
HIPAA/LAW: Legal Q/A
September 2002


"Final Modifications to the Privacy Rule"

by Steve Fox, Esq., & Rachel Wilson, Esq., Pepper Hamilton LLP

On August 14th, the Department of Health and Human Services ("HHS") released modifications to the HIPAA privacy rule (the "Privacy Rule") in their final form. Although the modifications represent significant changes to the Privacy Rule, they do not vary significantly from the modifications first proposed by HHS in March. Following is a continuation of last month’s article in which we provided a brief summary of certain key subject areas affected by the modifications to the Privacy Rule.


Minimum Necessary Rule & Incidental Disclosures

Minimum Necessary Rule -- In general, the modifications to the minimum necessary rule clarify that the requirement is not an absolute, strict standard to be used in lieu of professional judgment. Covered entities can implement policies and procedures based upon their own assessment of what is reasonably necessary to be disclosed for any particular purpose.

Incidental Disclosures -- When the original privacy rule was published, many providers worried that the restrictions on the use and disclosure of protected health information ("PHI") prohibited certain common communications and practices. For example, some feared that providers would not be able to have confidential conversations with patients if there was any possibility that they could be overheard. Many argued that the strict standards in the privacy rule did not make allowances for certain activities and communications that are essential to treatment.

HHS says it did not intend for the privacy rule to impede customary and necessary health care communications or practices. While covered entities are prohibited from using or disclosing PHI except in accordance with the privacy rule, incidental disclosures are not generally violations, assuming that reasonable safeguards are in place to minimize such disclosures. Accordingly, the modified rule explicitly permits certain incidental uses and disclosures. Incidental uses and disclosures are defined as secondary uses or disclosures that cannot be reasonably prevented, are limited in nature, and occur as a by-product of an otherwise permissible use or disclosure. Examples of incidental disclosures are when a patient or other person happens to see individually identifiable health information of other patients on sign-in sheets in waiting rooms, patient charts at bedside, X-ray lightboards or empty prescription vials. Incidental uses and disclosures are permissible only to the extent that reasonable safeguards have been used and, where applicable, the minimum necessary standard has been implemented. The concept is that covered entities are required to protect PHI with a minimum standard of care. So long as that standard of care (defined by the use and disclosure requirements under the privacy rule) is maintained, covered entities will be in compliance even in the event of an incidental use or disclosure of PHI.


Hybrid Entities

The modifications related to hybrid entities are intended to provide covered entities with the flexibility to apply the Privacy Rule in the manner best suited to their structural organization. Prior to modification, hybrid entities were defined as only those entities whose primary activities are not covered under the rule, for example, corporations that are not in the health care industry but that operate on-site health clinics. Hybrid entities had the right to designate those components of the entity that engage in covered functions (referred to as "health care components") and were therefore subject to regulation under HIPAA. This right permitted hybrid entities to limit their HIPAA compliance to only those components that engage in covered activities. In the absence of such a right, the entire entity, covered and non-covered functions alike, would be covered under HIPAA.

Commenters expressed concern about how to determine whether their non-covered functions were in fact their primary activities, thereby allowing them to designate themselves as hybrid entities. Under the final modifications, it does not matter whether a covered entity’s non-covered functions are its primary activity or a small part of its operations. If an entity that performs covered and non-covered functions designates health care components, then it is deemed to be a hybrid entity. Any component of a hybrid entity that would be covered under the Privacy Rule if it were a separate legal entity, must be designated as a health care component.


Treatment of Employment Records

The modifications clarify that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of PHI. In the commentary preceding the modifications, HHS offers the example of the medical record of a hospital employee who is receiving treatment at the hospital. That medical record is PHI and is covered by the Privacy Rule, just as the medical record of any other patient in the hospital. However, if the employee authorizes the disclosure of part of that record to the hospital-employer in order to substantiate sick leave, the disclosed medical information then becomes part of that individual’s employment record and as such, is no longer considered to be PHI.


Unemancipated Minors

The final modifications do not change the Privacy Rule’s basic approach of deferring to State law on questions of disclosures of information to parents of minor patients. Rather, they merely clarify that providers should follow State law (including statutes, regulations, and case law), not only where State law definitively requires or prohibits parental disclosure or access, but also where State law grants providers discretion in certain circumstances regarding whether to disclose information. If state law permits minors to obtain health care without parental consent, then it is the minor who may exercise the privacy rights granted individuals under the Privacy Rule.


Research

The modified rule significantly simplifies the requirements for research authorizations and the criteria for waivers of authorizations. Specifically, the modified rule eliminates the requirement that authorizations for research involving treatment of patients contain provisions beyond those required for authorizations for other uses and disclosures. Additionally, less specificity is now required with respect to the expiration date for the uses and disclosures in connection with the research. "None" may be used as the expiration date in any research study, not just research involving the disclosure of PHI for the creation or maintenance of a research database or repository, as originally adopted.

Simplifying the waiver criteria to be considered by an IRB or Privacy Board, the modified rule eliminated some criteria and consolidated others. In approving a request for a waiver of authorization for research, an IRB or Privacy Board must now consider whether:

(a) the use or disclosure of PHI involves no more than minimal risk to the privacy of the individual;
(b) the research could not practicably be conducted without the waiver or alteration; and
(c) the research could not practicably be conducted without access to the PHI.

Consolidating former stand-alone criteria, the modified rule folded the following criteria into the 'minimal privacy risk' analysis of the IRB or Privacy Board:

(a) the existence of an adequate plan to protect identifiers from improper use or disclosure;
(b) the existence of an adequate plan to destroy identifiers at the earliest opportunity; and
(c) the adequacy of written assurances against re-disclosure of PHI.

Much needed clarification of certain rules governing the use and disclosure of PHI in the research context was also provided under the modified rule. With respect to revocations of authorizations in research, the preamble to the modified rule indicates that covered entities may continue to use and disclose PHI collected prior to a revocation and pursuant to an authorization as necessary to maintain the integrity of the research study. Additionally, the modified rule clarifies that recruitment of individuals for research does not constitute marketing, so communications made by a covered entity to individuals to solicit their participation in the research study may be made without individual authorization or an IRB or Privacy Board waiver of authorization. Further, acknowledging the obstacles that the de-identification standard could impose upon certain research, the modified rule also clarifies that uses and disclosures of limited data sets for purposes of research are permitted so long as the covered entity enters into a data use agreement with the data recipient.

Finally, under the research transition provisions, covered entities may use or disclose PHI in specific research protocols after the April 14, 2003 compliance date in circumstances where the research protocols are based on an informed consent, IRB waiver or an authorization or other legal permission obtained from the research subject prior to the compliance date.


Security

We would be remiss if we did not include a few words about security and the ever-elusive Security regulations (HHS says they are almost ready for publication - really). In a response to a comment in the August 14 publication, HHS implicitly encouraged covered entities not to wait for the final Security Rule standards to begin implementing technical and physical safeguards. It noted that "there should be no potential for conflict" between the safeguards required by the Privacy Rule and those which will be mandated by the final Security Rule standards, even though they have not yet been issued. The comment also points out a distinction between the Privacy Rule and the Security Rule, which some commentators may have overlooked - the latter rule only applies to electronic health information systems that maintain or transmit individually identifiable health information. Therefore, safeguards undertaken in accordance with the Privacy Rule for PHI in oral, written or other non-electronic forms will be unaffected by the Security Rule’s requirements.

Moreover, it is important to remember that the requirement for security is already in effect – it was imposed by the original HIPAA statute in 1996. Specifically, 42 U.S.C. § 1320d-2(d)(2) requires all covered entities that maintain or transmit health information to "maintain reasonable and appropriate administrative, technical, and physical safeguards" to ensure the integrity and confidentiality of the information; protect against reasonably anticipated threats and unauthorized uses or disclosures, and otherwise ensure compliance. In addition, § 164.530 (c)(1) of the Privacy Rule contains its own security requirements: "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."

The bottom line: Do not defer actions on security protections simply because the final Security Rule has not yet been published.


Conclusion

While the modified Privacy Rule eases some of the more worrisome burdens imposed by the original privacy rule, it still significantly restricts the use and disclosure of PHI. Covered entities must take the rule seriously and continue preparing to comply by the April 14, 2003 deadline (with certain transition exceptions for existing business associate contracts).



Steve Fox, Esq., is a partner at the Washington, DC office of Pepper Hamilton LLP. This article was co-authored by Rachel H. Wilson, Esq., of Pepper Hamilton LLP. www.pepperlaw.com

Disclaimer: This information is general in nature and should not be relied upon as legal advice.
