HHS Proposes Changes to the HIPAA Privacy Rule

By Joseph J. Wang

On March 27, 2002, the U.S. Department of Health and Human Services (HHS) proposed modifications to its "Privacy Rule," a health information privacy regulation issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed revisions are intended to fix the problems, or minimize the unintended negative consequences, associated with the previously published Privacy Rule, the requirements of which have been a great source of debate within the medical community. The proposed changes can be found at the Office for Civil Rights (OCR) Web site, available at http://www.hhs.gov/ocr/hipaa/.

Two areas of ongoing concern addressed in the proposal are: (1) how to maintain strong privacy protection of medical records without hindering patient access to health care; and (2) how to ensure regulatory effectiveness without increasing the administrative burden of implementation. The HHS proposal aims to address these concerns through the following revisions.

Uses and Disclosures for TPO

The proposal would not require providers in a direct treatment relationship with a patient to obtain patient consent prior to using or disclosing the patient's protected health information (PHI) for treatment, payment, and health care operations (TPO). However, providers could voluntarily seek out patient consent and they would have complete discretion in designing the consent process. This revision is intended to facilitate patient access to quality health care quickly and easily. Note that for non-TPO purposes, providers and other covered entities must still obtain patient authorization for use and disclosure of PHI.

The proposal would permit a covered entity to disclose PHI to another covered entity without authorization for payment and operation activities. Although this revision would expand the TPO provisions for uses and disclosures of PHI, it would greatly facilitate the flow of information between entities that are involved in the payment and operational sides of delivering quality health care. To ensure patient expectations of privacy are not unduly compromised under this revision, the proposal would limit the types of health care operations in the expansion and limit the sharing of PHI to covered entities that have, or have had, a relationship to the patient whose PHI is being requested. Disclosures and requests must still comply with the minimum necessary provisions of the Privacy Rule and the use of de-identified information is strongly encouraged when feasible.

Notice of Privacy Practices for PHI

While the consent requirements would be relaxed under the proposed revisions, the notice requirements would be more stringent. The proposal would require that covered health care providers not only provide a patient with whom they have a direct treatment relationship notice of privacy practices by the date of first service delivery, but also make a good faith attempt to obtain the patient's written acknowledgement of having received the notice. If a health care provider acting in good faith is unable to obtain a patient's written acknowledgment, he or she would be required to document the effort and provide a reason for the failure. The purpose of this good faith acknowledgment requirement is to promote patient understanding of privacy practices and allow patients the opportunity to request additional restrictions on the use of their PHI. Note that health care providers in emergency treatment situations and other covered entities are exempt from the good faith acknowledgement requirement, and that the notice requirements under the Privacy Rule, such as using plain language, remain unchanged.

Minimum Necessary and Oral Communications

The proposal would also permit certain incidental uses and disclosures resulting from permissible uses and disclosures under the Privacy Rule, so long as reasonable safeguards are in place and the minimum necessary standard is followed. For example, an incidental disclosure could be a conversation between a provider and his or her patient concerning treatment options that is overheard by another patient. Under the proposal, this situation would not be a violation of the Privacy Rule, provided that the provider applied reasonable safeguards and abided by the minimum necessary standard. HHS recognizes that it would be impractical to require covered entities to eliminate all risk of incidental uses or disclosures without severely impeding health care communications altogether.

Business Associates

The proposal would allow covered entities, except small health plans, up to one additional year to bring business associate contracts into compliance with the Privacy Rule. HHS recognizes the administrative burden that larger covered entities face in having to reopen and renegotiate existing vendor and service contracts. The proposal also provides model contract provisions to assist covered entities in implementing the business associates provisions of the Privacy Rule.

Uses and Disclosures of PHI for Marketing

The proposal would require covered entities to obtain patient authorization for all communications defined as "marketing." HHS believes this requirement would provide greater consumer privacy protection not found in the opt-out provisions under the original Privacy Rule. As in the Privacy Rule, the proposed modifications would not require authorizations for face-to-face communications between the provider and patient nor for marketing communications that concern products and services of nominal value.

Although authorization would be required for most marketing communications, physicians and other covered entities would still be permitted to engage in necessary and important treatment communications. These communications may concern disease management, wellness programs, prescription refill reminders, and appointment notifications. HHS recognized the importance of such communications and regards them as exceptions to the definition of "marketing" under the Privacy Rule.

Parents as Personal Representatives of Unemancipated Minors

On the issue of access and disclosure of a minor's PHI, the proposal would clarify current standards under the Privacy Rule and defer to state law when state law is definitive on the issues of access and disclosure. When state law provides discretion or is silent, the provider may use discretion to allow or deny access to a parent as long as such decisions are consistent with state or other applicable law. If the parent is not the personal representative of the minor, the proposed revision would not require providers to allow parental access to a minor's medical records.

Uses and Disclosures for Research Purposes

The proposal would revise the waiver criteria in research to comport more closely with the federal Common Rule criteria that the risk to individual privacy in use and disclosure of PHI is minimized and research could not be conducted practicably without the waiver or alteration. HHS hopes that the proposed modifications will remove redundancy in the waiver criteria and resolve conflicts in research according to the Common Rule. In addition, the proposal would aim to simplify the authorization process in research by creating a single set of requirements that would apply to all authorizations generally. This proposal would eliminate the need for separate authorization forms in clinical research. Further, the proposal also has research transition provisions that permit a covered entity to use or disclose PHI for a specific research study if authorization was obtained prior to the compliance date, regardless of whether the research study actually begins before the compliance date.

Uses and Disclosures for which Authorization is Required

The proposal would create a single type of authorization form rather than different ones for research, individual use, or use by a covered entity. As discussed above, the new authorization requirements would eliminate the need to have separate and different authorization forms, simplifying the process.

De-Identification of PHI

The proposal would condition the disclosure of limited data sets by a covered entity on an agreement by the recipient to limit use of the data set to the intended purpose and not to re-identify the information.

Other Changes

The proposed modifications to the Privacy Rule also include some technical corrections and other clarifications concerning changes of legal ownership; group health plan disclosures of enrollment and disenrollment information to plan sponsors; the definition of "individually identifiable health information"; accounting of disclosures of PHI; uses and disclosures regarding FDA-regulated products and activities; and hybrid entities.

Implications for Texas

If the proposed modifications to the Privacy Rule survive public scrutiny and are ultimately implemented, the level of privacy protections for medical records under Texas law would change. Section 181.101 of the Health and Safety Code adopts the Privacy Rule standards relating to "uses and disclosures of protected health information, including requirements relating to consent" and "notice of privacy practices for protected health information." Since these are areas covered by the proposed modification, Texas law would be revised accordingly. Although the proposed modifications relating to marketing and research activities are important to consider, these revisions are less likely to affect medical privacy in Texas since current law provides consumer protections that are consistent with and more stringent than the federal standards under the Privacy Rule.