Legislative Watch

Subscribe | Advertise | About Us | Contact Us | Home

June/July 2002

By George G. Olsen, JD

As providers know, on December 28, 2000, the Clinton administration published a final rule establishing standards for privacy of individually identifiable health information. Providers and other covered entities must comply with these requirements by February 26, 2003, and the regulation is enforceable by civil and criminal penalties.

When the Bush administration took office, it resisted the temptation to make wholesale changes in the medical records privacy rule. From time to time, it issued clarifications and guidances on the way in which the rule was to be interpreted. However, after a rigorous review of the rule by the US Department of Health and Human Services (HHS), the Secretary of HHS issued a proposed rule on March 27, 2002, that would make substantial modifications in the rule as promulgated by former Secretary of HHS Shalala.

CONSENT

Pursuant to the final rule published in December 2000, a covered entity-a health care provider, health plan, or health clearinghouse-must secure consent from an individual to use that person's protected health information for treatment, payment, or health care operations. The consent must be in writing, use plain language, make reference to the covered entity's notice of privacy practices, specify that the individual has the right to review the notice of privacy practice, inform the individual that he or she has the right to request restrictions on the consent, and provide the person with the right to revoke the consent at any time.

The recently published Notice of Proposed Rulemaking may well result in substantial changes in this consent requirement. Since the publication of the final rule, HHS has been deluged with comments from providers explaining that the consent requirements "result in unintended consequences that impede the provision of health care in many critical circumstances." For this reason, the proposed rule would eliminate the mandatory requirement that a covered entity secure consent from the individual and instead would "make optional the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations on the part of all covered entities, including providers with direct treatment relationships."

There are some important caveats to the optional nature of the consent requirement as set out in the proposed rule. First, although covered entities would not be required to obtain an individual's consent, any use or disclosure of protected health information for treatment, payment, or health care operations would still have to be consistent with the provider's notice of privacy practice. Second, the elimination of the mandatory consent requirement applies only to consent for treatment, payment and health care operations; "it does not alter the requirement to obtain an authorization-for uses and disclosures of protected health information not otherwise permitted by the privacy rule."

Third, although the proposed rule would not require a provider to obtain consent, it permits providers to obtain consent if they wish to do so. Fourth, a provider with a direct treatment relationship with an individual should make a good faith effort to obtain that person's written acknowledgement of receipt of the provider's notice of privacy practices.

DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE

The existing final privacy rule permits a provider or other covered entity to use and disclose protected health information for treatment, payment, or health care operations provided that consent has been obtained. This rule has been criticized in a number of quarters because a covered entity is permitted to use and disclose protected information only for its own payment and health care operations activities. Arguments were made to the Secretary of HHS that this restriction impedes the ability of providers to obtain reimbursement for health care services, conduct certain quality assurance or improvement activities, and to monitor fraud and abuse. The Secretary of HHS was particularly concerned that this limitation would make it difficult for providers to secure the information needed for reimbursement for health care services.

Predicated on these and other comments, the Notice of Proposed Rulemaking would permit a covered entity to disclose protected health information for the payment activities of another covered entity or health care provider and for certain health care operations of other covered entities. As described by the Secretary, "this proposal would broaden the uses and disclosures that are permitted as part of treatment, payment, and health care operations so as not to interfere inappropriately with access to quality and effective health care, while limiting this expansion in order to continue to protect the privacy expectations of individuals."

MINIMUM NECESSARY DISCLOSURE

The existing final rule provides that a covered entity must make reasonable efforts to use or disclose only the minimum amount of protected health information necessary to achieve the purpose of the use or disclosure. This has become known as the "minimum necessary disclosure" requirement. Providers, health plans, and health clearinghouses must have procedures and policies in place to ensure compliance with this requirement. As a practical matter, the minimum necessary disclosure requirement mandates that covered entities develop and implement policies and procedures appropriate to the entity's business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested; and for uses of protected health information that also limit who has access to such information.

The minimum necessary disclosure requirement has drawn extensive commentary from interested persons. The preamble to the proposed rule describes the nature of these comments: "with regard to oral communications, commenters expressed concern over whether health care providers may continue to engage in confidential conversations with other providers or with patients, if there were a possibility that they could be overheard. As examples, commenters specifically questioned whether health care staff can continue to: coordinate services at hospital nursing stations orally; discuss a patient's condition over the phone with the patient or another provider, if other people are nearby; discuss lab test results with a patient or provider in a joint treatment area; call out a patient's name in a waiting room; or discuss a patient's condition during training rounds in an academic or training institution."

Real world, practical considerations such as these encouraged the Secretary of HHS to issue a clarification on July 6, 2001, making it clear that the privacy rule "is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy its standards. So long as reasonable safeguards are employed, the burdens of impeding such communications are not outweighed by any benefits that may accrue to any individual's privacy interests." Believing that further action was necessary, the proposed rule would modify the existing regulation to explicitly permit certain incidental uses in disclosure that occur as a result of an otherwise permitted use or disclosure. Under the proposed rule, an incidental use or disclosure would be a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure.

BUSINESS ASSOCIATES

The existing final privacy rule requires health plans, health care providers, and health clearinghouses to have contracts with their business associates to ensure that the business associates protect the privacy of medical information. The final rule did not contain a proposed contract provision to implement this requirement. The proposed rule proffered by Secretary Thompson would include model business associate contract provisions to facilitate compliance with the business associates rule. In addition, the proposed rule would give covered entities (except for small health plans) up to an additional year to make required changes in existing contracts. This was done to ease the burden of a provider having to renegotiate all of its contracts with business associates simultaneously.

The modifications in the final rule discussed above are proposals only and have not been finalized. Even though the final parameters of all aspects of the privacy rule will not be known for some period of time, providers are strongly encouraged to take steps to come into compliance with other aspects of the privacy rule not affected by the March 27 proposed rule making.

George G. Olsen, JD, is a partner of the firm Williams & Jensen, PC, Washington, DC. He is also legal counsel for the National Association of Rehabilitation Agencies and Providers.

LOOKING FOR EXPERT ADVICE?

Experts here are available to answer all your questions!

Please contact us for more information about this feature, or to become an expert.

MEDIA CENTER

Interactive Media

Resources

	Calendar
	Consumer Resources
	Media Kit
	Advertiser Index EAB Reprints Submit an Article

ADDITIONAL ONLINE RESOURCES

Allied Media
24X7mag Clinical Lab Products (CLP) Orthodontic Products The Hearing Review Hearing Review Products Rehab Management		Physical Therapy Products Plastic Surgery Practice Imaging Economics RT Magazine Sleep Review

Subscribe | Advertise | About Us | Contact Us | Home

June/July 2002