Final HIPAA privacy rule still too onerous for some

Much work is needed to comply, some experts say

Although the final version of the Health Information Portability and Accountability Act’s (HIPAA) privacy rule included some good news for those who feared it would be an unworkable, burdensome mess, there is good reason to think it will require considerable work for compliance.

When the medical privacy rule was finalized recently, providers noticed right away that they had won some long-fought battles, most notably on the issue of whether explicit consent would be required from patients for the disclosure of medical information during routine health care operations. In the final HIPAA rule, the U.S. Department of Health and Human Services (HHS) said that such explicit consent is not necessary and existing consent procedures might be sufficient.

Covered entities will have to provide patients with a written notice that explains the provider’s privacy practices and patients’ individual privacy rights, but in a big change from previous versions of HIPAA, HHS now says that providers will only have to make a good-faith effort to obtain a patient’s written acknowledgment of that statement. Under much stricter previous versions of the rule, patient care could not proceed without the patient’s written consent.

Most covered entities will have until April 14, 2003, to comply with HIPAA. Some small health plans have until April 14, 2004, to comply.

HHS takes a hard line on data for marketing

Marketing, however, is an area in which HHS did not back down much. HIPAA still prohibits providers from selling lists of patient names to pharmaceutical companies or other marketers without first getting the patient’s specific authorization. HHS also changed the marketing sections to make clear that covered entities cannot use business associate agreements to get around HIPAA’s requirements regarding marketing.

In a change from previous versions, the final rule explicitly prohibits pharmacies or other covered entities from selling personal medical information to a business that wants to market its products or services under a business associate agreement.

The business associate agreements still will require significant attention from providers, says Barrie K. Handy, JD, an attorney with the law firm Davis Wright Tremaine in Seattle. HIPAA permits a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of the covered entity involving the creation, use, or disclosure of protected health information, as long as the covered entity enters into a contract with the business associate containing specific privacy safeguards, Handy explains. There has been widespread concern that the April 2003 compliance date will not provide enough time for large hospitals to reopen and renegotiate their business associate agreements.

"The amendments allow covered entities to continue to operate under existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date," Handy says. "A covered entity’s contract with a business associate would be deemed to be in compliance with the privacy rule until either the date the contract is renewed or modified after April 14, 2003, or until April 14, 2004, whichever is sooner."

Requirements for research authorization also have been simplified. For patient information used in medical research, the final HIPAA rule backed down from some of the strictest proposals of recent years.

At one point, the Clinton administration had proposed that 19 patient identifiers be removed from any information used in medical studies, but researchers argued that removing that much data would make the information useless.

The final rule backs off considerably, requiring only that researchers remove "direct identifiers" that could easily identify the patient. Examples are the person’s name, Social Security number, street address, and e-mail address.

HHS also removed the worst parts of the so-called "minimum necessary" provision involving communications between medical providers regarding patient care.

The American Hospital Association (AHA) in Chicago and others had argued that the provision would have prevented physicians and other covered entities from freely communicating as part of patient care.

But Handy cautions that the "minimum necessary" rule isn’t gone completely. He says the final amendment takes the same approach to the "minimum necessary" concept as proposed in revisions in March 2002. The final rule "emphasizes that ‘minimum necessary’ is not intended to impede delivery of health care and is intended to offer covered entities flexibility to tailor the rule to the circumstances of their particular operations," Handy says.

For example, Handy says "minimum necessary" does not apply to a covered entity’s use or disclosure to another health care provider for treatment purposes. However, it does apply to uses or health disclosures for payment and health care operations.

In addition, HIPAA requires that patients give specific authorization before entities covered by the rule can use or disclose protected information in nonroutine circumstances, such as releasing information to an employer.

Many health care providers and advocates welcomed the changes in the final rule, particularly the AHA, which had fought hard against earlier proposals. Dick Davidson, AHA president, said the final HIPAA rule is good news for patients because it strengthens the privacy of medical information without getting in the way of good patient care. Issuing the AHA’s response to the final version, he said it "puts common sense ahead of bureaucracy. Unfortunately, earlier proposals could have created logjams in providing patients with timely care and more paperwork in a system already choked with paper. Hospitals couldn’t work with a patient or physician to schedule any tests or surgery until the patient received and read a lengthy privacy notice and returned it to the hospital," he said.

[For more information, contact:

  • Barrie K. Handy, JD, Davis Wright Tremaine LLP, 2600 Century Square, 1501 Fourth Ave., Seattle, WA 98101-1688. Telephone: (206) 628-7404.]