Major Rule Changes Proposed by HHS In Consent, Marketing and Other Areas

The Department of Health and Human Services (HHS) kept its promise to revise some of the more burdensome and disruptive requirements of the HIPAA patient privacy regulations by proposing modifications to the regulations on March 21, 2002. The proposed rules, which will change the final regulations issued in December 2000, appeared in the March 27, 2002, Federal Register and provided interested parties with a 30-day comment period.

Go to www.AISHealth.com/Compliance/HIPAARegs032202.html to view the proposed rules, preamble language and a side-by-side comparison of this new proposal.

Here is a quick summary of how these changes will impact your HIPAA compliance if they are implemented without further modification:

Consent and Notice: As proposed, a covered entity with a direct treatment relationship with the patient would no longer be required to obtain a patient's consent for treatment, payment, and health care operations (TPO), but still could elect to obtain consent. In lieu of the mandatory consent requirement for TPO, HHS would require providers with a direct treatment relationship to make a good-faith effort to have patients acknowledge in writing their receipt of the Notice of Privacy Practices upon the first visit to a provider or facility (the "initial moment"). The proposal does not prescribe how the patient should acknowledge receipt but suggests signing the notice or initialing a log that confirms receipt of the notice. If the first service is delivered electronically, the covered entity must capture an electronic acknowledgment of receipt.

The only exception to the requirement is an emergency treatment situation. Covered entities must provide the privacy notice as soon as is "reasonably practicable" after the emergency treatment, but otherwise are exempt from making a good-faith effort to obtain written acknowledgment. Other covered entities, such as health plans, would not be required to obtain this acknowledgment from individuals, but could do so if they chose.

Unlike the Privacy Rule's consent requirement, an individual's failure or refusal to acknowledge the notice would not interfere with the provider's ability to deliver timely and effective treatment as long as the covered entity has documented its good-faith efforts to obtain such a signature.

Elimination of the mandatory consent requirement does not affect the need to obtain authorizations for use and disclosure of PHI for non-TPO purposes -- even if the covered entity elects to obtain consent.

HHS decided to propose elimination of the mandatory consent for TPO because the requirement could create barriers to the efficient delivery of health care -- for pharmacists filling prescriptions, referrals to specialists or hospitals, emergency providers, treatment on the phone, minors who become "of age" and require a transfer of consent from parent to child. Consumer advocates, however, see elimination of the consent requirement as a "devastating blow to patient privacy."

Minimum Necessary and Oral Communication

The new proposal emphasizes that the minimum necessary standard is reasonable and flexible, not strict and absolute. It does not intend to impede the delivery of health care or "to override the professional judgment of the covered entity." As long as covered entities use reasonable safeguards to protect PHI and make sure that only the "minimum necessary" is used or disclosed, physicians and others involved in patient care should not be fearful of oral or other incidental disclosures (e.g., if another patient overhears a portion of a conversation).

An incidental use or disclosure would be a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure. HHS evidently will tolerate incidental disclosures, such as from patients' charts at bedside, a sign-in sheet in a waiting room, or an empty prescription vial, as long as reasonable safeguards are in place. However, it will not treat errors that are the result of mistakes or neglect as "incidental use or disclosure."

While covered entities are expected to take "reasonable" steps to protect PHI and limit its disclosure to the minimum necessary, expensive facility or computer upgrades are not required. However, some adjustments such as isolating and/or locking file cabinets may be required to meet the safeguard.

The proposal also would exempt from the minimum necessary standard any uses or disclosures for which the covered entity has received a valid authorization.

Business Associates

Two major changes are proposed with regard to business associates: (1) to "make it easier and less costly" to comply, HHS provides a model business associate agreement; and (2) covered entities would have an extra year -- until April 2004, rather than 2003 -- to make certain business associate contracts comply with HIPAA. To qualify for the extension, the agreements must be in existence on the date the transition provisions (not the privacy rule) take effect and must not require modification or renewal before April 14, 2003. The only exception to these conditions is an evergreen contract -- a contract that automatically renews without any change or action by the parties. These contracts are eligible for the extension and do not automatically terminate upon rollover.

The extra year would not pertain to (a) small health plans, (b) oral or other agreements that are not in writing; (c) new agreements entered into after the effective date of the transition rule's provisions (which will be well before April 13, 2003). Contracts in all of these circumstances must be HIPAA-compliant on April 13, 2003.

During the transition period, the eligible contracts are deemed to be compliant until either the covered entity renews or modifies the contract following the April 14, 2003, compliance date, or April 14, 2004, whichever is sooner. Covered entities would be able to disclose protected health information to the business associate or allow the business associate to create or receive protected health information on its behalf, during this time period even though the contract may not meet the rule's contract requirements.

Marketing

The new rule strengthens consumer protections by requiring authorizations from patients (an "opt-in") before their PHI may be used or disclosed for any marketing purpose. (The rule adds a provision explicitly requiring this authorization.) The proposed rule eliminates the exceptions that currently exist in sec.164.514 (e). Doctors and covered entities would not be prohibited from explaining treatment options, including disease management programs, to patients, and the proposal intends to dispel the concern that treatment-related communications, such as prescription-refill reminders, would fall under the definition of marketing. The proposal would clarify that the effect of the communication, not the intent of the communicator, determines whether the communication was "marketing."

Authorizations

The proposal calls for a single type of authorization form to get a patient's permission for a specific use or disclosure. This change would preserve a patient's rights to make individual decisions to release PHI but streamline the paperwork for covered entities. Because of the consolidation of the three authorizations currently required by the regulations, the proposed provision would add several notifications for the text of the authorization. Other clarifications ensure that an insurer has the right to contest the health care policy and that a valid authorization exempts those uses and disclosures from the minimum necessary standard.

The modifications to the authorization provisions also clearly limit the use and disclosure of psychotherapy notes without authorization to treatment, payment or health care operations purposes.

Disclosures for TPO of Another Entity

While "carefully limiting the expansion" of information sharing, the new rules would clarify that covered entities can use or disclose PHI for its own treatment, payment, or health care operations and may disclose PHI for the treatment activities of another covered entity or provider without the authorization required by the current rules. The example provided by HHS involves a PCP who -- absent this modification -- would not be allowed to send PHI to a specialist without the patient's authorization.

For payment purposes only, the proposal permits such disclosures to both covered and noncovered providers and to covered health plans. Disclosures to another entity for operations are limited to specific activities that generally affect quality of care and compliance.

Miscellaneous Provisions

The proposed modifications also (a) clarify that disclosures are permitted in certain circumstances for the sale of a covered entity's business; (b) reaffirm the supremacy of state law in terms of parental access to the PHI of minors, (c) permit researchers to use a single combined form for consent, (d) make it clear that group health plans and insurers can disclose enrollment/disenrollment information to a plan sponsor without amending plan documents; (e) free covered entities from having to account for disclosures of PHI that are authorized by a patient; (f) proposes several modifications related to "hybrid" entities; and (g) allows covered entities to continue disclosing information to non-government entities subject to FDA jurisdiction regarding the quality, safety and effectiveness of FDA-regulated products and activities.

Advertise With AIS

Privacy

Site Map