November 2002

Legislative Watch

By George G. Olsen, JD

On August 14, 2002, the Secretary of Health and Human Services (HHS) promulgated a final rule entitled “Standards for Privacy of Individually Identifiable Health Information.” In common parlance, it is simply the Privacy Rule.

HISTORY

The Health Insurance Portability and Accountability Act (HIPAA) became law on August 21, 1996. HIPAA authorized the Secretary of HHS to publish standards to protect the privacy of individually identifiable health information if Congress failed to enact medical records privacy legislation by August 21, 1999. HIPAA also directed the Secretary of HHS, Donna E. Shalala, to provide Congress with recommendations for legislation to ensure the confidentiality of medical records. Although recommendations were transmitted to Congress on September 11, 1996, the legislature did not pass privacy legislation within its self-imposed deadline.

When Congress failed to act, Secretary Shalala published a proposed rule on November 3, 1999. The proposal was complicated and highly controversial—it drew a staggering 52,000 comments, many expressing reservations about the rule. After assessing these comments, Shalala issued a final rule on December 28, 2000. Again, the Department of Health and Human Services was deluged with comments that “exhibited substantial confusion and misunderstanding about how the Privacy Rule will operate” while others “expressed great concern over [its] complexity.”¹ In light of these concerns, the new Secretary of HHS, Tommy Thompson, opened the Privacy Rule for further public comment in February 2001 “to ensure that the provisions of the Privacy Rule would protect patients’ privacy without creating unanticipated consequences that might harm patients’ access to health care or quality of health care.”¹

Persuaded that the comments raised legitimate issues, the Secretary pursued a comprehensive plan to reevaluate the Privacy Rule. The effort included the development of guidelines on how the rule should be implemented, public hearings before the National Committee for Vital and Health Statistics, and the preparation of modifications to the Privacy Rule to resolve problems precipitated by the unintended effects of the regulation on health care delivery, quality, and access. These activities culminated in the new final rule published on August 14, 2002.

Health care providers, health plans, and health care clearinghouses—covered entities under the Privacy Rule—must be in compliance with the regulation by April 14, 2003. Small health plans have an extra year to achieve compliance.

The recently published Privacy Rule differs from its December 28, 2000, predecessor in several critical respects. As described below, these modifications are of significant benefit to health care providers and their patients. They maintain strong protections for the privacy of medical records while (1) clarifying the operation of the rule; (2) alleviating its unintended adverse effects on health care quality and access; and (3) reducing the administrative burden for covered entities.

CONSENT

Pursuant to the December 28, 2000, rule, a covered entity was required to secure advance consent from each person to use his or her protected health information for treatment, payment, or health care operations. The consent had to be written in plain language, make specific reference to the entity’s notice of privacy practices, and delineate certain rights such as the right to revoke the consent. A provider was permitted to condition treatment on receipt of the consent and similarly a health plan could refuse enrollment if consent was not furnished.

The new final rule eliminates the consent requirement entirely. Based on the administrative record, HHS concluded that the consent requirement would have interfered with patient care, compromised the ability of providers to render timely care, and could have precluded some providers from furnishing care altogether. The new rule permits a covered entity to request consent if it so desires but it is no longer mandatory. However, a direct treatment provider (eg, physician, pharmacist, or hospital) must have written proof that the patient had received a copy of the provider’s notice of privacy practices. The regulation does not specify the form of the acknowledgement from the patient. The acknowledgement must be obtained even if the covered entity elects to obtain consent from the patient.

DISCLOSURE

The initial Privacy Rule required a covered entity to secure written authorization (as distinct from consent) from the patient before it could disclose protected health information to another covered entity for that entity’s health care operations or payment. Comments on this provision led HHS to determine that this mandate would impede the flow of legitimate and important information among covered entities especially in the areas of reimbursement and quality assessment and assurance. Accordingly, the Secretary’s new regulation authorizes a covered entity to disclose protected health information to another covered entity for (1) treatment of the patient by a health care provider; (2) for use by the second entity in securing payment; and (3) for the second entity’s health care operations if both entities have or had a relationship with the patient and the information pertains to that relationship. For the purposes of this provision, “health care operations” includes medical education or training, fraud and abuse detection or compliance programs, accreditation and certification activities, licensing, peer review and quality assessment, case management, and population- based functions to improve health or reduce costs.

MARKETING

As a general proposition, the December 2000 Privacy Rule required a covered entity to obtain an individual’s written authorization to use protected health information in a marketing communication. However, a covered entity was permitted to make a marketing communication without such authorization if the communication: (1) identified the covered entity as the party making the communication; (2) stated (if applicable) that the covered entity had received direct or indirect remuneration from a third party for making the communication; (3) contained instructions on how to opt out of receiving such communications; and (4) explained why the individual was targeted for the communication.

The August 2002 Privacy Rule bars covered entities from disclosing protected health information for marketing purposes unless it has obtained authorization from the individual. The prohibition does not extend to face-to-face communications or promotional gifts of nominal value offered by the covered entity. However, the new rule streamlines the authorization process and permits covered entities to use a single form for all individual authorizations, including marketing communications. Note that the authorization for marketing must disclose whether the marketing involves direct or indirect remuneration to the covered entity.

The August 2002 Privacy Rule also seeks to bring clarity to the definition of “marketing”—a term that caused confusion in previous iterations of the regulation. The new rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Marketing does not include a communication made to describe a health-related product or service that is provided by, or included in a plan of benefits of, the entity making the communication; for the treatment of the individual; for care management or care coordination for the individual; or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the patient.

AUTHORIZATION

The new final Privacy Rule requires each authorization to contain the following elements:

• A specific and meaningful description of the protected health information to be used or disclosed;
• An identification of the recipients of the protected health information;
• Identification of the persons authorized to make the disclosures;
• A description of each purpose of the use or disclosure;
• An expiration date or event that will terminate the authorization; and
• The signature of the individual or individual’s authorized representative and a description of the representative’s authority to act.

The authorization must also include statements concerning the individual’s right to revoke the authorization, the potential that information disclosed pursuant to the authorization could be subject to redisclosure by the recipient, and the ability or inability of the covered entity to condition treatment, payment, or enrollment on the authorization.

MINIMUM NECESSARY

The December 2000 rule imposes the requirement that a covered entity make reasonable efforts to limit its use or disclosure of protected health information to the minimum necessary to achieve the purpose of the use or disclosure. Although this is a highly controversial provision, it was preserved in the new final rule. The scope of the requirement is slightly modified, however, by excluding uses and disclosures made pursuant to authorizations.

There are numerous other changes made by the August 2002 Privacy Rule that should be carefully studied by covered entities as they prepare for compliance with the regulation. A copy of the rule is available electronically at the HHS Office of Civil Rights Privacy Web site at www.hhs.gov/ocr/hipaa/. The lengthy preamble to the rule is a treasure trove of useful information and guidance on the Privacy Rule. ®

REFERENCE

1. 1. Health and Human Services Department. Individually identifiable health information; privacy standards, 53181–53273 [02–20554]67. Federal Register. August 14, 2002;67(157). Available at: www.access.gpo.gov/su_docs/fedreg/a020814c.html. Accessed September 27, 2002.

George G. Olsen, JD, is a partner of the firm Williams & Jensen, PC, Washington, DC. He is also legal counsel for the National Association of Rehabilitation Agencies and Providers.

Editor’s Note: For the latest news on HIPAA, be sure to read Rehab Management’s newest column starting in the January/February 2003 issue, “Avoid the HIPAA Hoodwink.”

LOOKING FOR EXPERT ADVICE? Experts here are available to answer all your questions! Please contact us for more information about this feature, or to become an expert.

MEDIA CENTER Interactive Media  Archives  · November 2008  · October 2008  · August/September 2008  · Fall 2008 Product Directory  · July 2008  · June 2008  · May 2008  · April 2008  · March 2008  · January/February 2008  · All Archives  Newsletter  · Rehab Today Resources Classifieds Calendar Consumer Resources Media Kit Advertiser Index EAB Reprints Submit an Article