HHS proposes big changes to HIPAA privacy regulations

But the changes to patient privacy regulations are likely to cut both ways, experts say

The Department of Health and Human Services (HHS) has proposed major changes to the privacy regulations set to go into effect April 2003. Health care attorneys say the changes go further in relaxing some of the most onerous provisions than most observers expected. But like most things involving the Health Insurance Portability and Accountability Act (HIPAA), some changes fly in the opposite direction, they add.

Many of the changes contained in the proposed rule address problems identified by HHS in the guidance it released last summer, says Rebecca Williams, a partner with Davis Wright in Seattle. But some of the proposed changes not foreshadowed in the guidance are likely to be good news for the health care industry, she adds.

The most significant change would be the elimination of the need for a written patient consent to allow providers to use protected health information for treatment, payment, and operations, says Williams. Providers argued that requirement would impede access to care and did not give patients any real control over their health information. HHS apparently agreed. The new rule simply would require providers to use good-faith efforts to obtain a written acknowledgement of the receipt of their notice of privacy practices.

The proposal also would give payers and providers more latitude in sharing health information for payment and operations, Williams says. Under the current rule, a covered entity can use health information for its own operational purposes, but there has been confusion about whether a covered entity could disclose the information to another provider to obtain payment or for quality assurance or credentialing purposes. The proposed changes would permit the sharing of information for these and other similar purposes, she says.

That’s the good news. The bad news is that what many consider to be the most burdensome aspect of the current rule — the minimum-necessary rule — was left largely unchanged, says Paul Smith, a Davis Wright partner in San Francisco. In this area, HHS merely repeats its earlier assurances that covered entities have flexibility to address their unique circumstances and can make their own assessment of what protected health information is reasonably necessary for particular purposes.

The proposed rule would explicitly permit incidental disclosures resulting from such activities as discussions at nursing stations, the use of sign-in sheets, and calling out names in waiting rooms, he adds.

According to Leigh-Ann Patterson, a partner with Nixon Peabody in Boston, the proposed regulation also would tighten the restrictions on health-related marketing activities. The current rule allows private health care information to be used for marketing purposes without prior patient authorization, as long as the solicitation or promotional materials contain certain disclosures and opt-out provisions.

Patterson says the proposed change closes this loophole by requiring prior patient authorization before any protected health care information may be used for marketing purposes. That means permission-based marketing programs no longer will be the exception, but rather the rule.

The proposed rule also would give covered entities an extension of up to one year to modify their business associate agreements, says Steve Zubiago, a Nixon Peabody partner in Providence, RI. Although HHS was urged to eliminate the business-associate contract requirement — which requires providers to secure contractual obligations from their business associates stating that they too will abide by HIPAA’s privacy rule — HHS stood firm and instead attempted to make compliance less burdensome. Under the proposed change, covered entities will have until April 14, 2002, to amend their various contracts to incorporate the HIPAA privacy promise.

HHS is accepting comments on the proposed changes for 30 days. However, all sides expect the proposed changes to be fully implemented.

There still is considerable confusion regarding the manner in which privacy will be enforced by HHS. Bill Braithwaite, director at PricewaterhouseCoopers in Washington, DC, says a good rule of thumb is this: "If you don’t surprise the patient, you won’t get into trouble." Sometimes, even if you do surprise patients, such as by publishing their e-mail address on the web accidentally, the damage can be ameliorated if they are contacted immediately, he adds.

According to Braithwaite, this approach is especially important in the area of medical research because many people in that environment are not accustomed to directly dealing with patients. "They forget that they are people rather than records in a database," he asserts. "They can cause you a lot of problems."

Braithwaite notes that providers now are waiting for the final rule for the HIPAA security requirements. The proposed rule for security was published in 1998, but the final rule has yet to appear. "It is kind of bizarre," asserts Braithwaite, who until recently was HHS’ point man on privacy and security. "The final rule has been ready for many months," he says. "It was finalized as soon as the final privacy rule was finalized."

The rationale for delaying it until now was that privacy and security must operate together, says Braithwaite, noting that HHS now says it expects to publish the final security rule in the summer.

Regardless of when the final rule appears, Braithwaite says providers must know something about security. Not only has the proposed rule for security been published, but the final privacy rule includes several security concepts, he says.

"Knowing something about security even without the final security rule is important," he asserts. "The basic philosophy is expressed in the HIPAA law quite clearly — covered entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards."