HHS proposes changes to HIPAA requirements

By Elizabeth E. Hogue, Esq.
Burtonsville, MD

On March 27, 2002, the U.S. Department of Health and Human Services (HHS) published proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy requirements that may impact providers as follows:

Providers with direct treatment relationships with individuals no longer would be required to obtain an individual’s consent prior to disclosing information about the patient for treatment, payment, and health care operations. Providers may, however, obtain consent if they choose to do so.

Providers that choose to obtain consent will have complete discretion in designing the consent process.

Except in emergency situations, providers with direct treatment relationships with individuals would be required to make a good-faith effort to obtain patients’ written acknowledgement of receipt of providers’ notices of privacy practices at the time of first service delivery. The form of such acknowledgements is left up to the discretion of providers. If providers cannot obtain acknowledgement, they must document their good-faith efforts and the reasons for failure.

Incidental uses and disclosures consistent with the minimum-necessary standard would be permitted.

Certain existing contracts with business associates would be "grandfathered." That is, providers would be required to bring contracts with business associates into compliance when the provider renews or modifies the contract after April 14, 2003, or April 14, 2004, whichever is sooner.

Authorization would be needed for uses and disclosures for marketing purposes, except for items of nominal value, but not for treatment purposes.

State statutes would govern release of information to the parents of unemancipated minors. If state law permits a minor to obtain care without the consent of a parent, but is silent as to whether the parent can access the related medical records of the minor, then the provider may provide access or deny access to the parent, if such denial of access is consistent with state law.

The list of items that must be included in authorizations would be standardized.

Sharing of information as part of a due-diligence process related to a sale, transfer, merger, or consolidation, including the transfer of records, generally would be permitted.

Providers could include sample language in contracts with business associates to ensure compliance.

If these proposed changes are finalized, what should providers do?

1. Providers should continue to obtain consent to release of health care information. Even though this requirement may be dropped from the final regulations, it is good risk management for providers to obtain consent anyway. Since providers historically have obtained consent, continuation of this practice is unlikely to be burdensome.

2. Whether the proposed changes are adopted or not, providers should continue to take a common-sense approach to HIPAA privacy requirements. It has been suggested that without the proposed modification, providers who receive referrals would not be permitted to contact patients to provide services without patients’ consent because contacting patients would be a "use" of information without patients’ consent. Commentary that’s been received on the proposed modifications, as well as old-fashioned common sense, suggests that this result is not acceptable.

3. If written acknowledgement of notice is required, providers should include such an acknowledgement in forms they already ask patients to sign upon admission. No new forms are necessary to meet this requirement.

4. Providers should review the model language in the appendix to the proposed changes that addresses the issue of obligations of business associates. Providers should utilize this model language in revised contracts to the extent it is applicable to specific relationships with business associates.

5. Providers may be concerned about distinguishing between marketing activities and treatment activities. The key for providers seems to be that concerns about these differences should not impede access to care or quality of care.

Providers must continue to monitor additional developments with regard to compliance with the HIPAA requirements.

[A complete list of Elizabeth Hogue’s publications is available by contacting: Elizabeth E. Hogue, Esq., 15118 Liberty Grove, Burtonsville, MD 20866. Telephone: (301) 421-0143. Fax: (301) 421-1699. E-mail: ehogue5@comcast.net.]