HIPAA Modifications Ease Burdens, But Don’t Take Anything for Granted

Steven J. Fox

Rachel H. Wilson

John W. Jones Jr.

Although the final privacy rule in the Health Insurance Portability and Accountability Act (HIPAA) eases some burdens for managed care organizations and providers, it still significantly restricts the use and disclosure of protected health information.

Covered entities must prepare to comply by the Aug. 14, 2003 deadline (exceptions are described below). This is a summary of changes to the original rule that was published in 2000.

Required permissions

Consent. Direct-treatment providers, such as physicians and hospitals, are no longer required to obtain consent before using or disclosing protected health information. The decision to seek consent will be optional and the form of that consent left to providers’ discretion, except when prescribed by state law.

Notice of privacy practices. In lieu of consent, providers must make a good-faith attempt to get a patient’s written acknowledgement of receipt of the Notice of Privacy Practices (NPP). The NPP must be provided on or before the first delivery of service (except in emergency situations), although the modified rule takes practical considerations into account. For example, if a provider’s first encounter with a patient is over the phone, the NPP requirement is satisfied if the provider mails the NPP to that person the day after the conversation. Even if the patient fails to return the acknowledgement, the provider will have attempted to obtain it.

In response to concerns that the NPP was too lengthy, the rule now recommends using a short summary, followed by the full NPP.

Authorization. Although the modifications make consent optional for purposes of treatment, payment, and health care operations, the privacy rule still requires patient authorization for any other use of personal health information.

The modified rule simplifies the consent procedure by mandating a single authorization format, as opposed to the three context-specific formats in the original rule. The core elements of an authorization are now: a description of the information to be used or disclosed; identification of those who are authorized to use or disclose the patient’s personal health information; identification of those to whom such information can be disclosed; the purpose for the use or disclosure; an expiration date or event; the individual’s signature and date; and, if signed by a personal representative, a description of his or her authority to act for the individual.

Disclosures for payment & operations

Many observers feared that the original rule would interfere with obtaining payment for services, participation in quality-assurance programs, and monitoring of fraud and abuse. The modified rule will allow covered entities to share this information, without a patient’s authorization, for treatment and payment purposes.

Covered entities also can disclose personal health information when it supports the health care operations of another provider or organization (for instance, an MCO sharing information with a disease management vendor), but only where the disclosing and receiving parties have a relationship with the patient and when the information concerns the recipient’s relationship with the patient.

Minimum necessary rule

In general, the modifications clarify that the minimum necessary rule is not an absolute standard in lieu of professional judgment. The rule’s intent is to ensure that one who discloses or uses protected health information limit such activity to the minimum amount of information needed for the intended purpose. Covered entities can make their own assessments of what is necessary to be disclosed for a given purpose.

Incidental disclosures. When the original privacy rule was published, many providers worried that it prohibited common communications and practices that are essential to treatment. For example, it was feared that physicians would not be able to have confidential conversations with patients if there was any possibility that they could be overheard.

HHS did not intend for the privacy rule to impede necessary practices, and says now that, in general, incidental disclosures are not violations, assuming that safeguards are in place to minimize unlawful disclosures. Accordingly, the modified rule explicitly permits certain incidental uses and disclosures — defined as those that cannot be reasonably prevented, are limited in nature, and occur as a byproduct of an otherwise permissible use or disclosure.

This could happen anywhere health care is provided. If a person happens to see individually identifiable health information on a waiting room sign-in sheet, on a patient’s chart at bedside, on an X-ray lightboard, or on a prescription vial, an incidental disclosure has occurred. This is permissible, but only to the extent that reasonable safeguards have been used and, where applicable, the minimum necessary standard has been implemented.

Business associate requirements

The changes to the business associate requirements are designed to ease the administrative and financial burdens associated with renegotiating existing agreements. The modified rule effectively extends the deadline for complying with these requirements. Qualifying existing contracts with vendors would have up to one additional year beyond the original privacy rule’s April 14, 2003, deadline to comply.

Under the modified rule, covered entities may take advantage of the extended transition period for vendor contracts that existed before Oct. 15, 2002, and do not expire or are not modified or amended before April 14, 2003. Contracts that renew automatically (evergreen contracts) also may take advantage of the extension. Any contracts that meet these criteria are deemed to comply with HIPAA until the contract is renewed or modified (after the compliance date) or April 14, 2004, whichever occurs first. The transition period does not apply to small health plans, which already have until April 14, 2004, to comply, or to oral contracts.

This “gift” from HHS invites the administrative headaches associated with keeping track of which business associate contracts are compliant and which are not. The safest course of action is to use HIPAA warranties and business associate contract provisions in all new contracts, and, if time and resources permit, to renegotiate existing contracts so that they will be in compliance by April 14, 2003.

Steven J. Fox is a partner and Rachel H. Wilson is an associate in the Washington office of the law firm Pepper Hamilton. John W. Jones Jr. is an associate in Pepper Hamilton’s Philadelphia office.
