HIPAA rule finalized to reduce worst of consent burden, prevent marketing use

As work begins on compliance, many providers are way behind

Some of the worst nightmares embedded in the Health Insurance Portability and Accountability Act (HIPAA) were removed from the final version of the rule, but there still is a great deal to be done if you are to make the compliance deadline.

To some observers, many risk managers are allowing their organizations to bog down in overwrought analyses instead of formulating the policies and procedures that must be in place within a few months.

When the Department of Health and Human Services (HHS) issued the final HIPAA rule recently, some provisions that had caused consternation over the past year were reworked significantly or deleted altogether. The most significant change involved whether explicit written consent would be required from patients for the disclosure of medical information during routine health care operations. Previous versions of the rule had required that providers obtain written consent from the patient for the use of protected medical information during treatment, and treatment could not proceed without that expressed permission. But in the final HIPAA rule, HHS took a less strict stance and said that such explicit consent is not necessary.

Instead, covered entities will have to provide patients with a written statement explaining the provider’s privacy practices and individual privacy rights. HHS still wants providers to try to obtain a patient’s written acknowledgment of that statement, but if that is not possible or practical, it is sufficient to show that the provider made a good-faith effort.

Barrie K. Handy, JD, an attorney with the law firm of Davis Wright Tremaine in Seattle, says HHS has responded to the concerns of many risk managers that the notice of privacy practices was too long.

"The preamble encourages use of a ‘layered notice’ — a short, summary notice that is placed on top of a longer notice containing all the required elements," he says. "This grant of authority, though it comes in the preamble rather than in the rule itself, will be welcome news to a vast number of plans and providers."

In addition, the final rule allows disclosure for treatment, payment, and certain health care operations of other covered entities; reduces accountable disclosures; and permits an extra year to achieve compliance for pre-existing business associate agreements. Covered entities, meaning nearly anyone who transmits patient information to another party, will have until April 14, 2003, to comply with HIPAA.

Signing cover sheet is enough proof

When providing the patient notice of privacy practices, the patient’s acknowledgment must be in writing, but the rules do not prescribe a form, or require the individual’s signature to be on the notice itself. Instead, a covered health provider may, for example, have the individual sign a separate sheet or simply initial a cover sheet of the notice.

Handy says that in emergency situations, the notice must be provided as soon as is reasonably practical, and an acknowledgment is not required. If a provider cannot obtain the written acknowledgment, it must document its efforts and the reason for its inability to obtain the acknowledgment. The attempt must be made no later than the date of first service delivery, including service delivered electronically. A health care provider whose first treatment encounter with a patient is over the telephone may satisfy the notice requirement by mailing it to the individual no later than the day following the telephone conversation, he says.

HHS recommends that the notice include a tear sheet or other document that requests an acknowledgment be mailed back to the provider. If the individual chooses not to mail the acknowledgment back, the provider has made the necessary effort. If the health care provider’s initial contact with the patient is simply to schedule an appointment, the notice and acknowledgment requirements may be satisfied when the patient arrives for the appointment.

Most of the final HIPAA rule was the same as the revisions proposed in March 2002, but health care providers apparently are not getting started on compliance until the last minute, says Jack A. Rovner, JD, partner and co-chair of the Chicago Health Law Practice Group with the law firm of Michael Best & Friedrich in Chicago. He works closely with risk managers and others responsible for complying with HIPAA, and says he is dismayed at what he has seen so far.

"What I see them doing and what they should be doing are not necessarily the same thing," Rovner says. "If you haven’t started drafting your policies and procedures, that’s what you should be working on right now. The secret to compliance is having a set of policies and procedures that actually reflect your business processes, and implementing privacy requirements that address your actual business. I don’t see a lot of that happening yet."

Many health care providers have been working on HIPAA compliance for months, Rovner says, but they often get bogged down in the analyses and retrospective assessment of how they have handled privacy issues in the past. That kind of analysis has a place in planning for HIPAA compliance, but many providers devote way too much time to it, he says.

"People have avoided focusing on the hard work of drafting policies and procedures, and instead they’re spending time on gap assessments — saying this is what we used to do and this is what we need to do," he says. "You feel like you’re doing something; but if you do too much of that, you’ll find yourself without policies and procedures on April 14."

Rovner advises risk managers to avoid focusing on what they did with private health information last year. That’s not so important, he says. The more important question is what you will do with it next year. He points out that health care organizations already protect private health information and always have to some extent, so it’s not like HIPAA requires a wholesale reworking of your system. The biggest challenge, he says, will be to effect a cultural change that prompts your employees to think more about protecting a patient’s privacy to make that attitude second nature.

One major headache from the proposed HIPAA rule was eliminated by changes that assure health care providers won’t be prevented from carrying out normal, necessary transmissions of information. Previous versions led to fears that no information could be sent from one provider to another without the patient’s specific permission. But the final rule allows a covered entity to disclose protected health information to any provider for the latter’s treatment activities and to another covered entity or any provider for its payment activities. Rovner explains that the rule also allows a covered entity to disclose protected health information to another in order for the second organization to conduct quality control, competency control, or fraud control operations, as long as each has a relationship with the patient and the information pertains to that relationship.

Though HHS eased its position on some HIPAA issues, it took a hard line on marketing. The final HIPAA rule still prohibits providers from selling patient names to any marketers, such as pharmaceutical companies, without first getting the patient’s specific authorization. That was exactly the situation that led to a class-action lawsuit recently in Florida. The suit alleges that Walgreens pharmacy, a local hospital, three doctors, and Indianapolis drug manufacturer Eli Lilly & Co. misused patient records for a marketing campaign that mailed free samples of Prozac to people whose records indicated they might benefit from the drug. One recipient filed a lawsuit, saying he felt his privacy was invaded when Holy Cross Hospital in Fort Lauderdale, FL, and three doctors provided specific patient information for the drug marketing.

And to address a gray area that some providers had noted, HHS made clear that covered entities cannot use business associate agreements to get around HIPAA’s requirements regarding marketing. The final rule explicitly prohibits pharmacies or other covered entities from selling personal medical information to a business that wants to market its products or services under a business associate agreement.

Handy says the business associate agreements need the attention of risk managers. HIPAA permits a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of the covered entity that involves the creation, use or disclosure of protected health information, so long as the covered entity enters into a contract with the business associate containing specific privacy safeguards, Handy explains. The April 2003 compliance date may not provide enough time for large hospitals to reopen and renegotiate their business associate agreements unless you start working immediately, he says.

The final rule takes the same approach to the "minimum-necessary" concept as generally proposed in March. Handy explains that the concept of minimum necessary means that covered entities and their business associates should not use or disclose protected health information beyond what is reasonably necessary for the purpose of the use or disclosure. But HHS allows for some exceptions. For example, minimum necessary does not apply to a covered entity’s use or disclosure to another health care provider for treatment purposes. However, it does apply to uses or disclosures for payment and health care operations.

The final rule exempts from minimum necessary restrictions all uses or disclosures for which the covered entity receives an authorization from the individual to whom the health information pertains or the individual’s authorized representative. HHS emphasizes that any authorization must include a description of the information covered "in a specific and meaningful fashion."

Like Rovner, Handy cautions that there is significant work to be done before April 2003. They both advise reading the HIPAA rule carefully, including the preamble, to determine what changes may be necessary in your policies and procedures. HHS’s explanations in the preamble probably "create or enhance legal duties that covered entities need to identify and keep in mind for risk management purposes," Handy says. (To see the entire HIPAA rule at the HHS web site, go to www.hhs.gov/ocr/hipaa.)

However you approach HIPAA compliance, Rovner says you must avoid being paralyzed by the fear that HIPAA will turn your world upside down. That fear is not justified, he says.

"I don’t think people have taken a rational approach to HIPAA and that’s why we’re not very far along in compliance," he says. "There’s too much hysteria. It’s complicated and requires work, but it’s not what everyone has made it out to be. It is not the end of health care as we know it."