Lawyers at the offices of Davis Wright Tremaine recently took the time to analyze the massive final privacy regulation issued by the Department of Health and Human Services (HHS) on Dec. 20, 2000. Here are the parts of the regulations that Clark Stanton, JD, Paul Smith, LLB, and Reece Hirsch, JD, partners in the San Francisco office; Kathy Fritz, RN, APN, JD, an associate attorney in the Portland office; and Richard Marks, JD, a partner in the Washington, DC, office, found particularly interesting.
• The extension of the regulation to include all individually identifiable health information.
The most significant change is that the regulations now extend to all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form, the lawyers say. This includes purely paper records and oral communications. In contrast, the proposed rule only covered information that had at some point existed in electronic form. The difficulty of tracking electronic and non-electronic information had convinced many observers that the distinction made in the proposed rule was unworkable, but there are concerns that HIPAA (the Health Insurance Portability and Accountability Act of 1996) may not authorize this expansion of the regulations’ coverage.
• The change in business partner agreements.
Business partner agreements (now called business associate contracts) need no longer give patients direct rights over health care information in the hands of a covered entity’s business associate. In addition, the final regulations also withdrew from the proposed rule a hotly debated requirement that business associate contracts declare patients to be third-party beneficiaries of the contract.
• The clarification of business association monitoring.
The final regulations clarify that covered entities are not required to actively monitor business associates for compliance with their contracts, although they must take action if they know of practices that violate the agreement. The regulations also clarify that physicians on hospital medical staffs are not, by virtue of their staff membership, business associates of the hospital. "When a hospital shares protected health information with a third party that it contracts with to carry out some facet of its operations, the provider will have to enter into an agreement with that business associate to ensure that the business associate is observing the same safeguards that the covered entity is required to adhere to," Hirsch says. "Building that language into all of the hospital’s vendor contracts will be burdensome."
• The introduction of the organized health care arrangement.
The final regulations introduce the concept of an organized health care arrangement, which is a clinically integrated setting in which patients receive care from more than one provider, an organized system of health care, or a combination of group health plans or of group health plans and insurers. Participants in an organized health care arrangement are permitted to use and disclose information for the health care operations of the arrangement, just as they are for their own health care operations. Participation in an organized health care arrangement does not, by itself, make the participants business associates of one another.
• The additional requirement for patient consent.
Subject to limited exceptions, providers and other covered entities will need to obtain a patient’s consent to the entity’s disclosure of the patient’s health information for treatment, payment and the entity’s own operations. This is a significant shift from the proposed rule, which would have permitted such use of information without the patient’s authorization. The consent requirement is an important provision that wasn’t in the proposed regulation, Hirsch says. "It means that a hospital must obtain this new consent to privacy practices as part of every admission."
• The limited use of patient information for fundraising.
Providers will be pleased to know that the regulations permit them to use limited patient information, without patient authorization, in connection with their fundraising activities, including fundraising by related foundations.
• The retention of the "minimum necessary" standard.
The final regulations retain the minimum necessary standard first set forth in the proposed rule, under which a disclosure of protected health information, even where authorized by the regulations, must be limited to the minimum necessary to accomplish the purpose for which it is made. Under the final regulations, however, this determination does not have to be made when responding to a request from another covered entity. Instead, the final rule states that a covered entity requesting protected health information from other covered entities must limit its request to what is reasonably necessary to accomplish the purpose for which the request is made.
The good news is the exception to the standard, Hirsch explains. "For example, if you are a physician who is sharing a medical record with another physician for the purpose of consultation, the physician doesn’t have to worry about restricting access to portions of the medical record that may not be directly relevant to the consultation."
If a provider is sharing health information with a billing company, or even among departments in its own facility, however, the hospital will have to decide how much information is sufficient. "That is a muddy issue," he says. "The regulations do not provide specific guidance, so ultimately the provider must make its own good-faith judgment. And the judgment will have to be made on a case-by-case basis. This can be viewed as a fairly burdensome requirement."
• The new requirements for group health plans.
The final regulations include new requirements relating to disclosures of protected health information by group health plans. Group health plans include insured and self-insured plans sponsored by employers, and other employee welfare benefit plans subject to ERISA (the Employee Retirement Income Security Act of 1974). However, self-administered plans having fewer than 50 participants are not covered. For a group health plan to share protected health information with a plan sponsor (typically, the employer), there must be specific restrictions on the sponsor’s use and disclosure of the information. For example, the sponsor must restrict access to protected health information to employees who perform health plan administrative functions on behalf of the sponsor.
• The continuation of special requirements for research purposes.
The final regulations continue the special requirements for use of protected health information for research purposes, such as approval by an institutional review board or a privacy board. However, the requirements in the final regulations are more comprehensive and restrictive than in the proposed rule.
• The delegation of the privacy regulations enforcement.
Enforcement of the privacy regulations has been delegated to the HHS Office of Civil Rights. The regulations do not provide for a private right of action that would permit patients to sue for violations, but there are both civil and criminal penalties for violation, including a fine of up to $250,000 and imprisonment for up to 10 years for knowingly disclosing or obtaining protected health information if done for commercial or personal gain or for malicious harm.
The final HIPAA privacy rule will also impose new requirements on the activities of hospitals marketing products or services to their patients, Hirsch says.
Some people have thought this provision liberalizes the ability of the health care provider to use patient information to engage in marketing solicitation, he says. "I don’t think it creates that much flexibility. In fact, it creates some new hurdles for providers to jump through before they can engage in certain marketing activities."
The provision says that the covered entity doesn’t have to get the authorization of a patient to do marketing communication if the entity is communicating face-to-face with the individual or if the communication relates to products or services of nominal value. (This provision applies to the marketing of hospitals’ services, as well.)
But if it is another form of communication and if it involves the services of the hospital or a third party, then the entity must meet a series of requirements. "You have to make sure the patient understands who the communication is coming from. You have to disclose any financial relationship if you are getting paid to make the communication, and you have to let the patient know how to opt out of receiving future communications," he says. The entity also has to make reasonable efforts to ensure that patients who opt out are no longer receiving communications.
If the entity is targeting patients based on a particular medical condition, it has to explain to the individuals why they were targeted and how the product that is being marketed relates to their health.
"I don’t believe most health care providers are currently following that rigorous a standard when they are engaging in marketing to patients," Hirsch says.
[Editor’s note: For more information about the privacy rule, Reece Hirsch can be contacted at (415) 276-6514 or email@example.com.]