HHS Releases First Guidance on Patient Privacy Protections
Background

As part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Congress mandated the establishment of standards for the privacy of individually identifiable health information within three years. When Congress failed to meet its deadline, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation. Thus, in November 1999, HHS released its proposed regulations following an extended comment period. (Of interest is the fact that HHS received over 52,000 public comments.) In December 2000, HHS issued a final rule entitled “Standards for Privacy of Individually Identifiable Health Information” (the Privacy Rule). Although the rule took effect April 14, 2001, as scheduled, HHS has the authority to make appropriate changes to the rule prior to the compliance date. Basically, the privacy rule establishes national safeguards to protect the confidentiality of medical information. It should be noted, however, that state laws with stronger protections will continue to apply over and above the federal privacy standards.

On July 6, 2001, HHS issued the first in a series of guidance materials in an attempt to explain and clarify key provisions of the new federal privacy protections. The guidance is part of an ongoing process to help health care providers and health plans come into compliance with the regulation by April 14, 2003. The following provides a brief outline of the first guidance, which addresses the following standards in the Privacy Rule: Consent, Minimum Necessary, Oral Communications, Business Associates, Parents and Minors, Health-related Communications and Marketing, Research, Restrictions on Government Access to Health Information, and Payment. For more detailed information on the initial guidance, log on to www.hhs.gov/ocr/hipaa.

Compliance Schedule - The final rule took effect on April 14, 2001.
As required by HIPAA, most covered health plans and health care providers have two full years, until April 14, 2003, to comply. Under the law, small health plans will have three full years.

Covered Entities - As required by HIPAA, the final rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically. These entities are bound by the new standards even if they contract with others to perform some of their essential functions.

Protected Information - All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.

Consent

The Privacy Rule establishes a uniform standard for certain health care providers to obtain their patients’ consent for uses and disclosures of health information to carry out treatment, payment, or health care operations (TPO). General provisions are as follows:

· Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO.
· Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
· Health care providers that have indirect treatment relationships with patients (such as labs that only interact with physicians) may use and disclose PHI for purposes of TPO without patient consent.
· If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient.
· A patient’s written consent need only be obtained by a provider one time.
The guidance further notes that this is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A provider will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments.
· The consent document must be written in plain language, inform the patient that information may be used and disclosed for TPO, state the patient’s rights to review the provider’s privacy notice, to request restrictions and to revoke consent, and be dated and signed by the patient (or representative). (An individual must be given a notice of the covered entity’s privacy practices and may review that notice prior to signing a consent.)

In addition, the rule notes that a covered entity must retain the signed consent for 6 years from the date it was last in effect. Transition provisions allow providers to rely on consents received prior to April 14, 2003, for uses and disclosures of health information obtained prior to that date.

Minimum Necessary

The general requirement is that reasonable steps must be taken to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. Basically, covered entities are given the flexibility to design their own policies and procedures based on their unique circumstances. The guidance states that this is a “reasonableness standard” that calls for an approach consistent with guidelines already used by many providers today to limit the unnecessary sharing of medical information. The minimum necessary provisions DO NOT apply to the following:

· Disclosures to or requests by a health care provider for treatment purposes.
· Disclosures to the individual who is the subject of the information.
· Uses or disclosures made pursuant to an authorization requested by the individual.
· Uses or disclosures required for compliance with the standardized HIPAA transactions.
· Disclosures to HHS when disclosure of information is required under the rule for enforcement purposes.
· Uses or disclosures that are required by other law.

In general, entities will have to adopt written privacy procedures. These include who has access to protected information, how it will be used within the entity, and when the information may be disclosed.

Important Points

· To limit PHI access, certain adjustments may need to be made, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.
· Although HHS did not intend to prohibit the use of sign-in sheets in physicians’ waiting rooms, the Privacy Rule is ambiguous about this common practice. HHS notes that it will propose modifications to the rule to clarify that this and similar practices are permissible.
· Entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients’ medical information, including entire medical records.

Oral Communications

The Privacy Rule applies to patient health information in all forms – electronic, written, oral, and any other.

General Requirements

· Entities must reasonably safeguard PHI, including oral information. “Reasonably safeguard” means that reasonable efforts must be made to prevent uses and disclosures not permitted by the rule.
· Entities must have policies and procedures that reasonably limit access to and use of PHI to the minimum necessary. The minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes.
· The guidance notes that many health care providers already make it a practice to ensure reasonable safeguards for oral information – for example, by speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area.
Such conduct can be further built upon to develop the reasonable safeguards required by the Privacy Rule.

Important Points

· The guidance notes that it is understood that overheard communications are unavoidable, for example, in a busy emergency room. The following practices are permissible, if reasonable precautions (such as talking in a lowered voice) are taken: health care staff may orally coordinate services at hospital nursing stations; health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member; a health care professional may discuss lab test results with a patient or other provider in a joint treatment area; and health care professionals may discuss a patient’s condition during training rounds in an academic or training institution. HHS intends to propose language to clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.
· The rule does not require hospitals and doctors’ offices to be retrofitted to provide private rooms and soundproof walls. Rather, reasonable safeguards must be provided to avoid prohibited disclosures. The rule does not require that all risks be eliminated to satisfy this standard. An example of an adjustment that may constitute a reasonable safeguard is adding curtains or screens to areas where oral communications often occur between doctors and patients.

Business Associates

PHI may be disclosed to a business associate ONLY to help the providers and plans carry out their health care functions – not for independent use by the business associate.

Definition of Business Associate

· A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.
· A business associate is not a member of the health care provider, health plan, or other covered entity’s workforce.
· A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.
· The rule includes exceptions. The business associate requirements do not apply to covered entities that disclose PHI to providers for treatment purposes – for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.

The guidance states that a health care provider, health plan, or other entity is not liable for privacy violations of a business associate.

Parents and Minors

The Privacy Rule provides individuals with certain rights with respect to their PHI. These rights rest with that individual, or with the “personal representative” of the individual. Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a “personal representative” of his or her minor child under the Privacy Rule. There are exceptions in which a parent might not be the “personal representative.” In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor’s health care decision and, thus, does not control the PHI related to that care.

· When a state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the service, the parent is not the minor’s personal representative under the Privacy Rule. For example, when a state law provides an adolescent the right to consent to mental health treatment without the consent of his or her parent, and the adolescent obtains such treatment without the consent of the parent, the parent is not the personal representative for that treatment.
· When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative.
For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent or to the minor, or the court may make the decision(s) itself. In order not to undermine these court decisions, the parent is not the personal representative in these circumstances.

In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor’s personal representative with respect to the relevant PHI:

· When a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the health information related to that conversation or relationship.
· When a physician reasonably believes that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child.

Important Point

· The Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent. This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.

Health-related Communications and Marketing

The Privacy Rule addresses the use and disclosure of PHI for marketing purposes.
The rule defines marketing as “a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” The guidance notes that in recommending treatments or describing available services, health care providers and health plans are advising individuals to purchase goods and services. To prevent interference with treatment or similar health-related communications with a patient, the rule identifies the following activities as NOT subject to the marketing provision, even if the activity actually meets the definition of marketing. Thus, it is NOT marketing when a communication:

· Describes the participating providers or plans in a network.
· Describes the services offered by a provider or the benefits covered by a health plan.

In addition, it is not marketing for an entity to use a patient’s PHI to tailor a health-related communication to that patient, when the communication is:

1) Part of a provider’s treatment of the patient and for the purpose of furthering that treatment. For example, recommendations of specific pharmaceuticals or referrals of patients to other providers are not marketing; and
2) Made in the course of managing the patient’s treatment or recommending alternative treatment. For example, mailing appointment reminder notices is not marketing, nor is informing a patient who smokes about an effective smoking-cessation program.

Limitations on Marketing Communications

An authorization for use or disclosure of PHI for marketing is always required unless one of the following three exceptions applies:

1) the marketing occurs during an in-person meeting with the patient;
2) the marketing concerns products or services of nominal value; and
3) the entity is marketing health-related products and services, the marketing identifies the entity responsible for the marketing, and the individual is offered the opportunity to opt out of further marketing.
For all other communications considered marketing under the Privacy Rule, patient authorization must be obtained.

Important Points

· Patient authorization is needed when selling PHI to third parties. Under the rule, a hospital or other provider may not sell the names of pregnant women to baby formula manufacturers or magazines.
· Patient authorization is needed when disclosing PHI to outsiders for independent marketing use. Under the rule, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions.

Research

The Privacy Rule establishes the conditions under which PHI may be used or disclosed for research purposes. However, health information that has been de-identified may be used or disclosed without regard to the provision. The rule also defines the means by which individuals/human research subjects are informed of how medical information about themselves will be used or disclosed, and their rights with regard to gaining access to information about themselves when such information is held by covered entities. Where research is concerned, the rule protects the privacy of individually identifiable health information.

Important Points

· With few exceptions, the rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained in a “designated record set.” One of the permitted exceptions applies to PHI created or obtained for a clinical trial. The rule permits the patient’s access rights in these cases to be suspended while the clinical trial is in progress.
· To use or disclose PHI created from a research study that includes treatment (e.g., a clinical trial), additional research-specific elements that describe how the PHI will be used must be included in the authorization form.
For example, if the covered entity/researcher intends to seek reimbursement from the research subject’s health plan for routine costs of care associated with the protocol, the authorization must describe the types of information that will be provided to the health plan. This authorization may be combined with the traditional informed consent document used in research.

Restrictions on Government Access to Health Information

Government-operated health plans and health care providers must meet the same requirements as private ones for protecting the privacy of PHI. The rule does not require or allow any new government access to medical information, with one exception: the rule does give the HHS Office for Civil Rights the authority to investigate complaints and to ensure that entities comply with the rule.

Payment

As provided by the Privacy Rule, an entity may use and disclose PHI for payment purposes. “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. The guidance notes that covered entities are permitted to continue to use the services of debt collection agencies.

FYI: Proposed Changes

Congress specifically authorized HHS to make appropriate modifications in the first year after the final rule took effect. Rule changes will be published in the Federal Register and will invite public comment. After reviewing and addressing such comments, HHS will issue a final rule to implement appropriate modifications. Examples of standards in the Privacy Rule for which HHS will propose changes are:

Phoned-in Prescriptions – A change will permit pharmacists to fill prescriptions phoned in by a patient’s doctor prior to obtaining the patient’s written consent.
Referral Appointments – A change will permit direct treatment providers receiving a first-time patient referral to schedule appointments, surgery, or other procedures prior to obtaining the patient’s signed consent.

Allowable Communications – A change will increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care, and using patient names to locate them in waiting areas.

Minimum Necessary Scope – A change will increase covered entities’ confidence that certain common practices, such as use of sign-in sheets and X-ray lightboards, and maintenance of patient medical charts at bedside, are not prohibited under the rule.

© 2002 Texas Osteopathic Medical Association