Final Privacy Regulations Are Issued Under HIPAA

The first guidance was issued in early July 2001 on the new federal privacy regulations. Click here for the new guidance and for the text of the privacy regulations. Belwo is Crowell & Moring's Health Care Group's analysis of the new regulations.

Introduction

Today, the long-awaited rule regulating privacy of medical records was published in the FEDERAL REGISTER (65 Fed. Reg. 82462). The lengthy final rule, designed to implement a few paragraphs in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), goes into effect in sixty days. Health care providers, group health plans, and other businesses are given two years from that effective date to come into compliance with a significant array of new requirements. Overall, the final rule mirrors in most respects the proposed rule published in November 1999. It applies directly to covered entities-health care providers, insurers (including Medicare and other government programs), and clearinghouses-and indirectly to other entities, dubbed "business associates," that receive individually identifiable health information, (which is called protected health information ("PHI")) to help covered entities do their jobs (e.g., legal, actuarial, accounting, consulting, management, administrative accreditation, data aggregation, financial services).

The final rule goes well beyond the requirements of the proposed rule and of HIPAA itself-which on its face is limited to electronically transmitted health data-by regulating all identifiable health information irrespective of how that information is stored or transmitted. The final rule, thus, covers physicians who do not maintain or transmit electronic patient records. In this regard, the final rule may well face a Commerce Clause or even Chevron I challenge.

The final rule provides patients with a greater apparent ability to control the movement of their health care information than did the proposed rule. Under the proposal, PHI could be disseminated without a patient's permission for payment, treatment or health care operations. The final rule changes that by requiring two types of permission: "consent," and "authorization." See section 164.502. Consent is the permission provided by an individual for PHI to be used for purposes of payment, treatment, or health care operations. Authorization, in contrast, is the narrower, written permission provided by individuals for any other use of PHI, when such authorization is required. There are detailed standards for both consents and authorizations depending on the type of covered entity, and the type of use or disclosure contemplated.

Although the regulation is to go into effect on February 26, 2001, the new administration, if it stays in keeping with the practices of prior new administrations, could impose a 60- or 90-day moratorium on all new rules that have yet to take effect. Moreover, to the extent that a new rule contains provisions of questionable constitutionality-as may be the case with the HIPAA rule-the new President may invoke his powers under the Take Care Clause of the Constitution and decline to implement the rule until the constitutional infirmities have been corrected.

Below we present a summary of the final HIPAA rule and highlight some of the salient differences between the proposed and final rules. First, we present the general structure through a summary. Second, we note the pivotal terms and provide a summary of their definitions. Third, we describe the key features of the regulation.

I. General Structure

The final rule seeks to protect the confidentiality of an individual's identifiable health information directly by regulating the use and dissemination of the information by covered entities-health care providers, group health plans, and clearinghouses-and indirectly by regulating the business arrangements between covered entities and their "business associates." The general framework for the types of permission required for the use and disclosure of PHI by covered entities is found in sections 164.502 through 164.514 of the regulation.

Overall, a covered entity may not disseminate protected health information, even for purposes of treatment, payment or health care operations, unless the individual has originally consented to the dissemination (or use). When use or dissemination is permitted, the covered entity may, in most cases, only disseminate the minimum necessary information. Further, the rule prohibits a covered entity from using or disseminating protected health information for purposes other than treatment, payment, or health care operations, unless the patient has expressly authorized the use or dissemination, or the use or disclosure is specifically permitted under the rule.

Covered entities must keep records of information that they have disseminated, must provide for access to individuals of their protected health information, must make themselves available for inspection by the Secretary of HHS, and can only disseminate PHI to those "business associates" that have contractually agreed to be bound by the provisions of the rule.

II. Definitions

As in the proposed rule, the final rule contains numerous definitions. Many key terms that were defined in the proposed regulations are largely unchanged, including definitions for covered entity, group health plan, health care provider, health care, health care clearinghouse, health information, and transaction.

The final rule has substantially modified the term health care operations. The proposed rule had generally limited health care operations to activities that were related to the treatment or payment for services for an individual. The final rule now covers within the scope of health care operations such activities as business planning and development, business management and general administrative activities of the entity, including customer service, and due diligence in connection with the sale or transfer of assets to a potential successor in interest, creating de?identified health information, fundraising for the benefit of the covered entity, and marketing. The use of PHI for several of these activities (e.g., fundraising and marketing) is in turn limited by other provisions of the rule, even though the activities fall within the category of health care operations.

The final rule has added several new definitions. There is now a definition for trading partner agreement, which is an agreement related to the exchange of information in electronic transactions. Trading partner agreement is also a defined term in the final regulations governing standards for electronic transactions (65 Fed. Reg. 50312 (Aug. 17, 2000)). The term business partner has been changed to business associate, a term that is also used in the final standard electronic transaction rules, but remains essentially unchanged from the proposed rule.

The most notable additional term in the final rule is a definition for marketing, discussed in greater detail below.

III. Key Features

Section 164.506-Consent

Health Care Providers: Unless otherwise excepted, a covered health care provider must obtain the individual's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. A covered health care provider may use or disclose protected health information to carry out treatment, payment, or health care operations without consent if its relationship with the patient is only indirect, or if the patient is an inmate. Exceptions also exist for emergencies and other circumstances in which requiring consent would likely be unfair or impossible.

Other Covered Entities: Even if a covered entity is not required to obtain consent under 164.506(a)(1), it may obtain an individual's consent for the covered entity's own use or disclosure of protected health information to carry out treatment, payment, or health care operations.

Conditioning Treatment, Payment or Enrollment on Consent: A health plan may, as a condition of enrollment, require an individual to execute a consent form thereby permitting the use and dissemination of PHI for treatment, payment, and operational purposes. Correspondingly, a covered health care provider may, as a condition of treatment, require an individual to execute a consent.

Form and Content of Consent: The regulations provide detailed standards for consent forms. These include, generally, not combining a consent form with any other document, providing notice of the individual's revocation rights, and maintaining executed consent forms. The final rule also creates a mechanism by which covered entities that participate in an organized health care arrangement may establish a joint consent.

Section 164.508-Authorization

Unless the regulation specifically provides otherwise, a covered entity may not use or disclose protected health information for purposes other than treatment, payment or health care operations without a valid authorization.

Required Form and Content of Authorization-

General Rule: As with consents, the regulation sets out detailed standards for the form and content of an authorization. The rule provides for slightly different standards for authorizations permitting a covered entity to use or disclose information on its own behalf, versus permitting the use or disclosures by third parties. Generally, however, an authorization must provide a fairly specific description of the type of information that is to be used or disclosed and the purpose of the use or disclosure, as well as a statement that the authorization is not required to be signed, and may be revoked.

Special Rules for Psychotherapy Notes: The rule sets out specific and detailed limitations on the use and disclosure of psychotherapy notes. With very limited exceptions, a specific authorization is always required for the use or disclosure of psychotherapy notes.

Limited Right to Restrict the Provision of Treatment, Payment, or Enrollment: A covered entity may not generally require an individual to execute an authorization as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits. However, there are notable exceptions. Specifically, if an authorization is not for the use or disclosure of psychotherapy notes, then:

• a health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if the authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
• a health plan may condition payment of a claim for specified benefits on provision of an authorization, if the disclosure is necessary to determine payment of such claim.

Authorization Related to Treatment Provided in Tandem with Research: The final rule deleted the special provisions that governed "research unrelated to treatment," and instead establishes specific requirements for authorizations for research that includes treatment of the individual.

Generally, unless the research falls within the waiver of authorization provisions of section 164.512, if a covered entity creates protected health information for the purpose of research that includes treatment, it must obtain an authorization that contains a disclosure regarding the extent to which PHI will be used or disclosed to carry out treatment, payment, or health care operations.

The authorization may, however, be in the same document as a consent to participate in the research; a consent to use or disclose protected health information to carry out treatment, payment, or health care operations under § 164.506; or a notice of privacy practices under § 164.520.

Section 164.510-Opportunity to Object

As noted above, there are circumstances under which a covered entity may use or disclose protected health information without either a written consent or authorization. However, even where a consent or authorization is not required, the covered entity must alert the individual in advance that the covered entity contemplates using or disclosing his or her PHI. The individual may object to or restrict the proposed use or dissemination. The rule sets out detailed standards for implementing this provision, including a proviso that permits the process to be done orally.

Section 164.512-Exemptions from Consent, Authorization, or Opportunity to Object

Under certain circumstances, a covered entity may use or disclose protected health information without a written consent or authorization and without providing advance notice to the individual, as follows.

• Uses and disclosures required by law.
• Uses and disclosures for public health activities. In a departure from the proposed rule, this section has expanded permissible uses and disclosures for entities that are subject to FDA regulation, to permit the reporting of adverse events, product defects or problems in regulated devices or drugs, to track products, to enable product recalls, repairs, or replacement, or to conduct post marketing surveillance.
• Disclosures about victims of abuse, neglect or domestic violence.
• Uses and disclosures for health oversight activities.
• Disclosures for judicial and administrative proceedings.
• Disclosures for law enforcement purposes.
• Uses and disclosures about decedents.
• Uses and disclosures for cadaveric organ, eye or tissue donation purposes.
• Uses and disclosures for research purposes. (See expanded discussion below.)
• Uses and disclosures to avert a serious threat to health or safety.
• Uses and disclosures for specialized government functions.
• Disclosures for workers' compensation.

Section 164.512(i)-Permitted Uses and Disclosures for Research

The final rule seeks to superimpose the so-called Common Rule that governs federally-funded or FDA regulated research on all research, irrespective of the funding source, provided that the research involves PHI collected or disseminated by a covered entity.

Under normal circumstances, a covered entity is required to obtain an authorization before using or disseminating PHI for most research purposes. However, an authorization is not required if the researcher's Institutional Review Board ("IRB") (or privacy board) determines, among other things, that the research poses minimal risks to privacy and therefore permits the research to be conducted without an authorization (i.e., waives authorization) and provides the covered entity with documentation to that effect.

IRB approval: In approving a waiver, the IRB must provide eight separate statements documenting that it has considered (1) the risk of disclosure of protected health information; (2) the privacy rights and the welfare of the individuals; (3) the need for the waiver; (4) the need for protected health information; (5) the reasonableness of the privacy risks in relation to the anticipated benefits or importance of the research; (6) the adequacy of the plan to protect the identifiers from improper use and disclosure; (7) the adequacy of the plan to destroy the identifiers at the earliest opportunity; and (8) the adequacy of written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted.

The researcher must provide documentation that the waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:

• An IRB must follow the requirements of the Common Rule, including the normal review procedures; or
• A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one independent member, and the waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure.
• A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and
• The documentation of the waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB or the privacy board.

Section 164.514-De-Identification and Re-Identification.

Once information has been de-identified, the rule makes clear that it is not PHI, and is not subject to the rule. Information that is re-identified continues to be subject to the rule.

De-Identification: The final rule provides for two methods of de-identification. First, a covered entity may rely on a person with "appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" to determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.

Second, the covered entity may remove from the data to be disclosed each of the identifiers enumerated in a lengthy list, for both the individual or of relatives, employers, or household members of the individual. Most of the identifiers remain unchanged from the proposed rules, including names, phone and fax numbers, actual and electronic addresses, Social Security and other unique identifying numbers (including device identifiers), biometric identifiers, such as fingerprints, full face images, and any other unique identifying number, characteristic, or code.

The final rule slightly modifies the required removal of geocode identifying information such that the first three zip code digits would not be considered identifying if the zone to which they are related has at least 20,000 inhabitants.

Re-Identification: Unlike the proposed rules, the final rules permit a covered entity to assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity, so long as certain security criteria have been met.

Sections 164.502 and 164.514-Minimum Necessary Standard.

General Rule: Section 164.502 requires that when using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Covered entities are not required to make a minimum necessary determination in the following situations:

• when a disclosure is made to or requested by a health care provider for treatment;
• when uses or disclosures are made to the individual who is the subject of the PHI;
• when an individual who is the subject of the PHI authorizes a particular use or disclosure;
• when an individual who is the subject of the PHI requests an accounting of disclosures of PHI made by the covered entity;
• when a disclosure of PHI is requested by the Secretary of HHS to determine a covered entity's compliance with the rule, or is required for compliance with applicable requirements of the rule;
• when a use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law (e.g., disclosing PHI under certain conditions when the individual may be a victim of child abuse or neglect).

Implementation of the Minimum Necessary Standard: A covered entity must reasonably ensure that the standards, requirements, and implementation specifications of the minimum necessary standard are met, and must establish a process for handling requests for use and disclosure of PHI. To implement the minimum necessary standard with respect to uses of PHI, a covered entity must:

• determine who in the workforce will need access to PHI to carry out their duties and which type of PHI each employee or category of employee may need to access and attach appropriate conditions to access.

To implement the minimum necessary standard for disclosures of PHI:

• a covered entity must, for any type of disclosure it makes on a routine and recurring basis, implement policies and procedures (e.g., standard protocols) that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure;
• a covered entity must, for all other disclosures, develop criteria designed to limit the PHI to the information reasonably necessary to accomplish the intended purpose, and review requests for disclosure on an individual basis in accordance with such criteria.

In certain situations, a covered entity may reasonably rely on the requester's stated purpose and description of PHI needed. These circumstances are:

• when public officials request PHI, as long as the public officials represent that the information requested is the minimum necessary for the stated purpose;
• when the information is requested by another covered entity;
• when the information is requested by a member of the covered entity's workforce or is a business associate for the purpose of providing professional services to the covered entity, if it is represented that the information requested is the minimum necessary for the stated purpose; or
• when the information is requested for research purposes and the requester has followed certain requirements with respect to requesting the information.

When a covered entity is requesting PHI from another covered entity, it must limit the request to that which is reasonably necessary to accomplish the purpose for which the request is made. Moreover, when making requests, a covered entity must:

• for requests made on a routine and recurring basis, implement policies and procedures (i.e., standard protocols) that limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which it is made;
• for all other requests, review the request on an individual basis to determine that the PHI sought is no more than what is reasonably necessary to accomplish the purpose for which the request is made.
• Finally, a covered entity may only use, disclose, or request an entire medical record when the entire record is necessary to accomplish the intended purpose of the request.

New Developments: Like the proposed rule, the final rule provides only limited exceptions to the requirement that uses and disclosures of PHI be restricted to that which is minimally necessary to accomplish the purpose of the use or disclosure. The standard differs, however, from the proposed rule in several important respects. For example, while the proposed rule required covered entities to make all reasonable efforts to limit uses and disclosures to the minimum amount of information necessary, the final rule calls for reasonable efforts.

Another significant change in the final rule is that a minimum necessary determination need not be made if a health care provider requests or discloses PHI for treatment purposes. Also, the final rule permits covered entities, in certain circumstances, to make a minimum necessary determination by category, as opposed to making an individual determination for each use or disclosure.

Finally, the Secretary has expanded the situations in which covered entities may rely on the requester's definition of PHI rather than having to make a minimum necessary determination.

Section 164.504-Organizational Requirements

Section 164.504 sets out requirements governing disclosures by group health plans to the plan sponsor; for use and disclosure by a covered entity that is part of an organization that engages in activities that would not be considered to be that of a covered entity (e.g., employer-sponsored and administered group health plans) (called a hybrid entity); and for use and disclosure by and among commonly controlled and affiliated entities.

Disclosure by Group Health Plans to Plan Sponsors: The final rule establishes specific standards that, if met, will enable a group health plan to disclose data to a plan sponsor. Generally, in order for an HMO or other health insurance issuer to disclose protected health information to the plan sponsor, it must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of the regulation.

The rule establishes specific elements that must be part of the plan documents in order for the group health plan to disclose PHI to the sponsor. These include setting forth permitted and required uses and disclosures of information by the plan sponsor, providing that the group health plan will disclose protected health information only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate additional required provisions, including requiring the sponsor's agents to comply with the requirements of the rule, and committing the sponsor to otherwise comply with many aspects of the regulation.

The group health plan may also disclose summary health information to the plan sponsor for the purpose of obtaining premium bids from health plans for providing health insurance coverage under the group health plan, or modifying, amending, or terminating the group health plan.

Commonly Controlled and Affiliated Entities: Unlike the proposed rule, the final rule provides for standards governing the use and disclosure of PHI among entities that are commonly controlled or otherwise part of the same corporate family. Under section 164.504, legally separate covered entities may designate themselves as a single affiliated covered entity, for purposes of the rule, if all of the covered entities designated are under common ownership or control.

An affiliated covered entity must ensure that: the affiliated covered entity's use and disclosure of protected health information complies with applicable aspects of the regulation.

Hybrid Entities: The covered entity that is a hybrid entity must ensure that the part of the entity that engages in activities that make it a covered entity (called a "health care component") complies with all applicable requirements of the rule. In particular, the covered entity must ensure that the health care component does not disclose protected health information to another component of the covered entity in circumstances in which such disclosure would be prohibited under the rule if the two components were separate and distinct legal entities. If a person performs duties for both the health care component and another component, the employee must not use or disclose protected health information created or received in the course of, or incident to the member's work for the health care component in a way prohibited by the rule.

Section 164.514-Marketing

The final rule has significantly clarified the rules that govern marketing. First, it has added a definition for the term marketing:

• to make a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service.

The definition specifically excludes oral communications or those made in writing where the covered entity does not receive remuneration from a third party for making the communication, so long as the communication is made by the covered entity: (1) for the purpose of describing the entities participating in a health care provider network or for the purpose of product description; or (2) is tailored to the circumstances of a particular individual, for treatment purposes.

Use of PHI for Marketing: A covered entity may not generally use or disclose protected health information for marketing without an authorization. However, unlike the proposed rule, the final rule does permit certain marketing activities to be carried out by a covered entity without authorization. The use of PHI for marketing purposes without authorization is permitted only for marketing that:

• Occurs in a face-to-face encounter with the individual;
• Concerns products or services of nominal value; or
• Concerns the health-related products and services of the covered entity or of a third party, so long as (i) the communication identifies the covered entity as the party making the communication; (ii) if the covered entity has received or will receive direct or indirect remuneration for making the communication, the communication prominently states that fact; and (iii) except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributes to a broad cross-section of individuals, the communication contains instructions describing how the individual may opt out of receiving future such communications.

Targeted Communications Based on Health Status: If the covered entity uses or discloses protected health information to target the communication to individuals based on their health status or condition, the covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and must explain why the individual has been targeted and how the product or service relates to the health of the individual.

Disclosure of PHI for Marketing: A covered entity may disclose protected health information for purposes of such communications only to a business associate that assists the covered entity with such communications.

Section 164.514-Fundraising

A covered entity may use, or disclose to a business associate or to an institutionally related foundation, certain categories of protected health information for the purpose of raising funds for its own benefit, without an authorization. The information that can be used or disclosed for this purpose includes demographic information relating to an individual and dates of health care provided to an individual.

Standards for Business Associates

General Rule: The rule generally allows a covered entity to disclose PHI to a "business associate" ("business partner" in the proposed rule) so long as the covered entity "obtains satisfactory assurance that the business associate will safeguard the information." 45 C.F.R. § 164.502(e). For most covered entities, compliance with this provision will require entering into new contracts with vendors and other third parties that meet the definition of "business associate." Such business associates may include other covered entities, but will generally