Now the serious work begins on compliance
When the U.S. Department of Health and Human Services (HHS) recently issued the final privacy rule required by the Health Insurance Portability and Accountability Act (HIPAA), some provisions that had caused consternation over the past year were reworked significantly or deleted altogether. The most significant change involved whether explicit written consent would be required from patients for the disclosure of medical information during routine health care. Previous versions of the rule had required that providers obtain written consent from the patient for the use of protected medical information during treatment, and treatment could not proceed without that permission. But in the final HIPAA rule, HHS took a less strict stance and said that such explicit consent is not necessary.
Instead, covered entities will have to provide patients with a written statement that explains the provider’s privacy practices and the patient’s individual privacy rights. HHS still wants providers to try to obtain a patient’s written acknowledgment of that statement, but if that is not possible or practical, it is sufficient to show that the provider made a good-faith effort to do so.
Barrie K. Handy, JD, an attorney with the law firm of Davis Wright Tremaine in Seattle, says HHS has responded to concerns that the notice of privacy practices was too long.
"The preamble encourages use of a 'layered notice' — a short, summary notice that is placed on top of a longer notice containing all the required elements," he says. "This grant of authority, though it comes in the preamble rather than in the rule itself, will be welcome news to a vast number of plans and providers."
In addition, the final rule allows disclosure for treatment, payment, and certain health care operations of other covered entities; reduces accountable disclosures; and permits an extra year to achieve compliance for pre-existing business associate agreements. Covered entities, meaning nearly anyone who transmits patient information to another party, will have until April 14, 2003, to comply with HIPAA.
When giving the patient notice of privacy practices, the patient’s acknowledgment must be in writing, but the rules do not prescribe a form or require the individual’s signature to be on the notice itself. Instead, a covered health provider may, for example, have the individual sign a separate sheet or simply initial a cover sheet of the notice.
Handy says that in emergency situations, the notice must be provided as soon as is reasonably practical, and an acknowledgment is not required. If a provider cannot obtain the written acknowledgment, it must document its efforts and the reason for its inability to obtain the acknowledgment. The attempt must be made no later than the date of first service delivery, including service delivered electronically. A health care provider whose first treatment encounter with a patient is over the telephone may satisfy the notice requirement by mailing it to the individual no later than the day following the telephone conversation, he says.
HHS recommends that the notice include a tear sheet or other document that requests an acknowledgment be mailed back to the provider. If the individual chooses not to mail the acknowledgment back, the provider has made the necessary effort. If the health care provider’s initial contact with the patient is simply to schedule an appointment, the notice and acknowledgment requirements may be satisfied when the patient arrives for the appointment.
Providers waiting until the last minute
Most of the final HIPAA rule was the same as the revisions proposed in March 2002, but health care providers apparently are not getting started on compliance until the last minute, says Jack A. Rovner, JD, partner and co-chair of the Chicago Health Law Practice Group with the law firm of Michael Best & Friedrich in Chicago. He works closely with risk managers and others responsible for complying with HIPAA, and he says he is dismayed at what he has seen so far.
"What I see them doing and what they should be doing are not necessarily the same thing," he says. "If you haven’t started drafting your policies and procedures, that’s what you should be working on right now. The secret to compliance is having a set of policies and procedures that actually reflect your business processes, and implementing privacy requirements that address your actual business. I don’t see a lot of that happening yet."
Many health care providers have been working on HIPAA compliance for months, Rovner says, but they often get bogged down in analyses and retrospective assessment of how they have handled privacy issues in the past. That kind of analysis has a place in planning for HIPAA compliance, but many providers devote far too much time to it, he says.
"People have avoided focusing on the hard work of drafting policies and procedures, and instead they’re spending time on gap assessments — saying, 'This is what we used to do and this is what we need to do,'" he says. "You feel like you’re doing something, but if you do too much of that you’ll find yourself without policies and procedures on April 14."
Rovner recommends avoiding too much of a focus on what you did with private health information last year. That’s not so important, he says. The more important question is what you will do with it next year. He points out that health care organizations already protect private health information and always have to some extent, so it’s not like HIPAA requires a wholesale reworking of your system. The biggest challenge, he says, will be to effect a cultural change that prompts your employees to think more about protecting a patient’s privacy, to make that attitude second nature.
One major headache from the proposed HIPAA rule was eliminated in the end by changes that assure health care providers won’t be prevented from carrying out normal, necessary transmissions of information. Previous versions led to fears that no information could be sent from one provider to another without the patient’s specific permission, but the final rule allows a covered entity to disclose protected health information to any provider for the latter’s treatment activities and to another covered entity or any provider for its payment activities. Rovner explains that the rule also allows a covered entity to disclose protected health information to another in order for the second organization to conduct quality control, competency control, or fraud control operations, as long as each has a relationship with the patient and the information pertains to that relationship.
Though HHS eased its position on some HIPAA issues, it took a hard line on marketing. The final HIPAA rule still prohibits providers from selling patient names to any marketers, such as pharmaceutical companies, without first getting the patient’s specific authorization. That was exactly the situation that led to a class action lawsuit recently in Florida. The suit alleges that a Walgreen’s pharmacy, a local hospital, three doctors, and drug manufacturer Eli Lilly misused patient records for a marketing campaign that mailed free samples of Prozac to people whose records indicated they might benefit from the drug. One recipient filed a lawsuit, saying he felt his privacy was invaded when Holy Cross Hospital in Fort Lauderdale, FL, and three doctors provided specific patient information for marketing of the drug.
To address a gray area that some providers had noted, HHS made clear that covered entities cannot use business associate agreements to get around HIPAA’s requirements regarding marketing. The final rule explicitly prohibits pharmacies or other covered entities from selling personal medical information to a business that wants to market its products or services under a business associate agreement.
Handy says the business associate agreements need the attention of risk managers. HIPAA permits a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of the covered entity that involves the creation, use, or disclosure of protected health information, so long as the covered entity enters into a contract with the business associate containing specific privacy safeguards, Handy explains. The April 2003 compliance date may not provide enough time for large hospitals to reopen and renegotiate business associate agreements unless they start working immediately, he says.
'Minimum necessary' rule still applies
The final rule takes the same approach to the "minimum necessary" concept as the version proposed in March. Handy explains that the concept of minimum necessary means covered entities and their business associates should not use or disclose protected health information beyond what is reasonably necessary for the purpose of the use or disclosure. But HHS allows for some exceptions. For example, minimum necessary does not apply to a covered entity’s use or disclosure of protected information to another health care provider for treatment purposes. However, it does apply to uses or disclosures for payment and health care operations.
The final rule exempts from minimum necessary restrictions all uses or disclosures for which the covered entity receives an authorization from the individual to whom the health information pertains or the individual’s authorized representative. HHS emphasizes that any authorization must include a description of the information covered "in a specific and meaningful fashion."
Like Rovner, Handy cautions that there is significant work to be done before April 2003. They both advise reading the HIPAA rule carefully, including the preamble, to determine what changes may be necessary in your policies and procedures. HHS’ explanations in the preamble probably "create or enhance legal duties that covered entities need to identify and keep in mind for risk management purposes," Handy says. (To see the entire HIPAA rule at the HHS web site, go to www.hhs.gov/ocr/hipaa/.)
However you approach HIPAA compliance, Rovner says you must avoid being paralyzed by the fear that HIPAA will turn your world upside down. That fear is not justified, he says.
"I don’t think people have taken a rational approach to HIPAA, and that’s why we’re not very far along in compliance," he says. "There’s too much hysteria. It’s complicated and requires work, but it’s not what everyone has made it out to be. It is not the end of health care as we know it."
Major Changes in HIPAA Privacy Rule
The final privacy rule required by the Health Insurance Portability and Accountability Act was published Aug. 14, 2002, in the Federal Register. The deadline for compliance is April 14, 2003 (April 14, 2004, for small health plans).
Here are the areas with major changes:
Copies of the Federal Register can be found at www.access.gpo.gov/su_docs/fedreg/frcont02.html. Click on "Wednesday, Aug. 14," and look under the "Health and Human Services Department."