Changes To HIPAA Privacy Rule Proposed By HHS Secretary - Public Comments Due By April 26, 2002
On Wednesday, March 27, 2002, the Secretary of the Department of Health and Human Services ("HHS") published in the Federal Register an assortment of proposed modifications to the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191 ("HIPAA"). Most health care entities must be fully compliant with the Privacy Rule by April 14, 2003.
These modifications - set forth in a Notice of Proposed Rulemaking ("NPRM"), available at www.hhs.gov/ocr/hipaa - are "designed to ensure that protections for patient privacy are implemented in a manner that maximizes the effectiveness of such protections while not compromising either the availability or the quality of medical care." Overall, the NPRM's biggest impact may be to ease the burden on providers by eliminating requirements regarding patient consent (see below). The proposed rules would also extend the time for certain business associate contracts to come into compliance, and streamline limitations on marketing.
The following is a summary of some of the key changes. Parties interested in filing comments on the NPRM must do so by April 26, 2002.
Consent and Notice
Concerned that the consent provisions as set forth in the Privacy Rule may "result in unintended consequences that impede the provision of health care in many critical circumstances," HHS has proposed changes to the Rule in the NPRM. Specifically, as proposed, "health care providers with direct treatment relationships with individuals would no longer be required to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations." Instead, requiring consent would be optional for health care providers.
To counterbalance the elimination of the consent requirement, HHS proposes to bolster the requirements regarding the provision of notice to patients. In particular, the NPRM would modify the Privacy Rule "to require that a covered health care provider with a direct treatment relationship make a good faith effort to obtain an individual's written acknowledgment of receipt of the provider's notice of privacy practices." Under this "good faith" standard, "an individual's failure or refusal to acknowledge the notice … would not interfere with the provider's ability to deliver timely and effective treatment." The NPRM explicitly refrains from proposing a specific form for the acknowledgment, specifying only that it must be in writing. Moreover, HHS emphasizes that "[o]ther covered entities, such as health plans, would not be required to obtain this acknowledgment from individuals, but could do so if they chose."
Disclosure of PHI
In a further effort to ease the perceived administrative burdens of the Privacy Rule, HHS has proposed broadening the uses and disclosures of protected health information ("PHI") that are permitted as part of treatment, payment, and health care operations (collectively "TPO"). In particular, the NPRM proposes to clarify that a covered entity may (i) use or disclose PHI for its own TPO without prior consent or authorization; (ii) share PHI for the treatment activities of another health care provider; (iii) disclose PHI to another covered entity or health care provider for the payment activities of that entity; and (iv) disclose PHI about an individual to another covered entity for certain health care operations - namely, those involving quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs, and accreditation, certification, licensing, or credentialing activities.
The NPRM would also clarify that covered entities participating in an organized health care arrangement ("OHCA") may share PHI for the health care operations of the OHCA. In proposing these changes, HHS emphasizes that "a covered entity's responsibility to apply the Privacy Rule's minimum necessary provisions to both the disclosure of and request for information for payment and health care operations purposes" would remain unchanged.
Incidental Uses and Disclosures
In the NPRM, HHS proposes to permit certain incidental uses and disclosures that occur as a result of an otherwise permitted use or disclosure under the Privacy Rule. The prototypical example is a confidential oral communication between individual providers, or between a provider and a patient, where there is a possibility that the conversation could be overheard. HHS emphasizes, however, that this incidental use provision would not cover otherwise impermissible or erroneous disclosures, such as requesting a patient's health history on a waiting room sign-in sheet, or mistakenly sending PHI via e-mail to the wrong recipient.
HHS proposes to clarify certain aspects of the "minimum necessary" requirements. For example, any uses or disclosures for which a covered entity has received an authorization that satisfies the Privacy Rule would not be subject to the minimum necessary requirements. As a broader matter, HHS indicates its intent "to issue further guidance to clarify issues causing confusion and concern in the industry, as well as provide additional technical assistance materials to help covered entities implement the provisions."
The NPRM would amend the Privacy Rule's transition provisions "to allow covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date." This provision would apply to existing written agreements which are not renewed or modified between the effective date of the proposed modification and April 14, 2003. HHS specifies that "a covered entity that enters into a contract after the effective date of this modification must have a business associate contract that meets the applicable requirements" of the Privacy Rule. Moreover, even for existing contracts, the new provisions would not relieve a covered entity of the obligation to make PHI held by a business associate available to HHS, or to comply with an individual's right to access, amend, or receive an accounting of the individual's PHI held by a business associate.
In addition to the proposed changes, the NPRM also includes model business associate contract provisions for use by covered entities.
HHS has proposed several measures to simplify the rules regarding marketing. Most significantly, any communication defined as "marketing" under the Privacy Rule would require patient authorization; the disclosure and "opt out" provisions as currently formulated would be eliminated. HHS also proposes to modify slightly the definition of "marketing" to clarify that it applies where "the effect of the communication is to encourage recipients of the communication to purchase or use the product or service." The NPRM does not change the exclusion of face-to-face communications made by a covered entity to an individual from the marketing authorization requirements.
Parental Access to Minors' Records
Among the proposed changes set forth in the NPRM regarding the records of minors, HHS seeks to clarify that "State and other applicable law governs not only when a State explicitly addresses disclosure of protected health information to a parent but also when such law provides discretion to a provider." This deference to State law includes deference to established case law. In general, HHS' approach is premised on the assumption that "current professional health care provider practices with respect to access by parents and confidentiality of minor's records are consistent with State and other applicable law."
HHS proposes to make several changes to the use and disclosure of PHI for research purposes. Among them, HHS would consolidate the criteria used by an IRB or Privacy Board in determining whether to approve a waiver of authorization. HHS would also eliminate provisions specifically applicable to obtaining authorization for research purposes, relying instead on a single set of requirements generally applicable to all types of authorizations (see further discussion below). Authorizations could also be consolidated with other legal permissions related to a research study. In addition, proposed changes would lessen the burden on providers unable to specify a particular expiration date on an authorization form to be used for research purposes.
Finally, HHS would amend the transition provisions of the Privacy Rule to "permit a covered entity to use or disclose for a specific research study protected health information that is created or received either before or after the compliance date … , if the covered entity has obtained, prior to the compliance date an authorization or other express legal permission from an individual to use or disclose protected health information for the research study."
In accordance with the NPRM, HHS would simplify the Privacy Rule by consolidating the implementation specifications for authorizations into a single set of criteria. The proposed modifications "would permit covered entities to use a single authorization form, and make it easier to use for the individual and the covered entity, as well as third parties." HHS also seeks to clarify that with respect to psychotherapy notes, in particular, "this information is not permitted to be used or disclosed without individual authorization for purposes of another entity."
Although the NPRM itself does not propose changes to the safe harbor standard for de-identified information, HHS "requests comment on an alternative approach that would permit uses and disclosures of a limited data set which does not include facially identifiable information but in which certain identifiers would remain." This limited data set would apply to disclosures for "research, public health, and health care operations purposes," and would be conditioned on the covered entity obtaining from the recipients of the information a data use or similar agreement in which the recipient agrees to certain restrictions on the use of the data.
Among other proposed changes and clarifications are the following:
- Group health plans would be able to share enrollment and disenrollment information with plan sponsors without having to amend plan documents.
- The proposed rule would eliminate the requirement that the covered entity account for disclosures authorized by the individual in writing, in accordance with the rule.
- Language would be modified to ensure that covered entities could disclose certain information about quality, safety and effectiveness of FDA-regulated products and activities to private entities subject to FDA jurisdiction.
1 The author acknowledges the valuable assistance of Nancy Wheeler, Esq.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.