HHS dispels ‘myths’ about privacy guidance

Health care providers will be well-served to disregard many of the "myths" surrounding the U.S. Department of Health and Human Services (HHS) final regulation on patient privacy, according to Linda Sanchez of HHS’ Office of Civil Rights and author of the agency’s recent privacy guidance.

The first myth is that "extraordinary" activities will be required for health care providers to be in compliance with the new rule, which now is scheduled to go into effect in April 2003, Sanchez told listeners to the Philadelphia-based Health Care Compliance Association’s Aug. 8 audio conference on the privacy guidance.

Another myth is that health care providers still have a lot of time to come into compliance. Long-time privacy expert and health care attorney Jim Pyles says that while dispelling rumors about the final privacy rule is important, so is understanding that the new target dates for compliance are not likely to change. "You need to pay attention to it, and you need to pay attention to it now," warns Pyles of Powers Pyles in Washington, DC.

Health care providers who are banking on a further reprieve from Congress are making a risky gamble, he says. Pyles notes that one bill already introduced in Congress would delay the compliance date for the standards under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 until 24 months after they are issued. But even if that bill passes, it will not alter the effective date for privacy requirements.

Meanwhile, litigation has surfaced in several states challenging the scope of the final rule. But those legal challenges face an uphill battle because they are taking on the constitutionality of the act itself, he adds.

Sanchez further clarified several key areas:

- Minimum necessary. According to Sanchez, there was a great deal of angst among providers regarding the minimum necessary requirements. "Many people did not understand this was a ‘reasonable’ standard," she explains. "Many people seemed to think this was an ‘absolute’ standard."

Sanchez says the general idea is that providers should be making uses and disclosures of information that are consistent with good practices that a "prudent professional" might exercise. She says that information can come from a variety of sources, and it is then up to providers to make sure it makes sense within their own facility.

- Oral communications. Another myth concerns the restrictions on oral communications, which are viewed by many as an entirely new policy. Sanchez says that’s not the case and that HHS plans to provide further clarification regarding information that third parties might overhear.

"It was certainly not the intent that people be in violation of the rule if adequate safeguards have been put in place and minimum necessary [requirements] were followed," she says. If providers take "reasonable steps," they should be in compliance, she says. That means that entirely new configurations are not required, she adds.

- Business associates. "There is a lot of confusion regarding business associates," warns Sanchez. One myth that surfaces almost everywhere, she says, is that the entire privacy rule applies to business associates. "That is not the case," she counters.

The rule requires covered entities to use contracts to get assurance from business associates that they will properly safeguard information, says Sanchez. However, the safeguards required by that contract are much more restricted than what is required of covered entities themselves.

Sanchez says the other major question in this area is whether covered entities are liable for all the actions of business associates. She says a covered entity is not required to monitor the activities of a business associate, even though that might be a good business practice. What is required is for covered entities to take "reasonable steps" to cure any material breach of the contract, she explains.