HHS Proposes Changes To Privacy Rule That Protect Privacy, Access
To Care
March 21, 2002
HHS Secretary Tommy G. Thompson today proposed changes to HHS'
health privacy regulations to ensure strong privacy protections
while correcting unintended consequences that threatened patients'
access to quality health care.
"The President believes strongly in the need for federal protections
to ensure patient privacy, and the changes we are proposing today
will allow us to deliver strong protections for personal medical
information while improving access to care," Secretary Thompson
said.
The federal privacy regulations guarantee patients full access
to their medical records, give them more control over how their
personal information is used and disclosed, and provide a clear
avenue of recourse if their medical privacy is compromised.
Secretary Thompson said today's proposed revisions are needed to
fix problems with the previously published rule that otherwise could
make it more difficult for patients to get quality care quickly
and easily. The proposal also strengthens and clarifies the rule's
marketing restrictions.
"These are common-sense revisions that eliminate serious obstacles
to patients getting needed care and services quickly while continuing
to protect patients' privacy," Secretary Thompson said. "For
example, sick patients will not be forced to visit the pharmacy
themselves to pick up prescriptions -- and could send a family member
or friend instead. Doctors will be able to consult with nurses and
others involved in a patient's care to ensure that they get the
best care."
The proposal also would make other revisions to simplify the rule's
paperwork requirements while preserving the rule's strong privacy
protections. The changes reflect Secretary Thompson's commitment
to making regulatory requirements simpler and easier to implement
- without reducing their effectiveness.
Standards for Privacy of Individually Identifiable Health Information -- Proposed Rule Modification
Background
The Standards for Privacy of Individually Identifiable Health Information
(Privacy Rule/current rule) took effect on April 14, 2001. As required
by the Health Insurance Portability and Accountability Act (HIPAA),
the Privacy Rule covers health plans, health care clearinghouses,
and those health care providers who conduct certain financial and
administrative transactions electronically. Most covered entities
must comply with the Privacy Rule by April 14, 2003. Small health
plans have until April 14, 2004 to comply with the Rule. The Privacy
Rule creates national standards to protect individuals' personal
health information and gives patients increased access to their
medical records. The Bush Administration is committed to strong
patient privacy protections and continues to take steps to protect
personal health information while maintaining access to quality
health care. To ensure that the provisions of the final rule provide
strong privacy protection without hindering access to health care,
the Department of Health and Human Services is proposing modifications
to the Privacy Rule.
Proposed Modifications
Consent and Notice -- The proposal would promote access to
care by removing the consent requirements that would potentially
interfere with the efficient delivery of health care, while strengthening
requirements for providers to notify patients about their privacy
rights and practices. Specifically, the Department received comments
that the consent requirements in the current rule interfere with
pharmacists filling prescriptions, referrals to specialists and
hospitals, providing treatment over the telephone, and emergency
medical providers. Under the proposal, patients would be asked
to acknowledge receipt of the notice of privacy rights and practices.
This change would give patients the opportunity to consider a provider's
privacy policies before making health care decisions, while eliminating
barriers that could delay or block patients' access to care. This
change to consent only applies to uses and disclosures for treatment,
payment and health care operations (TPO) purposes. Patient authorizations
are still required to use and disclose information for non-TPO
purposes.
Minimum Necessary and Oral Communications -- The "minimum necessary"
provision is an essential element in the privacy protections for
individual health information. This provision requires covered entities
to make reasonable efforts to limit the use and disclosure of, and
request for, protected health information to the minimum necessary
to accomplish the intended purpose. The proposal would retain both
the oral communication and "minimum necessary" requirements,
but it would make clear that a doctor could discuss a patient's
treatment with other doctors and professionals involved in the patient's
care without fear of violating the rule if they are overheard. As
long as a covered entity met the minimum necessary standards and
took reasonable safeguards to protect personal health information,
incidental disclosures - such as another patient overhearing a fragment
of conversation - would not be an impermissible disclosure.
Business Associates -- The current rule requires covered entities
- health plans, health care providers and clearinghouses - to have
contracts with their business associates to ensure the business
associates protect the privacy of the information. The proposal
includes model business associate contract provisions, to make it
easier and less costly for covered entities to implement the requirements.
The changes also would give covered entities (except for small health
plans) up to an additional year to change existing contracts, easing
the burden of renegotiating contracts all at once.
Marketing -- Based on consumer concerns that the marketing provisions
in the current rule do not protect individuals' privacy, the proposal
would explicitly require covered entities to first obtain the individual's
specific authorization before sending them any marketing materials.
At the same time, the proposal would permit doctors and other covered
entities to communicate freely with patients about treatment options
and other health-related information, including disease-management
programs.
Parents and Minors -- The current rule may have unintentionally limited
a parent's access to their child's medical records. The proposal
clarifies that state law governs disclosures to parents. In cases
where state law is silent or unclear, the revisions would preserve
state law and professional practice by permitting a health care
provider to use discretion to provide or deny a parent access to
such records as long as that decision is consistent with state or
other law.
Uses and Disclosures for Research Purposes -- The proposal would
eliminate the need for researchers to use multiple consent forms
- one for informed consent to the research and one or more related
to information privacy rights. Instead, researchers could use a
single combined form to accomplish both purposes. The proposal would
also simplify other provisions so that the existing rule more closely
follows the requirements of the "Common Rule," which governs
federally-funded research. The provisions include privacy-specific
criteria and apply equally to publicly and privately funded research.
Request for Comments on an Alternative Approach to De-Identification
-- The Department received comments from the research community on
the need for an alternative approach to de-identification. HHS shares
these concerns but still believes identifiable information should
have strong protections. Therefore, HHS is seeking comments on establishing
a limited data set that does not include directly identifiable information
but in which certain identifiers remain. In addition, to further
protect privacy, the Department proposes to condition the disclosure
of the limited data set on a covered entity's obtaining from the
recipient a data use or similar agreement, in which the recipient
would agree to limit the use of the data set for the purposes for
which it was given as well as not to re-identify the information
or use it to contact any individual.
Uses and Disclosures for which Authorizations Are Required -- The
proposal would allow the use of a single type of authorization form
to get a patient's permission for a specific use or disclosure that
otherwise would not be permitted under the Privacy Rule. Patients
would still need to grant permission in advance for each type of
use or disclosure, but the proposal would eliminate the need for
covered entities to use different types of forms to obtain that
advance permission.
Other Provisions
The Department also proposes the following modifications:
- Sale of Business -- The proposal would clarify that the
rule permits disclosures in certain circumstances for the sale
of a covered entity's business.
- Group Health Plans -- The proposal would clarify that
a group health plan or health insurance issuer can disclose enrollment
or disenrollment information to a plan sponsor without amending
plan documents.
- Accounting of Disclosures of Protected Health Information
-- The proposal would not require the covered entity to account
for disclosures for which the individual provided written authorization.
- Disclosures for Treatment, Payment, or Health Care Operations
of Another Entity -- The proposal would clarify that covered
entities can disclose protected health information for the treatment,
payment and certain health care activities of another covered
entity or health care provider. The proposal would carefully limit
the expansion of sharing of information for health care operations
to protect the privacy expectations of individuals.
- Uses and Disclosures Regarding FDA-Regulated Products and
Activities -- The proposal would assure that the rule permits
covered entities to continue to disclose information to non-government
entities subject to FDA jurisdiction about the quality, safety,
and effectiveness of FDA-regulated products and activities - such
as reporting adverse events related to prescription drug use.
- Hybrid Entity -- The proposal would permit any entity
that performs covered and non-covered functions to elect to use
the hybrid entity provisions and would provide the entity additional
discretion in designating its health care component. The proposal
would clarify that protected health information does not include
employment records.
The proposal also includes a list of technical corrections and
additional clarifications related to various sections of the existing
rule. The proposed modifications collectively are designed to ensure
that protections for patient privacy are implemented in a manner
that maximizes privacy while not compromising either the availability
or the quality of medical care. Further information about the proposed
rule is available on the Web at http://www.hhs.gov/ocr/hipaa/.