HHS Issues Guidance on HIPAA Privacy

by: Linda Abdel-Malek

On July 6, 2001, the U.S. Department of Health and Human Services (HHS) issued guidance to the healthcare industry in order to answer certain questions that had been raised regarding perceived ambiguities in the privacy rule which was promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) at 45 CFR Parts 160 and 164 (Privacy Rule). HHS stated that this guidance is intended to be the first in a series of instructions to be issued by the department in order to further clarify the Privacy Rule prior to the required implementation date for healthcare providers and most health plans of April 14, 2003.

Specifically, HHS issued guidance in the following areas. Below are the highlights:

1. General Overview

HHS made clear in its guidance that it expects to issue proposed modifications to the Privacy Rule prior to the compliance date in order to prevent any unintended effects on quality of care or access to care. Specific examples of areas in which HHS will propose changes included: (1) amendments to the consent requirements of the Privacy Rule in order to allow pharmacists to fill prescriptions phoned in by a patient's physician prior to obtaining written consent from the patient; (2) changes which will allow direct treatment providers to, prior to obtaining patient consent, schedule first-time appointments for patients who have been referred from other providers; (3) clarifications allowing covered entities to engage in any communications required to expedite quality care, including oral communications with family members and staff involved in the patient's care, and using patient names to find them in waiting areas.

2. Consent and Authorization

Regarding consent and authorization, HHS clarified numerous issues, including the fact that health plans and clearinghouses are not required to obtain consent if they are using protected health information (PHI) for treatment, payment, or healthcare operations. Additionally, if an individual who consents to use and disclosure of PHI for treatment, payment or healthcare operations obtains a healthcare service and then revokes consent before the provider bills for the service, the provider may still bill for such service, because the Privacy Rule provides that revocation of consent is not effective if the provider has already acted in reliance on the consent.

3. Minimum Necessary Standard

Several questions were addressed in the HHS guidance regarding how covered entities are to determine what is the minimum necessary information that can be used, disclosed or requested for a particular purpose. HHS stated that covered entities are to use a reasonableness standard consistent with best practices currently used by many organizations. HHS also explained that the minimum necessary standard was not intended to preclude nursing students and other trainees from having access to patient records in the course of their training, nor is the minimum necessary standard intended to prevent covered entities from maintaining patient charts at bedside or from using sign-in sheets in waiting rooms.

4. Oral Communications

The concern in the healthcare industry in reaction to the Privacy Rule's protection of oral communications generated questions regarding whether hospitals or doctors' offices needed to be soundproofed or whether semi-private rooms needed to be discontinued, in order to avoid the possibility of a third party overhearing any discussion of PHI. HHS stated that rather than requiring these burdensome modifications, the Privacy Rule is only intended to require a covered entity to establish "reasonable safeguards" that reflect reasonable efforts to prevent prohibited uses and disclosures, such as adding curtains, screens, or cubicles in areas where multiple patient and staff communications frequently take place.

5. Business Associates

Questions were raised regarding whether the Secretary had exceeded his authority in requiring business associates to comply with the Privacy Rule through contracts between covered entities and such business associates. The Secretary responded by saying that rather than "passing through" the requirements of the Privacy Rule to business associates by contract, business associates are subject to much narrower requirements than the Privacy Rule imposes. For example, the contractual requirements for business associates do not include having to appoint a privacy officer, train employees, or develop policies and procedures for use and disclosure of PHI. Also, HHS made clear that covered entities are not responsible for monitoring the activities of their business associates, and advised covered entities to include contractual provisions requiring business associates to advise the covered entity if violations of the contract have occurred.

6. Parents and Minors

Regarding parents and minors, HHS stated that parents are generally allowed to access their minor children's medical records except where the parent agrees that the child and the provider may have a confidential relationship, or when the provider reasonably believes the child has been subjected to abuse or neglect, or that revealing PHI to the parent may endanger the child. HHS also confirmed that the Secretary is reevaluating these provisions of the Privacy Rule.

7. Health-related Communications and Marketing

Many expressed concern regarding the right of providers and health plans to use PHI for marketing purposes. HHS reiterated that authorization is always required prior to such use except in three instances: (1) the marketing takes place during an in-person meeting, such as a medical appointment, (2) the marketing concerns products or services of "nominal value", and (3) the covered entity is marketing health-related products and services, is identified as such, and gives the individual the opportunity to opt out of any additional marketing. Also, the covered entity must make certain disclosures, such as whether the individual has been targeted based on health status, and whether the covered entity is being compensated for such marketing.

8. Research

In the context of research, many questions were raised regarding the interplay between certain existing federal rules regarding research and the Privacy Rule. HHS made clear that where both sets of rules apply, both must be followed, and that the Privacy Rule regulates only the content and the conditions of the documentation that must be sought by covered entities prior to using or disclosing PHI for research purposes. Additionally, HHS clarified that the Privacy Rule does not prohibit researchers from conditioning a subject's participation in a research study on receiving authorization to use or disclose PHI.

9. Restrictions on Government Access to Health Information

Regarding disclosures required by law, HHS stated that it does not intend to override existing state laws that require disclosure of PHI for purposes of, for example, reporting particular diseases to public health officials. In contrast, existing state laws often grant law enforcement access to PHI for a broad range of purposes. HHS pointed out that the Privacy Rule sets forth restrictions regarding disclosures to law enforcement that in some cases will limit such access beyond what is currently allowed in many state laws.

10. Payment

Discussions regarding payment centered around reporting PHI to, for example, consumer credit reporting agencies and debt collection agencies. HHS indicated that it did not intend to displace existing federal laws governing such practices and does not see any conflict between the Privacy Rule and such laws.

This article is reprinted with permission from the June 25, 2001 issue of iHealthcare Weekly