The U.S. Department of Health and Human Services (HHS) has announced final changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. For the most part, the changes follow proposed amendments announced by Bush administration officials in March, including relaxing of the much-criticized consent-and-notice provision.
Consent and notice
In modifying this provision, HHS said it has strengthened the notice requirement and made consent optional for routine healthcare delivery purposes -- treatment, payment, and healthcare operations. The rule requires covered entities to provide patients with notice of their privacy rights and the privacy practices of the covered entity, and make a good-faith effort to obtain written acknowledgement from patients.
HHS said it removed previous mandatory consent requirements because they would inhibit patient access to healthcare. Entities retain the option of developing a consent process that works for the entity, and may continue consent requirements already in place, according to the rule.
Of import to radiology, this change eliminates the need to obtain written consent from patients prior to sending their images via teleradiology, said Herman Oosterwijk, president of healthcare technology consulting group OTech.
Marketing
In changes related to marketing, the final rule requires covered entities to obtain written authorization to use an individual's health information for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value.
A covered entity is prohibited from selling patient lists and enrollees without individual authorization to third parties for the marketing activities of the third party. The rule also clarifies that doctors and other covered entities communicating with patients about treatment options or the entity's own health-related products and services are not considered marketing.
Incidental use and disclosure
In this final rule, HHS has acknowledged that uses or disclosure incidental to an otherwise permitted use or disclosure may occur. Such incidental uses and disclosures are not a violation, provided that the covered entity has met reasonable safeguards and minimum necessary requirements, according to the rule.
For example, doctors' offices may use waiting room sign-in sheets and hospitals may keep patient charts at bedside. In other examples, doctors could talk to patients in semi-private rooms, and doctors can confer at nurses' stations without fear of violating the rule if overheard by a passerby.
Authorization
HHS has clarified authorization requirements by, among other things, eliminating separate authorization requirements for covered entities. While patients will have to grant permission in advance for each type of nonroutine use or disclosure, providers will not have to use different types of forms. HHS said it also consolidated and streamlined core elements and notification requirements.
Minimum necessary
The final rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. Previously, the rule had exempted only certain types of authorizations from this requirement.
Uses and disclosure regarding FDA-regulated products and activities
This rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the Food and Drug Administration. These disclosures could be made for public-health purposes related to the quality, safety, or effectiveness of FDA-regulated products or activities, such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products, according to the rule.
Parents and minors
The final rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the privacy rule provides parents with new rights to control the health information about their minor children, with limited exceptions based on state or other applicable law and professional practice, according to the rule.
In special cases in which minors control their own health information by law and that law does not define the parent's ability to access the child's health information, a licensed healthcare provider continues to be able to exercise discretion to grant or deny such access, as long as that decision is consistent with state or other applicable law, according to HHS.
Business associates
HHS is giving covered entities, except for small health plans, up to an additional year to change existing written contracts to comply with the business-associate requirements. The department said the additional time will ease the burden of renegotiating contracts all at once. HHS has also provided sample business-associate contract provisions.
Research
In this final rule, HHS has facilitated researchers' use of a single combined form to obtain informed consent for research and authorization to use or disclose protected health information for such research.
In addition, the final rule clarifies the requirements relating to researchers obtaining an Institutional Review Board (IRB) or Privacy Board waiver of authorization. Transition provisions have been expanded to prevent needless interruptions of ongoing research, according to HHS.
Limited data set
A limited data set that does not include directly identifiable information can now be created and disseminated for research, public health, and healthcare operations. Disclosure of the limited data set is conditioned on a covered entity and recipient entering into a data-use agreement. In this agreement, the recipient would agree to limit the use of the data set for the purposes it was given, ensure the security of the data, and agree not to identify the information or use it to contact any individual, according to the rule.
Other new provisions deal with:
- Hybrid entities.
- Healthcare operations -- changes in legal ownership.
- Group health plan disclosures of enrollment and disenrollment information.
- Accounting of disclosures.
- Disclosure for treatment, payment, or healthcare operations of another entity.
- Protected health information: exclusion for employment records.
The final regulations will be published in the Federal Register on August 14. Most covered entities must comply with the Privacy Rule by April 14, 2003, although small health plans have until April 14, 2004 to comply. For more information, visit the HHS Office of Civil Rights Web site at http://www.hhs.gov/ocr/hipaa.
By Erik L. RidleyAuntMinnie.com staff writer
August 13, 2002
Related Reading
HIPAA final privacy rule drives security implementation, June 7, 2002
CMS issues model for extending transaction code compliance, April 1, 2002
HIPAA to make challenging, costly demands on radiology, March 18, 2002
HIPAA, compliance programs fit like gloves, February 1, 2002
A roadmap for implementing HIPAA in radiology, July 26, 2001
Copyright © 2002 AuntMinnie.com