By George G. Olsen, JD
On August 14, 2002, the Secretary of Health and Human Services (HHS) promulgated a final rule entitled “Standards for Privacy of Individually Identifiable Health Information.” In common parlance, it is simply the Privacy Rule.
HISTORY
The Health Insurance Portability and Accountability Act (HIPAA) became law on August 21, 1996. HIPAA authorized the Secretary of HHS to publish standards to protect the privacy of individually identifiable health information if Congress failed to enact medical records privacy legislation by August 21, 1999. HIPAA also directed the Secretary of HHS, Donna E. Shalala, to provide Congress with recommendations for legislation to ensure the confidentiality of medical records. Although recommendations were transmitted to Congress on September 11, 1996, the legislature did not pass privacy legislation within its self-imposed deadline.
When Congress failed to act, Secretary Shalala published a proposed rule on November 3, 1999. The proposal was complicated and highly controversial—it drew a staggering 52,000 comments, many expressing reservations about the rule. After assessing these comments, Shalala issued a final rule on December 28, 2000. Again, the Department of Health and Human Services was deluged with comments that “exhibited substantial confusion and misunderstanding about how the Privacy Rule will operate” while others “expressed great concern over [its] complexity.”1 In light of these concerns, the new Secretary of HHS, Tommy Thompson, opened the Privacy Rule for further public comment in February 2001 “to ensure that the provisions of the Privacy Rule would protect patients’ privacy without creating unanticipated consequences that might harm patients’ access to health care or quality of health care.”1
Persuaded that the comments raised legitimate issues, the Secretary pursued a comprehensive plan to reevaluate the Privacy Rule. The effort included the development of guidelines on how the rule should be implemented, public hearings before the National Committee for Vital and Health Statistics, and the preparation of modifications to the Privacy Rule to resolve problems precipitated by the unintended effects of the regulation on health care delivery, quality, and access. These activities culminated in the new final rule published on August 14, 2002.
Health care providers, health plans, and health care clearinghouses—covered entities under the Privacy Rule—must be in compliance with the regulation by April 14, 2003. Small health plans have an extra year to achieve compliance.
The recently published Privacy Rule differs from its December 28, 2000, predecessor in several critical respects. As described below, these modifications are of significant benefit to health care providers and their patients. They maintain strong protections for the privacy of medical records while (1) clarifying the operation of the rule; (2) alleviating its unintended adverse effects on health care quality and access; and (3) reducing the administrative burden for covered entities.
CONSENT
Pursuant to the December 28, 2000, rule, a covered entity was required to secure advance consent from each person to use his or her protected health information for treatment, payment, or health care operations. The consent had to be written in plain language, make specific reference to the entity’s notice of privacy practices, and delineate certain rights such as the right to revoke the consent. A provider was permitted to condition treatment on receipt of the consent and similarly a health plan could refuse enrollment if consent was not furnished.
The new final rule eliminates the consent requirement entirely. Based on the administrative record, HHS concluded that the consent requirement would have interfered with patient care, compromised the ability of providers to render timely care, and could have precluded some providers from furnishing care altogether. The new rule permits a covered entity to request consent if it so desires but it is no longer mandatory. However, a direct treatment provider (eg, physician, pharmacist, or hospital) must have written proof that the patient had received a copy of the provider’s notice of privacy practices. The regulation does not specify the form of the acknowledgement from the patient. The acknowledgement must be obtained even if the covered entity elects to obtain consent from the patient.
DISCLOSURE
The initial Privacy Rule required a covered entity to secure written authorization (as distinct from consent) from the patient before it could disclose protected health information to another covered entity for that entity’s health care operations or payment. Comments on this provision led HHS to determine that this mandate would impede the flow of legitimate and important information among covered entities, especially in the areas of reimbursement and quality assessment and assurance. Accordingly, the Secretary’s new regulation authorizes a covered entity to disclose protected health information to another covered entity for (1) treatment of the patient by a health care provider; (2) use by the second entity in securing payment; and (3) the second entity’s health care operations, if both entities have or had a relationship with the patient and the information pertains to that relationship. For the purposes of this provision, “health care operations” includes medical education or training, fraud and abuse detection or compliance programs, accreditation and certification activities, licensing, peer review and quality assessment, case management, and population-based functions to improve health or reduce costs.
MARKETING
As a general proposition, the December 2000 Privacy Rule required a covered entity to obtain an individual’s written authorization to use protected health information in a marketing communication. However, a covered entity was permitted to make a marketing communication without such authorization if the communication: (1) identified the covered entity as the party making the communication; (2) stated (if applicable) that the covered entity had received direct or indirect remuneration from a third party for making the communication; (3) contained instructions on how to opt out of receiving such communications; and (4) explained why the individual was targeted for the communication.
The August 2002 Privacy Rule bars covered entities from disclosing protected health information for marketing purposes unless it has obtained authorization from the individual. The prohibition does not extend to face-to-face communications or promotional gifts of nominal value offered by the covered entity. However, the new rule streamlines the authorization process and permits covered entities to use a single form for all individual authorizations, including marketing communications. Note that the authorization for marketing must disclose whether the marketing involves direct or indirect remuneration to the covered entity.
The August 2002 Privacy Rule also seeks to bring clarity to the definition of “marketing”—a term that caused confusion in previous iterations of the regulation. The new rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Marketing does not include a communication made to describe a health-related product or service that is provided by, or included in a plan of benefits of, the entity making the communication; for the treatment of the individual; for care management or care coordination for the individual; or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the patient.
AUTHORIZATION
The new final Privacy Rule requires each authorization to contain the following elements:
The authorization must also include statements concerning the individual’s right to revoke the authorization, the potential that information disclosed pursuant to the authorization could be subject to redisclosure by the recipient, and the ability or inability of the covered entity to condition treatment, payment, or enrollment on the authorization.
MINIMUM NECESSARY
The December 2000 rule imposes the requirement that a covered entity make reasonable efforts to limit its use or disclosure of protected health information to the minimum necessary to achieve the purpose of the use or disclosure. Although this is a highly controversial provision, it was preserved in the new final rule. The scope of the requirement is slightly modified, however, by excluding uses and disclosures made pursuant to authorizations.
There are numerous other changes made by the August 2002 Privacy Rule that should be carefully studied by covered entities as they prepare for compliance with the regulation. A copy of the rule is available electronically at the HHS Office of Civil Rights Privacy Web site at www.hhs.gov/ocr/hipaa/. The lengthy preamble to the rule is a treasure trove of useful information and guidance on the Privacy Rule.
REFERENCE
George G. Olsen, JD, is a partner of the firm Williams & Jensen, PC, Washington, DC. He is also legal counsel for the National Association of Rehabilitation Agencies and Providers.
Editor’s Note: For the latest news on HIPAA, be sure to read Rehab Management’s newest column starting in the January/February 2003 issue, “Avoid the HIPAA Hoodwink.”