On March 21, 2002, the U.S. Department of Health and Human Services (DHHS) issued proposed amendments (Proposed Rule) to the current Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act (HIPAA). The Proposed Rule was published in the Federal Register on March 27, 2002, and provides for a 30-day public comment period. In general, the Proposed Rule, if finalized, would reduce some, but not all, of the burdens that the Privacy Rule imposes on health care providers and health plans. It would also add new restrictions with respect to marketing.
Following the comment period, DHHS intends to promulgate new privacy standards that reflect the Privacy Rule, the Proposed Rule and any significant comments. Because the new final privacy rule will reflect DHHS’ consideration of comments from the public, the new rule may include further changes to and/or restore parts of the Privacy Rule. The Proposed Rule does not delay the privacy standards compliance date of April 14, 2003 (April 14, 2004 for small health plans).
The Proposed Rule includes several modifications to the Privacy Rule which are intended to address the concerns of covered entities (defined as health care providers, health plans and health care clearinghouses) and health care consumers. If finalized by DHHS, these modifications will require adjustments to most organizations’ HIPAA implementation efforts.
Written Acknowledgment of Privacy Notice Replaces Consent Requirement
The Proposed Rule removes a major administrative burden by making optional the Privacy Rule requirement that direct treatment providers, such as hospitals and most physicians, obtain a patient’s signed consent before using or disclosing the patient’s protected health information (PHI) for treatment, payment or health care operations (TPO). The Proposed Rule, instead, requires direct treatment providers to make a "good faith" effort to obtain a written acknowledgement of receipt of the provider’s notice of privacy practices from the patient or the patient’s authorized personal representative. While "good faith" is not defined under the Proposed Rule, the phrase is typically defined to mean honesty of purpose and a general conscientiousness and faithfulness toward one’s duty or obligation (i.e., the duty to obtain written acknowledgement).
The Proposed Rule maintains the general requirement that a direct treatment provider post the notice in a prominent location and also deliver it to a patient no later than the first date of service after April 14, 2003. However, in an emergency treatment situation, the notice may be delivered as soon as reasonably practicable after the emergency. For example, hospital emergency department personnel may deliver the notice after they have stabilized a patient who requires emergency treatment.
If a direct treatment provider is unable to obtain the written acknowledgement, then it must document its good faith efforts to obtain it and the reason(s) why it was not obtained. Providers may find that diligently pursuing the patient for and obtaining the acknowledgment requires less time and effort than documenting the failure to obtain it.
The elimination of the consent requirement does not eliminate the Privacy Rule requirement that covered entities obtain individuals’ authorizations for use and disclosure of PHI for non-TPO purposes, but the Proposed Rule does somewhat simplify the authorization requirement. It attempts to standardize the authorization requirement and eliminate the need for different forms of authorizations for different purposes.
Core Elements and Required Statements
The Proposed Rule requires any authorization to contain the following core informational elements (many of which were already required under the Privacy Rule):
- a specific and meaningful description of the PHI to be used or disclosed;
- an identification of the persons or class of persons authorized to make the requested use or disclosure;
- an identification of the authorized recipients or class of recipients of PHI;
- a description of each purpose of the requested use or disclosure;
- an expiration date or event related to the individual who is the subject of the use or disclosure or the purpose of the use or disclosure;
- the signature of the individual or the individual’s authorized personal representative; and
- if signed by a personal representative, then a description of the representative’s authority to act for the individual.
When an individual initiates an authorization for his or her own purposes, the Proposed Rule provides that "at the request of the individual" is a sufficient description of the purpose of the requested use or disclosure.
In addition to the core elements, the standard authorization must contain the following notification statements:
- a statement that the individual has the right to revoke the authorization, and either exceptions to the right to revoke and a description of how to exercise the right, or a reference to the covered entity's privacy notice if the instructions are included in the notice;
- a statement regarding the ability or inability of the covered entity under the Privacy Rule to condition treatment, payment, enrollment or eligibility for benefits on the authorization by stating either (i) the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when such prohibition applies, or (ii) if the covered entity is permitted to place such conditions, then an explanation of the consequences of the individual's refusal to sign the authorization; and
- a statement regarding the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and thus, outside the protection of the Privacy Rule.
While the Proposed Rule attempts to standardize authorizations based on these core elements and required statements, it maintains special requirements and exceptions for authorizations to use and disclose psychotherapy notes, marketing communications and for research (as discussed below). For instance, the authorization for marketing still must state whether the authorization is expected to result in remuneration to the covered entity from a party other than the patient. However, the covered entity is not required to disclose remuneration it receives in connection with non-marketing-related authorizations.
Accounting for Disclosures Made Pursuant to an Authorization
The Proposed Rule maintains an individual’s right to obtain an accounting of certain disclosures of PHI by a covered entity. However, it significantly reduces the administrative burden on covered entities by eliminating the requirement that covered entities account for disclosures made pursuant to an authorization. In addition, covered entities are not required to account for disclosures to the individual who is the subject of the PHI, made to carry out treatment, payment and health care operations, to facility directories and other listed exceptions. Consequently, under the Proposed Rule, covered entities would need to account for significantly fewer disclosures.
Minimum Necessary Requirement
The Proposed Rule generally maintains the controversial Privacy Rule requirement that covered entities make reasonable efforts to limit their uses and disclosures of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. The Proposed Rule, however, reduces the applicability of the requirement by providing that it does not apply to uses and disclosures pursuant to an individual’s authorization. The covered entity otherwise must continue to abide by the terms of the authorization with respect to the amount of information to be used or disclosed. Furthermore, any state laws that restrict the amount of PHI to be used or disclosed would still apply to the use or disclosure.
Unintended Uses and Disclosures
The Proposed Rule addresses concerns about unintended violations of privacy requirements caused by uses or disclosures that are the result of or incidental to an otherwise permissible use or disclosure. It permits such incidental uses or disclosures so long as the covered entity has complied with the minimum necessary requirement in making the use or disclosure and has implemented reasonable safeguards to limit unintended uses or disclosures. For example, a health care provider would not violate the privacy requirements when a person who is not authorized to access PHI happens to walk by medical equipment containing a patient’s health information or overhears a conversation between a physician and a nurse in a hospital emergency department.
Disclosures for Use by Another Covered Entity
The Proposed Rule clarifies circumstances under which one covered entity may disclose PHI to another covered entity for the TPO purposes of the receiving covered entity without the patient’s signed authorization. First, a covered entity may disclose a patient’s PHI for the treatment activities of another provider. For example, a primary care physician may disclose information to a specialist to use while treating the patient. Second, a covered entity may disclose PHI to another covered entity for the payment activities of the receiving entity. Third, the Proposed Rule would permit a covered entity to disclose an individual’s PHI to another covered entity for certain health care operations of the receiving entity if both entities have a relationship with the individual. Such health care operations include quality improvement, peer review, health care fraud and abuse detection and compliance programs, medical education and other listed activities. Finally, the Proposed Rule clarifies that covered entities participating in an organized health care arrangement may share PHI for the health care operations of the arrangement.
Parents’ Right to Access Minor-Child’s PHI
The Proposed Rule maintains the approach of the Privacy Rule with respect to parental rights to a child’s health information. However, it makes technical changes to clarify that state law determines whether parents of a child may have access to health information about the child.
The Proposed Rule maintains the general approach to marketing communications under the Privacy Rule, but makes a significant change to address concerns expressed by health care consumers to limit intrusive marketing and reduce the Privacy Rule’s perceived interference with the flow of information that relates to patient treatment. The Proposed Rule generally defines marketing to mean a communication about a product or service to encourage recipients of the communication to purchase or use a product or service and limits the definition by specifying exceptions to it. Before a covered entity may make any marketing communication, the Proposed Rule generally requires that a covered entity obtain the patient’s signed authorization unless there is an applicable exception to the authorization requirement.
Definition of "Marketing"
The Proposed Rule revises the exceptions to the Privacy Rule definition of marketing to include certain communications within the definition and to except other kinds of communications. It clarifies that marketing excludes communications about a product or service to an individual for treatment, case management and care coordination of the patient. It maintains the exclusion of communications to describe the entities participating in a health care provider or health plan network, or to describe if, and the extent to which, a product or service is provided or paid for by a covered entity or included in a plan of benefits. The Proposed Rule also would eliminate the distinction between written communications by providers where they are not compensated and those where they are compensated. Under the Privacy Rule, if a provider was compensated for a written communication, the Privacy Rule considered this communication to be marketing. Based on provider concerns that this approach could preclude treatment-related communications without an authorization, e.g., refill reminders, the Proposed Rule would exclude from the definition of marketing a written communication made for treatment purposes, case management or care coordination, even if a provider were compensated for that communication.
DHHS asserts in the preamble to the Proposed Rule that fewer communications constitute marketing. But the accuracy of this assertion depends on how narrowly a covered entity interprets the Privacy Rule’s definition of marketing and the extent to which it uses written marketing brochures and publications. Only if fewer communications fall within the definition of marketing will the burdens on a covered entity to obtain the patient’s signed authorization for marketing activities be reduced.
The Proposed Rule makes more stringent the general requirement that a covered entity obtain the patient’s signed authorization before making any communication falling within the definition of marketing. It does, however, maintain the exceptions to the authorization requirement for marketing communications made in a face-to-face communication and for promotional gifts of nominal value. Nevertheless, the authorization for marketing still must state whether the marketing is expected to result in remuneration to the covered entity from a third party.
The Proposed Rule removes two exceptions to the authorization requirement that were contained in the Privacy Rule. It deletes the exceptions for targeted marketing based on an individual’s health status and for marketing newsletters and other general types of marketing tools distributed to a broad cross-section of patients, enrollees or other broad groups of individuals. As a result of these deleted exceptions combined with the breadth of the proposed definition of marketing, the Proposed Rule likely results in a net increase in the number of promotional communications that will require an individual’s prior authorization.
The Proposed Rule would simplify Privacy Rule requirements related to research and make them more consistent with the "Common Rule" governing federally funded research.
The Proposed Rule maintains the Privacy Rule’s general requirement that a researcher obtain an individual’s authorization to use or disclose PHI for purposes of research, but reduces the administrative burdens created by the requirement. The Proposed Rule permits researchers to use one document to obtain both an individual’s informed consent to the research and permission to use and disclose PHI in connection with the research. Further, the Proposed Rule clarifies that the Privacy Rule requirement that an authorization contain an expiration date or event may be satisfied by a statement that the authorization expires at the "end of the research study."
Research Transition Provisions
The Proposed Rule streamlines the Privacy Rule’s approach to the effect of an authorization or other express legal permission to use health information for research purposes obtained prior to the privacy rule compliance date of April 14, 2003 (or April 14, 2004 for small health plans). It would permit researchers to rely upon any of the following legal permissions:
- the authorization or other express legal permission from an individual research subject to use PHI for the research study;
- the informed consent of the individual to participate in the research study; or
- a waiver by an Institutional Review Board (IRB) of informed consent for the research study in accordance with federal requirements regulating such IRB waivers.
However, if informed consent is sought from an individual after the applicable privacy rule compliance date, the researcher must obtain an authorization.
Authorization Waiver Criteria
The Proposed Rule also eliminates two requirements of the Privacy Rule for obtaining an alteration or waiver of the authorization requirement from an IRB or a privacy board. Specifically, it would no longer be necessary for the IRB or privacy board to make the highly subjective determination that the privacy risks are reasonable in relation to anticipated benefits to the individual research subjects and the importance of the knowledge that may reasonably be expected to result from the research. The Proposed Rule would also eliminate the criterion in the Privacy Rule that the alteration or waiver will not adversely affect the privacy rights and the welfare of the research subjects. This change has been proposed because that criterion seemed to conflict with the Privacy Rule’s criterion regarding the assessment of minimal privacy risk.
The Proposed Rule seeks to reduce the burden associated with the Privacy Rule requirement that covered entities include several privacy-related provisions in contracts with their business associates. It supplies model contract provisions to facilitate the process of adding these provisions to contracts with business associates and gives covered entities (except for small health plans) more time to enter into compliant contracts.
For contracts with business associates that are in effect prior to April 14, 2003, the Proposed Rule generally would not require the business associate language to be included until the earlier of the date the contract is otherwise renewed or modified and April 14, 2004. However, if a covered entity enters into a contract after the effective date of the Proposed Rule (yet to be determined), the contract must include the business associate provisions by April 14, 2003. Thus, at a minimum, if a contract is effective on January 1, 2003, and is renewed on January 1, 2004, then the covered entity must amend the contract to include the required business associate contract provisions by January 1, 2004. In addition, if, for example, the Proposed Rule were to become final on July 1, 2002 and a covered entity enters into a contract on July 2, 2002, this contract would need to include business associate language by no later than April 14, 2003.
Notwithstanding the need and timing for business associate language, a covered entity must still grant an individual the rights to access and request amendments to PHI held by a business associate and obtain an accounting for certain uses and disclosures of PHI held by a business associate beginning April 14, 2003, even if a business associate contract is not required by that date. Thus, as a practical matter, a covered entity must obtain some agreement or assurance that a business associate will enable the covered entity to grant the rights described above to individual patients.
Issues for Employers
The Proposed Rule attempts to make the Privacy Rule requirements less burdensome and costly for employers. It clarifies that group health plans may disclose, and authorizes health insurance issuers to disclose, enrollment and disenrollment information to an employer or other group health plan sponsor without amending plan documents.
The Proposed Rule also revises the definition of PHI to exclude a covered entity’s employment records about its employees from the definition. Consequently, the Privacy Rule requirements generally would not apply to uses and disclosures of employment records held by a covered entity in its role as an employer.
Hybrid Entities and Health Care Components
The Privacy Rule defines "hybrid entity" as a single legal entity that is a covered entity and whose covered health care functions are not its primary functions. The Proposed Rule revises this definition of hybrid entity and the definition of a health care component of a hybrid entity in order to permit an entity, which is engaged in both health care and non-health care functions, to choose whether or not to designate itself as a hybrid entity or as a full covered entity. Thus, each covered entity engaged in dual functions should determine whether or not it is more advantageous to be a hybrid entity. One advantage of becoming a hybrid entity is that the components or divisions of an entity that are not health care components would not be required to abide by the Privacy Rule. If an entity elects to designate itself as a hybrid entity, then it must erect firewalls to preclude information flow between health care components and other parts of the entity.
De-identified Health Information
The Proposed Rule leaves intact the requirements for creation, use and disclosure of de-identified health information without an individual’s authorization. However, DHHS is soliciting additional comments regarding alternative approaches to de-identification, including the creation of a limited data set of health information that includes some identifiers, such as the date of a patient’s injury or month of birth, in order to make de-identified information more useful for research, public health activities and health care operations. Thus, DHHS could include such an alternative approach when it publishes the new privacy rule.
Because the Proposed Rule, if finalized, would maintain most components of the Privacy Rule, covered entities should continue their planning and implementation efforts and merely consider adjustments to their implementation priorities to reflect the proposed changes contained in the Proposed Rule. One such adjustment, for example, might be to defer the creation of a consent form for uses and disclosures of PHI for TPO purposes, until such time as the new privacy rule is published.
We look forward to assisting you in analyzing the implications of the Proposed Rule and identifying ways to adjust your implementation efforts to ensure compliance with the Privacy Rule by the compliance date of April 14, 2003 (or April 14, 2004 for small health plans). For more information about the Privacy Rule, please see the Health Law Update on the Privacy Rule that was published on January 5, 2001.