
HIPAAprivacy: The Missile Disassembled

By D'Arcy Guerin Gue, Executive Vice President, Knowledge Services and Business Development, Phoenix Health Systems

On July 6, 2001 the Department of Health and Human Services issued the first of "several technical assistance" materials it has promised on the HIPAA Privacy Rule. The stated purposes of this Guidance: to clarify the Privacy Rule's provisions and reflect DHHS' intent not to interfere with patients' access to healthcare or to the quality of healthcare.

The Department plans to offer future guidance and to issue proposed modifications "expeditiously...to correct any unintended negative effects." Modifications to the Privacy Rule require publishing them in the Federal Register through the Notice of Proposed Rulemaking (NPRM) process and providing for public comment before issuing a final rule. In the meantime, DHHS is preparing Guidance clarifications so that the industry may begin implementing the Privacy Rule to meet its April 14, 2003 compliance date.


OVERVIEW

The Guidance reaffirms that the Privacy Rule is needed because the protections provided by "the old system of paper records in locked file cabinets is not enough...under the current patchwork of laws, personal health information can be distributed -- without either notice or consent -- for reasons that have nothing to do with a patient's medical treatment or health care reimbursement."

Scalable compliance options are emphasized throughout the Guidance; it reiterates that providers and payers have flexibility to create their own privacy procedures, and that these procedures may be "tailored to fit their size and needs."


LIKELY RULE CHANGES / MODIFICATIONS TO BE PROPOSED

  • Pharmacists may fill physicians' phone-in prescriptions before obtaining patient consent.
  • Providers to whom a patient has been referred for the first time can use personal health info to set up appointments or schedule procedures.
  • Covered entities may engage in whatever communications are necessary for "quick, effective, high quality healthcare" including routine oral communications with family and staff.
  • Common practices such as sign-up sheets, X-ray light boards and bedside medical charts are not prohibited.
  • Possible changes to ensure parents have appropriate access to information about the health of their children.

WHO IS COVERED?

The Guidance notes that health plans, clearinghouses, and providers who conduct certain transactions electronically are covered even if their "business associates" perform some essential functions for them. Though DHHS has no authority to govern entities that are not health plans, clearinghouses or healthcare providers, it can and does require covered entities to have contracts with their business associates that contain specific provisions.


CONSENT

DHHS reaffirms that the Privacy Rule builds on customary health practices rather than replacing them. With its consent provisions, it sets "a uniform standard for certain health care providers to obtain patient consent for uses and disclosures of health information" to carry out treatment, payment or healthcare operations (TPO). The Rule does not limit -- or intend to address -- consent for treatment. Its focus is on ACCESS to health information, not the underlying treatment. Clarifications include:

  • Consent is not required in an emergency, when law requires treatment, or when there are substantial communications barriers, but must be obtained as soon as reasonably practicable.
  • Providers with indirect treatment relationships (e.g., laboratories, which interact only with the physician and not the patient), as well as health plans and clearinghouses, may use and disclose personal health info for purposes of TPO without getting consent.
  • Consulting with another provider -- another indirect relationship -- does not require the other provider to obtain consent.
  • Providers can refuse treatment if a patient refuses consent for use or disclosure of his personal information to carry out the treatment, payment or healthcare operations.
  • Providers need to obtain the patient's written consent only once, whether there is a "connected course of treatment" or treatment for unrelated conditions -- and aren't required to verify a signature if the patient isn't present.
  • A patient may revoke consent in writing, but this excludes actions already taken in reliance on the consent. The patient can also request restrictions on uses and disclosures; the covered entity doesn't have to agree, but is bound by anything it does agree to. The caregiver may bill and expect payment for care provided after obtaining consent, even if the patient revokes consent.
  • Certain integrated organizations, including an organized healthcare arrangement located in different states, may rely on one joint consent for all.
  • Providers can rely on consents received before the compliance deadline of April 14, 2003 for use and disclosure of information received before that date.
  • Pharmacists may give advice on over-the-counter medicines as long as this is just a conversation, and no records of personal information are set up.
  • Pharmacists can make "reasonable inferences" about the patient's best interest to allow someone other than the patient to pick up a prescription. This includes family and friends.
  • If a provider believes that waiting for patient consent would compromise patient care, he can use or disclose personal health information for emergency treatment. Patient consent must be sought as soon thereafter as is reasonable.

MINIMUM NECESSARY

The "minimum necessary" use and disclosure of personal health information to accomplish the intended purpose does NOT apply to:

  • Disclosures to providers for treatment purposes.
  • Disclosures to the patient himself.
  • Uses or disclosures for which an individual has signed an authorization.
  • Uses or disclosures required to comply with HIPAA transactions.
  • Disclosures to DHHS that are needed in order to enforce HIPAA.
  • Uses or disclosures that are required by other law.

For routine disclosures, covered entities may rely on policies and procedures as standard protocols if they define "minimum necessary" for staff to carry out their jobs. If it's non-routine, a disclosure must be reviewed individually using reasonable criteria.

Covered entities may rely on the requesting party's judgment on the minimum necessary, if the request is "reasonable" and is made by public officials for certain legal or public health purposes, another covered entity, a professional staff member or business associate, or a researcher who has received appropriate documentation from his review board. However, the covered entity may instead use its own discretion to make the determination.

DHHS plans to modify the Privacy Rule to increase confidence that covered entities are "free to engage in whatever communications are required for quick, high quality care."

Covered entities are required to assess for themselves what personal health information is necessary to achieve a particular purpose. However, this does not necessarily require uses and disclosures to be limited only to information "that is absolutely necessary." The Guidance clarifies that the standard is a "reasonableness" standard, not a strict one -- which enables a best practices approach consistent with existing professional standards.

The Guidance also confirms that the covered entity is in the best position to "know and determine who in its workforce needs access" to personal health information, including entire medical records, for treatment purposes -- and recommends that providers develop role-based access policies.

If an entity believes that a request is for more than the minimum necessary information to achieve the intended purpose, the disclosing entity must make the final determination. But if an individual authorizes disclosure of his information to third parties such as government agencies, life insurers and others, the entity does not have to make any minimum necessary determination. However, the entity must make this determination if it has requested the authorization for its own purposes.

The Guidance emphasizes the scalability of compliance with the minimum necessary provision, pointing out that "reasonable efforts" are required to limit access to personal health information. What is reasonable for a paper-based organization with three or four staff is likely to be very different from what is reasonable in a complex hospital environment. For example, in the former, it may not be practical to limit certain employees' access to parts of the patient record, but a large organization with electronic patient record systems very likely may need to establish limited-access fields. Similarly, organizations are expected to take reasonable precautions against exposing bedside charts, prescription vials and X-ray light boards to the public; they are not required to eliminate them or totally isolate them from all functions.

The Guidance admits that the Privacy Rule is "ambiguous" about the use of sign-in sheets in physician offices and other similar practices. Modifications will be developed indicating that these customary practices are permitted.


ORAL COMMUNICATIONS

DHHS emphasizes that oral communications must be covered by the Privacy Rule because if they were not, any health information could be available to anyone, as long as it was spoken. The Privacy Rule doesn't wish to keep providers from talking to each other -- nor does it require eliminating all risk of prohibited disclosures. Customary practices such as speaking loudly in a crowded emergency room, discussing patients over the phone, coordinating services orally at a nursing station, and discussing a patient’s condition during training rounds are permissible, with "reasonable precautions" such as standing apart and lowering voices. Similarly, structural changes such as soundproofing, private rooms or encryption of phone systems, aren't necessary. A suggested alternative solution is providing curtains, screens or cubicles in areas where multiple patient-staff discussions take place.

The Rule does not require recording oral conversations involving patients’ health information. However, if conversations have been recorded and then used in decision-making about the patient, individuals may have access to these records. Nor does the Rule require documenting any information, including oral, that is used or disclosed for treatment, payment or healthcare operations. If disclosures are made for other purposes, such as disclosure of a health condition to a public health agency, they must be documented as part of the patient’s disclosure history.


BUSINESS ASSOCIATES

A central Privacy Rule tenet is reaffirmed: personal health information may be disclosed to a business associate only to help providers and plans complete their healthcare functions. Business associates may not use the information in any other way.

  • Members of a provider, health plan or other covered entity's workforce are not considered business associates. Nor are covered entities who exchange personal health information for treatment purposes, such as a physician who discloses information to a hospital where he has admitting privileges.
  • The Privacy Rule doesn't "pass through" its requirements to business associates; it has no authority to do so. Covered entities must obtain assurances from their business associates that they will use the information only for the purposes that they were engaged to perform, will safeguard the information from misuse and will help the entity comply with its HIPAA obligations. Typically this agreement will be accomplished by contract between the covered entity and the business partner. Covered entities are not liable for privacy violations of a business associate. However, if they become aware of a "pattern or practice" that is a material breach of the business associate’s contract, they must take "reasonable steps" to correct the problem. If unsuccessful, they may have to terminate the contract or report the problem to DHHS. Only if the covered entity doesn't take these steps would it be considered non-compliant with the Rule.

PARENTS AND MINORS

A parent or guardian is considered the "personal representative" of his or her minor child, and has the right to see the child’s personal health information. There are a few exceptions:

  • If a minor consents to services where a state or other law doesn't require parental consent, the parent is no longer considered the personal representative.
  • When a parent agrees to a confidential relationship between the child and the physician, he or she may not have access to the child's health information.
  • If a covered entity believes that the child is an abuse or neglect victim, or may be endangered by the parent, the entity may choose not to treat the parent as the child’s personal representative. In these cases, parents do not have the right to see their children’s medical records.

The Guidance notes that Secretary Thompson is reassessing these provisions to ensure "that parents have appropriate access to information about the health and well-being of their children."


MARKETING

The Privacy Rule limits how personal health information may be used in marketing, including the kind of marketing that may be done as a part of healthcare operations. Marketing is defined as communicating about a product or service in order to encourage its purchase or use.

Certain activities that otherwise meet this definition are NOT considered marketing under the Privacy Rule "to prevent interference with essential treatment or health-related communications with a patient." They include:

  • Describing participating providers or plans in a network -- or the services and benefits they provide.
  • Using the communication to provide, manage or further treatment -- as in recommending over-the-counter medications or sending reminder notices for appointments or prescription refills.

If a communication IS marketing, personal health information may be used or disclosed only in these cases:

  • Face-to-face encounters with the patient -- as in offering product samples during an office visit.
  • They involve products or services of nominal value, e.g., toothbrushes, pens, etc.
  • They concern health-related products and services of the covered entity or a third party, and if the covered entity making communication is identified.
  • It is stated that the covered entity is being paid for the communication, if this is so.
  • The individuals are told how to opt out of further marketing.
  • Individuals are told why they have been targeted (Are they diabetics, smokers?) and how the communication relates to their health.
  • They are marketing-related disclosures made to business associates only to support the covered entity’s marketing activities. The entity must require a signed business associate agreement from its telemarketer or door-to-door salesman, who may not use protected health information for his own or other purposes.

Under the Privacy Rule, all other marketing requires individual authorizations to use or disclose personal health information. In order to release patient or enrollee lists for any other reasons, the covered entity must obtain authorization from everyone on the list.


RESEARCH

Covered entities may use and disclose personal health information for health research with authorization by individual participants -- or without it under limited circumstances:

  • The covered entity must be notified that the appropriate Review Board has approved waiver or alteration of authorization. An example might be records research, in which it is impractical to find participants and obtain authorization.
  • The researcher uses the information only to prepare a necessary research protocol or similar document, and will not remove any personal health information.
  • The research is only on decedents, the personal health information is necessary, and the deaths of the individuals can be documented.

The Guidance argues that requiring individual authorization for certain research and limiting unauthorized research as described above will not hinder medical advances. It suggests that patients will be more willing to participate if their information is protected, and cites a National Institutes of Health (NIH) study in which over 30% of eligible participants declined a test for breast cancer for fear of insurance discrimination.


GOVERNMENT ACCESS

The only new authority the Privacy Rule provides for government is in its role of enforcing the Privacy Rule itself. The Office for Civil Rights (OCR) has the right to receive enough information to investigate complaints and ensure compliance. Otherwise, government health providers and health plans such as Medicare and Medicaid have to meet essentially the same requirements as private organizations. The Guidance also confirms that the Rule does not require physicians or others to send medical information to the government for a database or similar purpose.

Police and other law enforcement access to information also is not expanded by the Rule. According to the Guidance, access will be more limited than is currently provided. Law enforcers will not receive DNA information without a warrant, and entities must get permission from victims of domestic abuse before disclosing their information.


PAYMENT

The Privacy Rule allows "payment" to include disclosures to consumer reporting agencies, but these are limited to basic non-health information such as name, social security number, date of birth and payment history.

Covered entities may use collection agencies through a business associate agreement. In general, DHHS maintains that there is no conflict between the Rule and the Fair Credit Reporting Act or the Debt Collection Practices Act.


For the full text of the Privacy Guidance of July 6, 2001, go to: http://www.hipaadvisory.com/regs/finalprivacy/guidance.htm

Questions are being taken by DHHS at: http://www.hhs.gov/ocr/hipaa2.html