Steven J. Fox
Rachel H. Wilson
John W. Jones Jr.

Although the final privacy rule in the Health Insurance Portability and Accountability Act (HIPAA) eases some burdens for managed care organizations and providers, it still significantly restricts the use and disclosure of protected health information.

Covered entities must prepare to comply by the Aug. 14, 2003 deadline (exceptions are described below). This is a summary of changes to the original rule that was published in 2000.

Required permissions

Consent. Direct-treatment providers, such as physicians and hospitals, are no longer required to obtain consent before using or disclosing protected health information. The decision to seek consent will be optional and the form of that consent left to providers' discretion, except when prescribed by state law.

Notice of privacy practices. In lieu of consent, providers must make a good-faith attempt to get a patient's written acknowledgement of receipt of the Notice of Privacy Practices (NPP). The NPP must be provided on or before the first delivery of service (except in emergency situations), although the modified rule takes practical considerations into account. For example, if a provider's first encounter with a patient is over the phone, the NPP requirement is satisfied if the provider mails the NPP to that person the day after the conversation. Even if the patient fails to return the acknowledgement, the provider will have attempted to obtain it.

In response to concerns that the NPP was too lengthy, the rule now recommends using a short summary, followed by the full NPP.

Authorization. Although the modifications make consent optional for purposes of treatment, payment, and health care operations, the privacy rule still requires patient authorization for any other use of personal health information.

The modified rule simplifies the consent procedure by mandating a single authorization format, as opposed to the three context-specific formats in the original rule. The core elements of an authorization are now: a description of the information to be used or disclosed; identification of those who are authorized to use or disclose the patient's personal health information; identification of those to whom such information can be disclosed; the purpose for the use or disclosure; an expiration date or event; the individual's signature and date; and, if signed by a personal representative, a description of his or her authority to act for the individual.

Disclosures for payment & operations

Many observers feared that the original rule would interfere with obtaining payment for services, participation in quality-assurance programs, and monitoring of fraud and abuse. The modified rule will allow covered entities to share this information, without a patient's authorization, for treatment and payment purposes.

Covered entities also can disclose personal health information when it supports the health care operations of another provider or organization (for instance, an MCO sharing information with a disease management vendor), but only where the disclosing and receiving parties have a relationship with the patient and when the information concerns the recipient's relationship with the patient.

Minimum necessary rule

In general, the modifications clarify that the minimum necessary rule is not an absolute standard in lieu of professional judgment. The rule's intent is to ensure that one who discloses or uses protected health information limits such activity to the minimum amount of information needed for the intended purpose. Covered entities can make their own assessments of what is necessary to be disclosed for a given purpose.

Incidental disclosures. When the original privacy rule was published, many providers worried that it prohibited common communications and practices that are essential to treatment. For example, it was feared that physicians would not be able to have confidential conversations with patients if there was any possibility that they could be overheard.

HHS did not intend for the privacy rule to impede necessary practices, and says now that, in general, incidental disclosures are not violations, assuming that safeguards are in place to minimize unlawful disclosures. Accordingly, the modified rule explicitly permits certain incidental uses and disclosures — defined as those that cannot be reasonably prevented, are limited in nature, and occur as a byproduct of an otherwise permissible use or disclosure.

This could happen anywhere health care is provided. If a person happens to see individually identifiable health information on a waiting room sign-in sheet, on a patient's chart at bedside, on an X-ray lightboard, or on a prescription vial, an incidental disclosure has occurred. This is permissible, but only to the extent that reasonable safeguards have been used and, where applicable, the minimum necessary standard has been implemented.

Business associate requirements

The changes to the business associate requirements are designed to ease the administrative and financial burdens associated with renegotiating existing agreements. The modified rule effectively extends the deadline for complying with these requirements. Qualifying existing contracts with vendors would have up to one additional year beyond the original privacy rule's April 14, 2003, deadline to comply.

Under the modified rule, covered entities may take advantage of the extended transition period for vendor contracts that existed before Oct. 15, 2002, and do not expire or are not modified or amended before April 14, 2003. Contracts that renew automatically (evergreen contracts) also may take advantage of the extension. Any contracts that meet these criteria are deemed to comply with HIPAA until the contract is renewed or modified (after the compliance date) or April 14, 2004, whichever occurs first. The transition period does not apply to small health plans, which already have until April 14, 2004 to comply, or to oral contracts.

This "gift" from HHS invites the administrative headaches associated with keeping track of which business associate contracts are compliant and which are not. The safest course of action is to use HIPAA warranties and business associate contract provisions in all new contracts, and, if time and resources permit, to renegotiate existing contracts so that they will be in compliance by April 14, 2003.

Steven J. Fox is a partner and Rachel H. Wilson is an associate in the Washington office of the law firm Pepper Hamilton. John W. Jones Jr. is an associate in Pepper Hamilton's Philadelphia office.
