) the individual's signature and date, and
(g) if signed by a personal representative, a description of his or her authority to act for the individual.


Disclosures to Other Entities for Payment & Operations

As originally written, the Privacy Rule required an authorization prior to disclosing PHI for the payment or health care operations of another entity. Many commenters expressed concern that such a restriction would interfere with the ability of covered entities to obtain reimbursement for health care, participate in quality assurance and accreditation programs, and to monitor fraud and abuse. In response to these concerns, the Privacy Rule has been modified to allow covered entities to share PHI for treatment purposes, without obtaining an authorization from the patient.

The modified rule further permits covered entities to disclose PHI to both covered and non-covered health care providers for payment purposes. However, similar disclosures would only be permitted to covered health plans.

The modified rule also allows covered entities to disclose PHI in support of the health care operations of another entity. Such disclosure is only permissible where:

(a) both the disclosing and receiving entities have a relationship with the patient about whom information is being exchanged; and
(b) the PHI that is requested pertains to the recipient's relationship with the patient.

Assuming these requirements are met, a covered entity may generally disclose PHI in support of the health care operations of the covered entity receiving such information.


Business Associate Requirements

Changes to the business associate requirements are designed to ease some of the administrative and financial burdens associated with re-negotiating existing agreements. The modifications add a new transition period to the Privacy Rule that effectively extends the deadline for complying with the business associate contract requirements. Under the modified rule, certain existing vendor contracts would be deemed to comply with the requirements for business associate contracts for up to one additional year beyond the Privacy Rule's April 14, 2003 compliance date (the "Compliance Date").

Under the modified rule, covered entities may take advantage of the transition period with respect to those of their vendor contracts which:

(a) are in existence prior to the effective date of the modified rule, and
(b) do not expire or are not modified or amended prior to the Compliance Date.

This includes contracts that renew automatically, known as "evergreen contracts." Any contracts that meet these criteria are deemed to comply with HIPAA until such time as the contract is renewed or modified (after the Compliance Date) or April 14, 2004, whichever occurs first. The transition period does not apply to oral contracts or to small health plans, which already have until April 14, 2004 to comply.


Limited Data Sets

Numerous commenters voiced concerns that the de-identification standard under the unmodified Privacy Rule would curtail important research, health care operations and public health activities. In particular, researchers raised concerns that the impracticality of using de-identified data would significantly increase the workload of institutional review boards, because waivers of authorization would need to be sought more frequently for research studies even though no direct identifiers were needed for the studies. In response, the modified Privacy Rule permits the use and disclosure of "limited data sets" of PHI for the purpose of research, public health, or health care operations.

These limited data sets do not include direct identifiers such as name, street address, telephone, and social security number and may only be used or disclosed subject to the terms of a data use agreement. The data use agreement must establish the permitted uses and disclosures of the data set consistent with the purpose of the disclosure. The agreement must also require the recipient of the limited data set to:

(a) use the PHI contained in the set only as permitted under the Privacy Rule,
(b) limit who can use or receive the data,
(c) agree not to re-identify the data or contact the individual subjects of such data, and
(d) use appropriate safeguards to prevent use or disclosure of the limited data set other than as permitted by the data use agreement and the Privacy Rule, or as required by law.


Marketing

Subject to certain disclosure and opt-out requirements, the Privacy Rule, in its unmodified form, permitted covered entities to use PHI for marketing purposes without first obtaining an authorization. The modifications to the Privacy Rule limit the circumstances in which covered entities may use PHI for marketing purposes without prior authorization for such use or disclosure. The limitation is intended to provide individuals with more control over whether they receive marketing communications and better privacy protection for such use and disclosure of their PHI.

The modifications require patient authorization prior to using PHI for almost any marketing-related purpose. However, certain types of communications are excluded from the definition of "marketing" and are therefore not subject to the authorization requirement. Under the modified Privacy Rule, covered entities do not engage in marketing activities when communicating with individuals about:

(a) the participating providers and health plans in a network;
(b) the individual's treatment; or
(c) case management or care coordination for the individual, including recommendations for alternative treatments, therapies, health care providers, or care settings.

Face-to-face communications are similarly excluded from the definition of marketing, and are permitted without prior authorization.

HHS received numerous comments about the need for providers and plans to be able to communicate freely with patients and enrollees about the products, services, and benefits they offer. In response to those comments, the modified Privacy Rule further allows covered entities to convey information to beneficiaries and members about health insurance products offered by the covered entity that could enhance or substitute for existing health plan coverage. This would include communications describing a health-related product or service that is provided by, or included in the plan benefits of, covered providers or plans. Under this exemption, health plans do not engage in marketing when advising enrollees about other available health plan coverage that could enhance or substitute for existing health plan coverage. HHS offers the example of a child about to age out of coverage under a family's policy. In such an event, a health plan would be permitted to send the family information about continuation of coverage for the child without first obtaining authorization to use PHI for such purposes. However, the plan would not be permitted to send information about a life insurance product offered by an affiliate without an authorization.

Finally, HHS has added new language to the definition of "marketing" to close a loophole that would have allowed covered entities to sell PHI to a third-party for the purpose of marketing the third-party's products or services. In its unmodified form, the Privacy Rule would have permitted business associates of covered entities to pay providers for a list of patients with a particular condition and then use that list to market their own drug and other products directly to those patients. This could have been accomplished by providing PHI to business associates under the guise of recommending an alternative treatment or therapy to an individual. Therefore, the modified Privacy Rule includes language making it clear that business associate transactions of that nature constitute marketing and are only permissible if the covered entity has obtained the proper authorization.

Next month we will conclude this analysis by examining the impact of the final modifications on the minimum necessary rule, incidental disclosures, research, hybrid entities, unemancipated minors, and the treatment of employment records under the Privacy Rule.



Steve Fox, Esq., is a partner at the Washington, DC office of Pepper Hamilton LLP. This article was co-authored by Rachel H. Wilson, Esq., of Pepper Hamilton LLP. www.pepperlaw.com

Disclaimer: This information is general in nature and should not be relied upon as legal advice.
