The Department of Health and Human Services ("DHHS") announced the long-awaited final privacy regulations on December 20, 2000 and published them in the Federal Register on December 28, 2000 at pages 82462-82829 (the "Final Rules"). The Final Rules implement the privacy provisions of Subtitle F of the Health Insurance Portability and Accountability Act ("HIPAA"). Although similar to the proposed rules published on November 3, 1999, the Final Rules apply to more than electronic information and provide significantly greater detail and include a number of clarifications. In the accompanying release (or preamble), DHHS emphasized that the purposes of the Final Rules are to: (1) protect and enhance consumers’ rights of access to their health information and offer them control over inappropriate use of that information; (2) improve health care quality by restoring trust in the health care system and its participants; and (3) improve efficiency of health care delivery by creating a national framework for health privacy protection that builds on related efforts by states, health systems, organizations and individuals.
Who and What are Covered
The basic requirement of the Final Rules is simply stated as follows: "A covered entity may not use or disclose an individual’s protected health information, except as otherwise permitted or required by this subpart." § 164.502(a). Fully understanding the definitions of who (Covered Entity) and what (protected health information) are covered is the first step to being able to comply with this complex regulatory mandate.
Covered Entities. The Final Rules define Covered Entities to include health plans, health care providers and health care clearinghouses (such as a public or private billing service). § 160.103. However, health care providers that do not electronically transmit any protected health information in connection with transactions covered by the Final Rules are not Covered Entities.
Protected Health Information. Under the proposed rules, protected health information ("PHI") was limited to electronic records and any paper records that previously existed in electronic form. In the Final Rules, PHI has been expanded to include information transmitted or maintained in any form or medium, including oral communications. Health information in any form is protected if it (1) is created or received by a Covered Entity; (2) relates to an individual’s physical or mental health condition, the provision of health care to an individual or the payment for the provision of health care to an individual; and (3) identifies the individual or creates a reasonable basis to believe that the information, including demographic information, can be used to identify the individual. § 164.501. Thus, the Final Rules may be read as expanding the definition to include paper and oral information, and thereby regulating the use and disclosure of all individually identifiable health information created or received by a Covered Entity.
Some have questioned the application of the Final Rules to PHI in any form or medium. They maintain that HIPAA only grants the Secretary of DHHS the authority to promulgate standards that govern information electronically transmitted in connection with the transactions enumerated in HIPAA, such as claims for payment. Nonetheless, DHHS asserts in the Final Rules that the Secretary has proper authority under §264 of Subtitle F of HIPAA to promulgate comprehensive privacy rules for PHI in any form.
De-identified Information. A Covered Entity may use PHI to create de-identified health information, which is information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. De-identified health information must be created in accordance with the procedures outlined in §164.514(a) of the Final Rules. A Covered Entity’s disclosure of such de-identified health information is not subject to the Final Rules unless such disclosure is accompanied by a key or mechanism that could be used to re-identify the health information.
Patient Rights and Protections
Permitted Uses and Disclosures of PHI. A Covered Entity is permitted to use and disclose PHI as follows: (1) to the individual who is the subject of the PHI; (2) without consent or authorization of the individual, if such is not required under the Final Rules; (3) in compliance with a consent or authorization provided by the individual; (4) pursuant to an agreement with the individual under §164.510; or (5) as otherwise permitted or required by the Final Rules. § 164.502.
Minimum Necessary Standard. A Covered Entity must make reasonable efforts to limit the use, disclosure of and request for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. §164.502(b). The minimum necessary standard applies when a Covered Entity uses or discloses PHI or requests PHI from another Covered Entity. This standard does not apply however, to: (1) disclosures of PHI made to, or requests for PHI made by, a health care provider for treatment purposes; (2) uses or disclosures made to individuals about their own PHI; or (3) uses or disclosures made to the Secretary in accordance with the Final Rules. This narrowing of the minimum necessary standard to exclude disclosures for treatment is a significant change from the proposed rules.
In addition, a Covered Entity that makes routine and recurring disclosures of or requests for PHI must implement policies and procedures that limit the PHI disclosed or requested to the amount reasonably necessary to achieve the purpose of the disclosure or request. §164.514(d). This provision permits Covered Entities to avoid case-by-case determinations under the minimum necessary standard for routine and recurring requests or disclosures, such as completing claim forms.
Consent. Perhaps the most significant change in the Final Rules from the proposed rules is the new requirement that covered health care providers must obtain the individual’s consent prior to using or disclosing PHI to carry out treatment, payment or health care operations. §164.506(a). Other Covered Entities may, but are not required to, obtain such a consent. The Final Rules further permit a health care provider to condition treatment on the individual’s giving such a consent. A health plan may also condition enrollment on such consent.
Covered Entities should recognize that such a consent applies only to uses or disclosures of PHI for treatment, payment and health care operations. Any other use or disclosure of PHI will require the individual’s specific, separate authorization, unless an exception to the authorization requirement applies.
An individual’s consent must be written in plain language and signed and dated by the individual. Substantively, the consent must: (1) inform the individual that PHI may be used or disclosed for treatment, payment or health care operations; (2) refer the individual to the Covered Entity’s general notice regarding its use and disclosure practices; (3) notify the individual of the Covered Entity’s reserved right to change its privacy practices as contained in its general notice, if any; (4) state that the individual may request that the Covered Entity restrict the use or disclosure of PHI for treatment, payment and health care operations, and that the Covered Entity may refuse such request; and (5) state in writing that the individual may revoke the consent unless the Covered Entity has taken action in reliance on such consent.
The Final Rules permit the individual’s consent to be combined with or incorporated into other types of written legal consents obtained from an individual, such as informed consents or consents to assignment of benefits. However, the consent to use or disclose PHI must be visually and organizationally separate from such other consent and must be separately signed and dated by the individual. Thus, for all practical purposes, Covered Entities should use a separate consent form.
A health care provider may use or disclose PHI without a consent in an emergency; if required by law; if the individual is an inmate; or if the provider has an indirect treatment relationship with the individual. An indirect treatment relationship exists when the health care provider delivers care based upon the orders of another health care provider and such health care provider typically provides services for or reports to such other provider and not directly to the individual. Examples of health care providers who generally have an indirect relationship with patients include radiologists and pathologists. A health care provider may also use or disclose PHI without consent if such provider attempts to obtain the individual’s consent but is unable to do so due to substantial barriers, and in the provider’s professional judgement the individual’s consent to receive treatment is clearly inferred from the circumstances. Providers must document their attempts to obtain the consent prior to using or disclosing PHI and must limit such use or disclosure to treatment, payment or health care operations.
Authorization. Unless a specific exception applies, a Covered Entity must obtain an individual’s authorization to use or disclose PHI for any reason other than treatment, payment and health care operations. §164.508. A Covered Entity may not condition treatment, payment, enrollment in a health plan or eligibility for benefits on the individual’s signing of an authorization except for research related treatment, enrollment or eligibility prior to the individual’s enrollment in a health plan, and payment of claims by a health plan if such disclosure is necessary and does not include psychotherapy notes.
A valid authorization must be written in plain language and signed and dated. Substantively, the authorization must contain: (1) a description of the PHI to be used or disclosed; (2) names of the persons or class of persons to whom the PHI will be disclosed or from whom such PHI will be requested; (3) an expiration date related to the individual or the use or disclosure; (4) a statement of the individual’s right to revoke; and (5) a statement that the PHI disclosed may be subject to redisclosure by the recipient and no longer protected by the Final Rules. Additional requirements apply to authorizations requested by a Covered Entity for its own use and disclosure of PHI. Notably, those authorizations must state if the use or disclosure will result in direct or indirect remuneration to the Covered Entity. Authorizations requested by a Covered Entity that is requesting disclosure of PHI by others also have additional requirements.
Directories, Marketing and Fundraising. A Covered Entity may disclose certain PHI without first obtaining a written authorization in order to maintain a directory of individuals in its facility or to provide information to family members or close personal friends involved in the care of the individual. The Covered Entity must inform the individual in advance, orally or in writing, of such use of PHI and offer an opportunity for the individual to prohibit or restrict the use. §164.510. This rule essentially creates an "opt out" provision by which an individual has the burden of objecting to this limited use or disclosure of PHI.
Similarly, a Covered Entity may use PHI without first obtaining a written authorization for its own marketing and fundraising purposes. However, the Covered Entity must provide the individual with an opportunity to "opt out" of receiving future marketing or fundraising communications. §164.514(e) and (f). Covered Entities should be aware that despite this exemption from the authorization requirement, the use of PHI in connection with marketing and fundraising materials must still comply with requirements specifically related to marketing and fundraising activities. For instance, marketing materials that include PHI must (1) identify that the marketing materials come from the Covered Entity and (2) state whether the Covered Entity receives compensation from a third party for the marketing. §164.514(e)(3). Further, PHI used by Covered Entities as part of fundraising activities may only include demographic information about the individual (i.e., name, address) and dates of health care service provided to such individual. §164.514(f)(1).
Covered Entities should be aware that PHI excepted or exempted from the consent or authorization requirements may still be subject to state law requirements regarding the confidentiality of medical information (e.g., use or disclosure of information related to HIV/AIDS status).
Notice. The Final Rules require that individuals receive notice regarding the privacy practices of Covered Entities. §164.520. Covered Entities must provide adequate notice of their permitted uses and disclosures of PHI, the individual’s rights and the Covered Entity’s legal obligations with respect to the protection of PHI. This notice must contain the following statement as a header or otherwise prominently displayed: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please read it carefully." In addition, the notice must state: (1) that the Covered Entity is required by law to maintain the privacy of PHI; (2) when it may, and may not, use or disclose PHI; and (3) that all other uses or disclosures will require the individual’s revocable written authorization. The notice must also inform individuals of their rights, including the right to: access, copy, inspect and amend their PHI; to receive an accounting of disclosures of their PHI; and to request restrictions on the use or disclosure of PHI.
A Covered Entity must provide this notice upon request. In the case of health care providers having a direct relationship with the individual, the notice must be provided no later than the first occasion of service after the compliance date. §164.520(c). Health care providers must provide the notice to each patient individually, and post the notice prominently in their office as well as on the provider’s website, if applicable. All notices must be updated and distributed whenever there are material changes to any provision of the notice.
Access, Amendment and Accounting. Similar to the proposed rules, the Final Rules afford patients the right, with limited exceptions, to access, inspect and copy their own PHI; to request an amendment of their PHI; and to obtain an accounting of all disclosures of their PHI made by the Covered Entity within the immediately preceding six year period. §§ 164.524, .526, and .528. Covered Entities must act within 30 days of a request for access to PHI and within 60 days of a request to amend or receive an accounting of PHI. A denial of a patient’s request to access or amend PHI must be provided by the Covered Entity within the specified time period, in writing, and must state the reasons for such denial and explain the patient’s review rights, if any. A Covered Entity may not deny a request for an accounting. However, such accounting need not include the following disclosures of PHI: (1) made to carry out treatment, payment or health care operations; (2) to individuals about their own PHI; or (3) prior to the Covered Entity’s compliance date.
Right to Request Additional Protection of PHI. An individual has the right to request that the Covered Entity restrict uses and disclosures of PHI to carry out treatment, payment or health care operations and disclosures to family members or close personal friends involved in the individual’s care. §164.522. A Covered Entity is not required to agree to such requests. However, a Covered Entity that agrees to restrict the use and disclosure of PHI as requested must abide by such agreement except in the case of a medical emergency.
Psychotherapy Notes. Psychotherapy notes are treated differently from other forms of PHI. DHHS has commented that psychotherapy notes are highly subjective and sensitive and are deserving of a higher protected status. For instance, a Covered Entity must obtain patient authorization for any use or disclosure of psychotherapy notes except for use by the originator of the notes for treatment purposes; use or disclosure for training purposes; use or disclosure to defend a legal action brought by the individual; or as otherwise permitted by the Final Rules for oversight of the psychotherapist. §164.508(a)(2). In addition, a Covered Entity may deny an individual’s request to access or amend his or her psychotherapy notes. §§164.524(a)(2)(i) and 164.526(a)(2)(iii).
Disclosures Permitted without Written Authorization
In certain specific situations, Covered Entities are permitted to disclose PHI without obtaining either written consent or authorization. §§164.510 and .512.
The provisions regarding disclosure without authorization are highly technical. Compliance with these rules will require Covered Entities to make a two-step determination before disclosing information; first, determining whether a specific situation described in the Final Rules exists; and second, determining what exact type of PHI can be disclosed in that particular situation.
Covered Entities will be permitted to disclose PHI that is required to be disclosed by law. §164.512(a). For example, Covered Entities may be required by state law to disclose vital statistics or communicable disease information to state public health departments or to make disclosures to state professional regulation bodies in connection with audits or investigations. Under the Final Rules, Covered Entities will, for the most part, continue to be able to make these disclosures. However, Covered Entities will need to ensure that the disclosure is actually required by law and to verify the identity of the person receiving the disclosure. Where the disclosure is related to the abuse or neglect of an adult or is in response to a request by a law enforcement official or a judicial or administrative officer, Covered Entities must follow additional requirements. §164.512(c),(e), and (f).
The Final Rules also permit disclosures for public policy reasons. Examples include cooperation with health oversight activities, facilitating organ donation, and funeral arrangements. In addition, there are also public policy exceptions that address highly sensitive situations such as when necessary to avert a serious threat to public health and safety or when national security interests are at stake. Compliance with these rules may prove challenging because employees will be required to consult the Final Rules during volatile, highly charged situations.
The Final Rules include administrative requirements that essentially require Covered Entities to establish a framework to achieve organizational compliance. §164.530. These administrative requirements require Covered Entities to appoint privacy staff, implement policies and train employees.
Covered Entities will be required to designate a privacy official to oversee compliance and a contact person to receive complaints and questions. §164.530 (a). Although DHHS indicated that organizations would not necessarily need to create an entirely new position for these roles, many analysts are skeptical that a person assigned to other duties can adequately handle this cumbersome task, particularly in larger organizations.
Covered Entities will be required to develop and implement policies to establish compliance with the Final Rules. §164.530(c)-(i). Specifically, Covered Entities must have policies to accomplish the following tasks: (1) protect from accidental or intentional misuse or disclosure of PHI; (2) establish a grievance procedure for violations of the organization’s privacy policies; (3) impose sanctions against employees who violate the organization's privacy policies; (4) mitigate effects of errant disclosures by the entity or by a business associate; and (5) prevent retaliation for complaints or reports of noncompliance and address applying changes in privacy policies to PHI already collected.
Covered Entities must train employees on the organization’s privacy policies and must re-train employees if material changes are made to such policies. §164.530 (b). The controversial provision of the proposed rule that required employees to sign a certification that they received training on the policies and recertify such document every three years has been eliminated in the Final Rules.
Business Associate Requirements
The controversial business partner provisions of the proposed rules still exist with some modifications in the Final Rules. §164.502 (e). Under the Final Rules, relationships between Covered Entities and their "business associates" must meet certain requirements. A business associate is defined as any entity who on behalf of the Covered Entity performs a function or service that involves the use or disclosure of PHI. §160.103(B)(ii). A business associate must be performing the function, or service to, for or on behalf of the Covered Entity to be considered its business associate.
With limited exceptions, Covered Entities must adhere to two requirements for business associates. First, the Covered Entity must enter into a contract with the business associate that provides satisfactory assurances that the business associate will appropriately safeguard the PHI. §164.504(e). The required contractual provisions include limitations on the business associate’s further use and disclosure of PHI, a requirement that the business associate must make the PHI available for amendment and for audit of disclosures, reporting requirements regarding any improper use or disclosure of which a business associate becomes aware, the use of appropriate safeguards to comply with the contract and a requirement that agents or subcontractors who receive PHI from the business associate will also comply. Further, the contract must require the return or destruction of all PHI at termination of the contract, if feasible.
In addition, a Covered Entity must address situations where the business associate is not complying with its obligations. §164.504(e)(ii). The proposed requirement that the Covered Entity investigate the practices of business associates and ensure their compliance has been deleted. However, under the Final Rules, a Covered Entity may be liable if it knew of a material breach by the business associate unless the Covered Entity took reasonable steps to either cure the breach or terminate the contract.
Notably, the controversial provision by the proposed rules that the contract make an individual who is the subject of disclosed PHI a third party beneficiary has been deleted in the Final Rules.
In accordance with §264 of HIPAA, the Final Rules generally preempt state law provisions that are contrary to the Final Rules. A state law will be considered contrary to the Final Rules if the Covered Entity finds it impossible to comply with both. There are three exceptions to this general rule to save a state law that: (1) following a request for an exception, the Secretary determines the law is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance and health plans, or for state reporting on health care delivery, and other purposes; (2) following a request for an exception, the Secretary determines the law has as its principal purpose the regulation of controlled substances; or (3) relates to the privacy of individually identifiable PHI and is more stringent than the Final Rules. State laws that relate to public health, auditing of health plans and licensure of facilities are also not preempted. §260.203. Analysis of state law will be an important component of the compliance effort.
Complaints, Enforcement, and Penalties
The Final Rules establish a whistleblower provision. Any person believing that a Covered Entity has failed to comply with the Final Rules may file a written complaint (via paper or e-mail) with the Secretary of DHHS within 180 days of the date the complainant knew or should have known that the act or omission complained of occurred. As a result of such complaint, the Secretary of DHHS may initiate an investigation of the Covered Entity, including a compliance review. §160.306. However, the Final Rules do not confer a private right of action upon any person to sue a Covered Entity for damages incurred by such person as a result of a Covered Entity’s violation of the Final Rules.
DHHS has delegated interpretation, implementation and enforcement authority to its Office for Civil Rights ("OCR"). OCR’s enforcement authority includes the right to impose civil monetary penalties and to make exception determinations regarding the preemption of state law provisions that are contrary to the Final Rules.
Under §262 of Subtitle F of HIPAA, the Secretary of DHHS has the authority to impose civil monetary penalties up to $100 per violation, not to exceed $25,000 per person for violations of a single standard in any calendar year. The statute also imposes criminal penalties of up to $50,000 and/or imprisonment for up to one year for any person who knowingly violates a standard; $100,000 and/or imprisonment for up to five years for any person who violates such standards under false pretenses; and $250,000 and/or imprisonment of up to 10 years for any person who violates any standard with the intent to sell, transfer or use PHI for commercial advantage.
Effective Date and Compliance Dates
Pursuant to Section 164.534, the Final Rules became effective February 26, 2001, sixty days following their publication in the Federal Register. However, under the Congressional Review Act of 1996, major regulations are effective only after a 60-day Congressional review period. Allegedly because of an administrative oversight, Congress did not receive the official notification of the Final Rules from DHHS until February 13, 2001. DHHS has since announced that as a result of the delay, the Final Rules will become effective on April 14, 2001. Compliance will be required by April 14, 2003 for most covered entities. Compliance for small health plans will be required by April 14, 2004. Legal consents and authorizations for the use and disclosure of PHI obtained prior to such compliance date will remain valid even if they do not comply with the requirements contained in the Final Rules. §164.532.
Special Issues for Health Systems and Medical Groups
The Final Rules create a new type of covered arrangement that accommodates integrated entities that consist of more than one Covered Entity. An "organized health care arrangement" includes clinically integrated care settings in which an individual receives care from more than one provider (e.g., group practices and hospitals); organized systems of health care including more than one Covered Entity holding itself out to the public as a joint arrangement and participating in joint activities; a group health plan and one or more health insurance issuers or HMOs; two or more group health plans maintained by the same plan sponsor; and two or more group health plans maintained by the same plan sponsor and health insurance issuers or HMOs. § 164.501.
The Final Rules recognize that certain Covered Entities maintain and transmit PHI as a secondary function of their businesses. A "hybrid" is a legal entity that is a Covered Entity but whose covered functions are not its primary purpose. §164.504. Only the health care component of the hybrid entity will be considered a Covered Entity for purposes of compliance with the Final Rules. §164.504(c). For instance, a manufacturing company may have an on-site health clinic. The clinic and the administrative and business functions performed by the company with respect to the clinic would be required to comply with the Final Rules as a Covered Entity.
The Final Rules also permit legally separate Covered Entities that are affiliated with one another (e.g., hospital chains) to designate themselves as a single Covered Entity for purposes of compliance. §164.504(d). An "affiliate" is described as two entities under common ownership or control. In turn, "common ownership" is defined as an ownership or equity interest of 5 percent or more, and "common control" is defined as the power to, directly or indirectly, influence or direct the actions or policies of another entity. Thus, most health systems could be a single Covered Entity. As a single Covered Entity, the affiliates may promulgate joint notices and consent forms as permitted under the Final Rules. However, although the Final Rules treat the affiliates as a single Covered Entity in most respects, affiliates must still comply with the requirements and restrictions applicable to the disclosure of or request for PHI between or among Covered Entities.
Special Issues for Health Plans
Insured and self-insured employee health benefit plans (other than those with fewer than 50 participants that are administered by the plan sponsor), as well as health insurers and HMOs ("health insurance issuers"), are "health plan" Covered Entities. However, employers and other group health plan sponsors are not, as such, Covered Entities and thus are not directly regulated under the Final Rules.
Disclosure of PHI to Sponsors of Group Health Plans. Health plan disclosures of PHI without individual consent to plan sponsors as needed by the sponsor to carry out both its fiduciary plan administration and non-fiduciary functions with respect to its group health plans are governed by the special standard at §164.504(f). Health plans are permitted to disclose PHI that consists of summary claims information without certain identifiers to a plan sponsor that requests it for the purpose of obtaining premium quotes for health insurance or HMO coverage or modifying, amending or terminating the group health plan. Under the Final Rules, as under ERISA, these functions and a sponsor's performance of enrollment functions on behalf of its employees are not considered to be plan administration activities. Group health plans may disclose and permit a health insurance issuer to disclose PHI to a plan sponsor that is needed by the sponsor to perform its plan administration functions only after the group health plan assures that the plan documents have been amended to specify the sponsor's obligations with respect to its use and disclosure of the PHI that are consistent with the §164.504(f) requirements.
In disclosing PHI to a plan sponsor, health plans are entitled to rely on the sponsor's written certification that the plan documents have been amended to incorporate the required provisions and that the sponsor agrees to abide by them. PHI may not be disclosed to a plan sponsor for employment-related actions or actions with respect to any other benefit or plan maintained by the sponsor, without individual consent, and the sponsor must agree not to use PHI for such purposes.
Business Associations. Disclosures of PHI to a plan sponsor in conformance with the requirements noted above do not require a business associate contract between the sponsor and the disclosing health plan. §164.502(e)(ii)(B).
The provision of insurance or HMO coverage to a group health plan does not make the health insurance issuer providing such coverage a business associate of the group health plan. DHHS states in the preamble to the Final Rules that it considers a health insurance issuer's activities involving the use or disclosure of PHI which are part of or directly related to its provision of insurance to be activities performed by the issuer on its own behalf, and not on behalf of the group health plan.
However, a health insurance issuer that contracts with a group health plan to perform on behalf of the plan any function or activity regulated under the Final Rules that involves the use or disclosure of PHI, and that is not part of or directly related to the issuer's provision of insurance to the group health plan, is a business associate of the plan. In such a case, the business associate contract must meet the requirements of §164.504(e)(2).
Notice of Privacy Practices. An individual enrolled in a group health plan who receives plan benefits through an insurance contract with a health insurance issuer is entitled to notice from the issuer of its privacy practices for PHI. Enrollees who receive self-insured group health plan benefits are entitled to notice from the group health plan. In either case, it appears that provision of the notice to an enrolled employee will satisfy the health plan's notice obligation with respect to the employee's enrolled dependents.
A group health plan that provides benefits solely through an insurance contract with a health insurance issuer is not required to maintain or provide any notice of its privacy practices for PHI unless it creates or receives PHI other than summary claims information or information on individuals' participation in the group health plan or enrollment with a health insurance issuer offered by the plan. §164.520(a)(2).
Health plans must provide the required notice of privacy practices on or before the compliance date to the individuals who are covered by the plan when the notice is given. Thereafter they must give the notice to covered individuals within 60 days of a material revision to the notice and to new enrollees at the time of enrollment. At least once every three years a health plan must notify covered individuals of the availability of the notice and how to obtain it. §164.520(c)(1).
Special Issues for Research and Research Institutions
The new privacy standards will affect directly the conduct of research by Covered Entities and, indirectly, will affect pharmaceutical companies and medical device companies who sponsor research conducted by Covered Entities. The standards comprehend one of three pathways for disclosure of PHI by Covered Entities to sponsors of research, depending upon the context of the research, the PHI to be disclosed, the risks from disclosure and the practicability of obtaining an authorization for disclosure from the study subject.
For research that includes treatment of individual study subjects, an authorization for use or disclosure of PHI must be obtained. §164.508(f). The authorization must include a description of the extent to which PHI will be used or disclosed to carry out treatment, payment, or health care operations and a description of any PHI that will not be used or disclosed. The authorization may be in the same document as the consent to participate in research, the consent to use or disclose PHI for treatment, payment or health care operations or a notice of privacy practices. This pathway would likely apply to most prospective clinical research studies.
The privacy standards permit disclosure of PHI without written consent or authorization to pharmaceutical companies and medical device companies (as persons subject to the jurisdiction of the Food and Drug Administration) to report adverse events, to enable product recalls, to track products or to conduct post-marketing surveillance (where FDA requires product tracking or post-marketing surveillance). §164.512(b)(iii).
Under certain circumstances, disclosure of PHI is permitted without authorization, provided a waiver of authorization for disclosure has been approved by an Institutional Review Board or a new privacy board, the disclosure is limited to review of information necessary to prepare a research protocol, or the disclosure is sought solely for research on decedents. §164.512(i). For disclosure to be permitted under an IRB or privacy board waiver, the IRB or privacy board must find that (1) the disclosure involves no more than minimal risk; (2) the research could not practicably be conducted without the PHI or the waiver; (3) the privacy risks are reasonable in relation to anticipated benefits to the individuals and the importance of the knowledge that may reasonably be expected to result from the research; (4) there is an adequate plan to protect PHI from improper use and disclosure and to destroy identifiers at the earliest opportunity consistent with the conduct of the research; and (5) the PHI will not be reused or disclosed to any other person (except as required by law or for authorized oversight of the research project). This approach would appear to cover many retrospective studies involving medical record ("chart") reviews.
Database research involving de-identified information is permitted as long as the information does not identify an individual and there is no reasonable basis to believe the information can be used to identify an individual. §164.514(a). A covered entity can determine that information has been adequately de-identified in one of two ways: (1) determination and documentation by a statistical expert that the risk is very small that the information could be used to identify an individual, or (2) compliance with a "safe harbor" through removal of 18 specified identifiers. §164.514(b). Of note, birth date, admission date, discharge date, date of death, and age, if over 89, are to be removed except year of birth, admission, discharge or death are permitted and ages over 90 may be aggregated into a single category. For geographic region, identifiers other than state or the initial three digits of the zip code must be removed. If the region comprising zip codes with the same initial three digits has a population less than 20,000, the zip code identifier must be reported as "000." Database research that cannot meet the de-identification requirements may still proceed under a waiver of authorization approved by an IRB or privacy board as described above.
The finalization of the federal health information privacy rules signals a new era for all health care providers and other Covered Entities. The Final Rules require heightened concern with ensuring the privacy of patient information at every level of the health care system and for every entity in the health industry. The Final Rules cannot be ignored and will require lengthy and painstaking planning to implement. We look forward to helping our clients analyze the Final Rules and implement them effectively and efficiently in their organizations.