Davis Wright Tremaine LLP
Advisory Bulletin

DHHS Issues Guidance to Address Privacy Rule Uncertainties
By Becky Williams, Paul Smith and Rachel Glitz
[July 2001]

On Friday, July 6, 2001, the Department of Health and Human Services (DHHS) issued guidance (Guidance) on specific requirements contained in the final Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Guidance is available at http://www.hhs.gov/ocr/hipaa.

The Guidance addresses many of the issues raised in the more than 11,000 comments received during the additional comment period offered by DHHS in March. DHHS Secretary Tommy Thompson stated, "This Guidance is an opening step in helping physicians, health care providers and health plans understand their obligations to patients under the rule."

The Guidance is divided into ten sections:

-- General Overview

-- Consent

-- Minimum Necessary

-- Oral Communications

-- Business Associates

-- Parents and Minors

-- Health-Related Communications and Marketing

-- Research

-- Government Access

-- Payment

Although reassuring in tone, the Guidance basically restates the Privacy Rule's requirements and provides some fairly simple examples. Further, the Guidance does not have the force and effect of law. Of note, DHHS recognized that certain provisions of the existing Privacy Rule would lead to unintended results. In response, DHHS indicated that it would modify such provisions through the formal rulemaking process.

Please visit the Davis Wright Tremaine HIPAA website for more information on the Privacy Rule and HIPAA-related issues.

GENERAL OVERVIEW

The Privacy Rule applies to health plans, health care clearinghouses and those health care providers who conduct certain financial and administrative transactions electronically. According to the Guidance, the purposes of the Privacy Rule are: to give patients more control over their health information; to set boundaries on the use and release of health care records; to establish appropriate safeguards for health information; to hold violators accountable; and to strike a balance when public responsibility requires certain disclosures. Patients will benefit by knowing how their information may be used and disclosed, by having the release of protected health information limited to the minimum reasonably necessary and by having the right to examine and amend their own records. The Guidance emphasizes that the requirements of the Privacy Rule are flexible and scalable and can be tailored to fit the size and needs of the particular covered entity.

HIPAA was designed to address "the current patchwork of laws" regulating personal health information. HIPAA provides uniform minimum requirements; state laws that provide stronger privacy protections will continue to apply.

DHHS plans to modify the current Privacy Rule, including standards related to: phoned-in prescriptions, referral appointments, allowable communications and the scope of the rules. Any changes will be made in accordance with the Administrative Procedure Act, which entails publishing a notice of proposed rulemaking, inviting public comment and promulgating a final rule.

CONSENT

The Privacy Rule establishes a uniform standard for covered health care providers to obtain their patients' consent before using or disclosing protected health information for the purposes of treatment, payment or health care operations. Unless an exception applies (in an emergency, due to substantial communication barriers or when treatment is required by law), providers with a direct treatment relationship to the patient must obtain a written consent. Health plans, health care clearinghouses and providers with an indirect treatment relationship to patients do not need to obtain consent.

The Guidance clarifies the distinction between a consent and an authorization. Whereas a consent permits the use and disclosure of protected health information for all treatment, payment and health care operations, an authorization is more limited. An authorization permits covered entities to use and disclose only specified protected health information to specified individuals or for specified purposes that are almost always purposes other than treatment, payment or health care operations. Unlike a consent, an authorization has an expiration date. While an obstetrician may rely on a consent to send an appointment reminder to a patient, the obstetrician needs an authorization before supplying the patient's name and address to a company marketing baby products. Similarly, selling a patient mailing list, disclosing information to an employer for employment decisions or disclosing information for eligibility for life insurance all require authorization.

The Guidance suggests just two situations where an authorization would be required for the purposes of treatment, payment or operations. Both relate to the use and disclosure of psychotherapy notes. First, with a few exceptions, authorization is required for the disclosure of protected health information contained in psychotherapy notes to another provider who did not take the notes. Second, if a covered entity such as a health plan must disclose protected health information contained in psychotherapy notes to a secondary payer, then such disclosure also requires authorization.

The Guidance clarifies that certain aspects of the Privacy Rule ease providers' ability to comply. If a patient refuses to consent to the use or disclosure of his or her protected health information for treatment, payment or health care operations, then the provider does not have to treat the patient. Furthermore, a provider need only obtain a patient's consent one time. Patients must receive notice of a covered entity's privacy practices and must have an opportunity to review those practices before being asked to sign a consent. Although the consent requirement provides an exception when there are substantial barriers to communication with the patient, a covered entity still must comply with its obligations under the Americans with Disabilities Act (ADA). The communication barrier offers an exception to the Privacy Rule, not an excuse to violate the ADA. And, while a patient may request restrictions on the use or disclosure of his or her protected health information, the entity does not have to comply with that request. The entity is bound by the requested restriction only if it agrees to the patient's request.

According to the Guidance, the Privacy Rule raises certain unintended problems that DHHS plans to correct. Direct treatment providers, such as specialists or hospitals, to which a patient is referred for the first time traditionally use protected health information to set up an appointment or schedule a surgery. Yet these providers normally will not have an opportunity to obtain written consent in advance of the appointment, which would prohibit them from using such information. Similarly, the Privacy Rule, as written, does not permit a pharmacist to use protected health information to fill a prescription that was telephoned in by a patient's physician if the patient is a new patient to the pharmacy and has not yet provided written consent. This problem exists under any circumstance when a patient's first contact with a direct treatment provider is not in person.

The consent requirement does not interfere with providers' ability to consult with each other about a patient's care. Unless the provider being consulted also has a direct treatment relationship with the patient, no additional consent is necessary.

A patient may revoke his or her consent only to the extent that the entity has not already taken action in reliance on the patient's consent. Thus, if consent is revoked before the provider bills for services, the revocation would not interfere with the billing or reimbursement for care. The revocation is effective only if it is in writing.

Under the Guidance, providers may use professional judgment in certain circumstances that might otherwise appear to violate the rule. For example, any health care provider may provide treatment without first obtaining consent if delaying treatment to obtain that consent would compromise the patient's care. As long as the provider attempts to obtain consent as soon as reasonably practicable following treatment, the prior use or disclosure of protected health information is not improper. Similarly, a pharmacist may allow a friend or relative of a patient to pick up the patient's prescription if doing so is clearly in the patient's best interest. Thus, if a person requests a specific prescription for a specific individual, thereby verifying his or her involvement in the patient's care, the pharmacist may provide the prescription.

In another clarification for pharmacists, the Guidance states that pharmacists do not need to obtain a consent to advise customers about over-the-counter medicines, provided that the pharmacist does not create or keep a record of any protected health information.

The Guidance also confirms that a consent for use or disclosure of protected health information may be signed electronically. A provider need not verify a signature if the patient signs it outside the provider's presence.

A covered entity is bound only by the terms of its own consent. An entity does not need to conform to the stricter standards of another covered entity just because the entity with the stricter standards is receiving protected health information. Unless the two covered entities are affiliated or participate in an organized health care arrangement and are using a joint consent, each is bound only by the content of its own consent form. If the covered entities are using a joint consent form, then there is no need to obtain additional consent forms in each state in which the patient receives treatment, unless state law imposes additional requirements not covered by the Privacy Rule.

MINIMUM NECESSARY

According to the Guidance, DHHS understands that "medical information must be conveyed freely and quickly in treatment settings, and thus understand[s] the heightened concern that covered entities have about how the minimum necessary standard applies in such settings." To increase covered entities' confidence in their ability to freely exchange whatever communications are required for treatment purposes, DHHS clarifies certain practices in the Guidance and plans to propose corresponding changes to the Privacy Rule. Not surprisingly, DHHS does not believe that the minimum necessary restrictions will impede the delivery of quality health care.

According to the Guidance, the Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of and requests for protected health information to the minimum necessary to accomplish the intended purpose. Covered entities have flexibility to address their unique circumstances and may make their own assessment of what protected health information is reasonably necessary for particular purposes. The Guidance emphasizes that the minimum necessary rule is a "reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today."

For uses of protected health information, a covered entity's policies and procedures must identify the persons or classes of persons who need access to the information to carry out their job duties, the categories or types of protected health information needed and conditions appropriate to such access. For example, according to the Guidance, hospitals may permit physicians, nurses and other providers involved in treatment to have access to the entire medical record without case-by-case review. Where use of the entire medical record is necessary, the covered entity's policies and procedures must explicitly so state and include a justification.

DHHS specifically states that the minimum necessary rules do not: prohibit covered entities from maintaining patient charts at bedsides; require that covered entities shred empty prescription vials; or require that x-ray light boards be isolated. Covered entities must take "reasonable precautions" to prevent inadvertent or unnecessary disclosure. By way of example, x-ray boards do not need to be totally isolated from all other functions; however, reasonable precautions should be taken so such boards are not accessible to the public. Along the same line, DHHS did not intend to prohibit the use of sign-in sheets but recognizes that the Privacy Rule is ambiguous about this common practice. DHHS states that it will propose modifications to the minimum necessary rule to increase covered entities' confidence that these practices are permissible.

With regard to medical residents, medical students, nursing students and other trainees, DHHS opines that the definition of "health care operations" covers training programs. Thus, covered entities may shape their policies and procedures to permit students and trainees access to patients' health information, including the entire medical record.

DHHS does not generally consider facility redesigns to be necessary to meet the reasonableness standard for minimum necessary uses. Covered entities may, however, need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.

Routine or recurring disclosures may be addressed by policies and procedures. For non-routine disclosures, covered entities must develop reasonable criteria on which case-by-case determinations may be made.

Covered entities are responsible for disclosing the minimum information necessary. In situations where a covered entity believes that a requestor is seeking more than the minimum necessary, a covered entity may rely on the judgment of the person requesting the information, if so allowed by the Privacy Rule and if such reliance is reasonable, despite the covered entity's concerns. DHHS notes that the Privacy Rule does not prevent covered entities from discussing their concerns with the requestor and negotiating an information exchange that meets the needs of both parties.

Generally, the minimum necessary rules do not apply to disclosures to third parties that are authorized by the individual (unless the authorization was requested by a covered entity for its own purposes), including authorized disclosures to a life insurer for underwriting purposes or to federal or state agencies in order to receive benefits. Additionally, the Privacy Rule exempts from the minimum necessary rules information required by the transaction and code sets standards.

ORAL COMMUNICATIONS

The Guidance encourages a common sense approach to oral communications concerning protected health information. While the Privacy Rule requires covered entities to have reasonable safeguards in place to prevent unauthorized use and disclosure, DHHS does not expect those efforts to guarantee the privacy of protected health information from any and all potential risks. Accordingly, the Privacy Rule does not require: that hospitals and doctors' offices be retrofitted to make them soundproof; that all rooms be made private; or that wireless or other emergency medical radio communications or telephone systems be encrypted. In judging whether safeguards were "reasonable," DHHS will consider all the circumstances, including the potential effects on patient care as well as the financial and administrative burden of implementing such safeguards.

Providers are not restricted from speaking to each other or to their patients in their efforts to provide care. It is unavoidable that some conversations will be overheard; however, communication that is appropriate in an emergency room may not be appropriate in an elevator. The Guidance implies that a communication will be judged at least in part by the setting in which it is made. DHHS suggests the following are reasonable oral communications: health care staff may coordinate services at hospital nursing stations; nurses and other health care professionals may discuss a patient's condition on the telephone with the patient, a provider or a family member; a health care professional may discuss laboratory test results with a patient or provider in a joint treatment area; health care professionals may discuss a patient's condition during training rounds in an academic or training institution; and a patient's name may be called out in a waiting room. DHHS promises to modify the Privacy Rule to reinforce and clarify that these and similar oral communications are not prohibited.

The Guidance suggests the following efforts to ensure privacy are "reasonable safeguards": asking waiting customers at pharmacies to stand back from the counter when another patient is being counseled; adding curtains or screens between patient treatment areas where oral communications are common; and installing cubicles, dividers and other shields in areas where multiple patient-staff communications occur routinely.

Covered entities generally do not need to provide patients with access to oral communications. While a patient is entitled to the protected health information contained in his or her designated record set, which is a set of records that the covered entity uses to make decisions about the individual, that information contains only recorded information. Thus, unless oral communications are recorded and transcribed, which is not generally required, such communications are not part of the record set that the patient is entitled to access. Certain oral disclosures, however, must be documented and made a part of the designated record set. For example, a physician who discloses a tuberculosis case to a public health authority may have to record that disclosure, whether the information was transmitted orally or in writing.

BUSINESS ASSOCIATES

The Privacy Rule permits a covered entity to disclose protected health information to business associates for treatment, payment and health care operations, as long as the business associate enters into an agreement providing assurances of confidentiality. The contractual undertakings a covered entity must obtain from its business associates are not as broad as the requirements that the Privacy Rule imposes on the covered entity. For example, a covered entity is not obligated to require that its business associates appoint a privacy officer or even develop policies and procedures for the use and disclosure of protected health information.

Covered entities need not actively monitor compliance by their business associates. The business associate contract must require the business associate to report violations, and a covered entity must take reasonable steps to cure the breach or end the violation and, if unsuccessful, must terminate the contract if feasible. According to the Guidance, only if a covered entity failed to take these steps would it be in violation of the Privacy Rule.

PARENTS AND MINORS

Generally, the person who holds individual rights under HIPAA to control health information is the person who has the right to control the health care itself. In the case of a minor, this is generally the parent, guardian or other person acting in loco parentis, and these people therefore generally have the right to see the minor's medical records. This is not the case, however, where state law or a court allows the minor, or someone other than the parent, to consent to treatment; in these cases the minor or other person giving the consent controls the health information. The regulations also permit the exclusion of the parent where the parent consents to a confidential relationship between the minor and a physician or where the covered entity determines that disclosure to the parent would be harmful to the minor. According to the Guidance, the Secretary of DHHS is reassessing these provisions of the regulations.

The Privacy Rule does not permit minors to be treated without parental consent. Further, subject to the exceptions just mentioned, the Privacy Rule permits parents to obtain information concerning emergency treatment of minors, even if they did not consent to it. State law will control in these instances.

HEALTH-RELATED COMMUNICATIONS AND MARKETING

According to the Guidance, as questions arise about what activities constitute marketing under the Privacy Rule, DHHS will provide additional clarifications. For now, the Guidance identifies specific activities that are not treated as marketing. A covered entity is not marketing when it: describes the participating plans or providers in its network; notifies enrollees which doctors and hospitals are preferred providers; identifies a pharmacy that accepts a particular drug coverage; or describes the services offered by a provider or the benefits covered by a plan.

The Guidance explains that communications about treatment are not regarded as marketing. A covered entity may use an individual's protected health information to tailor a health-related communication to that person if it is related to treatment. Recommending a specific brand-name or over-the-counter drug or making referrals is not barred by the Privacy Rule. Similarly, sending appointment and/or drug refill reminders is not considered marketing. The Guidance specifies that informing a smoker about a smoking-cessation program, even if that program is not provided by the recommending plan or provider, is not treated as marketing under the Privacy Rule. On the other hand, authorization is required to sell protected health information to third parties for their use and re-use or to disclose protected health information to outsiders for the outsiders' marketing purposes. Thus, a provider may not sell the names of pregnant women to baby formula manufacturers or parenting magazines, and a physician may not provide a patient list to a pharmaceutical company for a drug promotion program.

No patient authorization is required for marketing if it occurs in face-to-face communications or is for products of nominal value. Otherwise, to avoid the need for an authorization, the communication must satisfy specified requirements. For example, the communication must identify the covered entity making the communication so that consumers know the source of the marketing call or materials and must state if the covered entity is being compensated. With certain exceptions, the communication also must inform individuals how to opt out of further marketing communications, and covered entities must make reasonable efforts to honor those requests. When the communication targets specific individuals, the covered entity must: determine that the product or service might be of benefit to those individuals who are contacted; identify the conditions or characteristics being targeted; and explain how the product or service relates to that individual's health.

A covered entity may disclose protected health information to business associates for marketing purposes if the business associate is undertaking marketing activities on behalf of the covered entity. A business associate may offer telemarketing services, but the caller must identify the sponsoring covered entity and offer individuals the opportunity to opt out of further marketing efforts.

RESEARCH

In general, the Privacy Rule requires de-identification of protected health information to be used for research. Alternatively, information may be used with patient authorization or with a waiver of such authorization by an Institutional Review Board (IRB) or Privacy Board. The IRB or Privacy Board does not have to be created by the covered entity; it can be created by the recipient researcher, or it could be an independent board.

The Guidance argues that the Privacy Rule is in many respects less restrictive than pre-existing federal regulations (called the Common Rule) and that the Privacy Rule should encourage participation in research by assuring participants of the confidentiality of their health information. Although IRB or Privacy Board determinations involve subjective judgment that may have differing results, the process builds on the Common Rule, and the deliberative process is an important aspect of patient protection. Where both the Privacy Rule and the Common Rule apply, a covered entity will have to comply with both. For example, it may be necessary to obtain both an informed consent under the Common Rule for participation in the trial and an authorization under HIPAA for use or disclosure of health information.

Researchers may require participants in a study to authorize the release of pre-existing health information. With proper authorization or waiver, researchers may create a database of protected health information, which may then be used for future research if individual authorization or a waiver is obtained for that future research.

Individuals are entitled to access to research information about themselves if it is contained in a designated record set. If research information is not contained in a designated record set, the individual would not be entitled to access to it. In addition, individuals may be denied access to information while the clinical trial is in progress, as long as they consent to this when they agree to participate in the trial.

The Privacy Rule creates exceptions to individuals' right of access to their health information to ensure that clinical laboratories are not required to disclose information if doing so would violate the Clinical Laboratory Improvements Act of 1998 or jeopardize the laboratory's CLIA exemption.

RESTRICTIONS ON GOVERNMENT ACCESS TO HEALTH INFORMATION

In an apparent attempt to defuse certain powder keg concerns raised by HIPAA opponents, DHHS emphasizes that the Privacy Rule does not require a covered entity to send medical information to the government for a government database or similar operation. The Privacy Rule does not grant any new government access to health information, except that the Office of Civil Rights (OCR) is given the authority to investigate HIPAA-related complaints and to ensure HIPAA compliance. DHHS notes that OCR needs access to information "pertinent to ascertaining compliance" to enforce the Privacy Rule. For example, OCR may need access to protected health information to investigate allegations that a covered entity refused to make a requested correction in a patient's medical record, that a covered entity did not provide complete access to a patient's records or that a covered entity used health information for marketing purposes without individual authorization.

DHHS states that the Privacy Rule does not expand current law enforcement access to individually identifiable health information. The Guidance argues that the Privacy Rule actually limits certain access that currently exists.

DHHS clarifies that a covered entity does not need to obtain patient permission to notify public health authorities of the occurrence of a reportable disease. Additionally, the Privacy Act of 1974 will continue to apply as it does now.

PAYMENT

Under a general consent, a covered entity may disclose protected health information for payment purposes. The definition of "payment" in the Privacy Rule is not intended to be exhaustive and includes the use of debt collection and location agencies, although the covered entity would need a business associate contract with such an agency. The covered entity and its agent would have to comply with the Fair Debt Collection Practices Act. The Privacy Rule also permits limited disclosures to consumer reporting agencies, which should be sufficient to enable covered entities to comply with the Fair Credit Reporting Act.

For more information about the Guidance or other HIPAA, privacy, security or standardization requirements, please go to the Davis Wright Tremaine HIPAA website.

This Davis Wright Tremaine HIPAA Alert is not to be construed as legal advice but merely the reporting of recent developments. If specific advice is required, please contact the attorney of your choice.
