HIPAA Advisory Bulletin
HHS Releases Final Amendments to HIPAA Privacy Rule
Analysis & Comments on Major Changes to HIPAA Patient Privacy
By Rachel Glitz, Carol Pratt, Paul T. Smith, Rebecca L. Williams, and Joan Wilson
Federal Register, August 14, 2002
The U.S. Department of Health & Human Services (HHS)
has released final changes to the privacy regulations issued under
the Health Insurance Portability and Accountability Act of 1996.
The changes will be published in the Federal Register on August
14. They can be downloaded from the website of the HHS Office for
Civil Rights at http://www.hhs.gov/ocr/hipaa/.
The amendments make important changes to the HIPAA
privacy regulations due to go into effect in April 2003. The changes
were foreshadowed by proposed amendments published in March of this
year (see http://www.dwt.com/practc/hc_ecom/bulletins/04-02_DHHSProp.htm).
By and large, the final amendments adopt the proposed changes with
few major differences.
As anticipated, the most important change from the
current final regulation is the elimination of the need for a written
patient consent to allow providers to use protected health information
(PHI) for treatment, payment and health care operations. This consent
was purely symbolic, because HIPAA would have prevented anyone who
refused to give it from obtaining treatment. The requirement would
also have resulted in a great deal of regulatory complexity, and
threatened to impede access to health care. In its place, the regulation
now requires only that direct health care providers use good faith
efforts to obtain a written acknowledgement of receipt of their
notice of privacy practices.
HHS has responded to concerns of many providers and
health plans that the notice of privacy practices was too long.
The preamble encourages use of a "layered notice" - a short, summary
notice that is placed on top of a longer notice containing all the
required elements. This grant of authority, though it comes in the
preamble rather than in the rule itself, will be welcome news to
a vast number of plans and providers.
The changes also give payers and providers greater
latitude in sharing health information for payment and operations.
Previously, a covered entity would have been able to use health
information for its own purposes, but could not, for example, have
given the information to another provider to use to obtain payment
or for other operational purposes, such as quality assurance. The
changes will permit limited sharing of information for these and
other similar purposes.
On the other hand, that most burdensome aspect of
the current rule, the minimum necessary rule, emerges from the amendments
largely unaltered, although HHS has stated that covered entities
have flexibility to address their unique circumstances and can make
their own assessment of what protected health information is reasonably
necessary for particular purposes.
Another significant modification provides an extension
period for covered entities to amend existing written agreements
with business associates to include confidentiality provisions to
implement the business associate requirements.
The final amendments contain no major departures
from those proposed in March. Perhaps the biggest difference is
the addition of a class of information, called a "limited data set,"
which is not completely de-identified, but which can nevertheless
be used for research, public health or health care operations. This
approach was discussed in the preamble to the proposed regulations,
and has now been adopted.
The final changes clarify that the development of
research repositories and databases for future research is itself
considered research, and would therefore generally require patient
authorization. This clarification places a premium on carefully-drafted
authorizations by suggesting that a well-drafted authorization could
permit the creation of databases that may be used for research purposes
that were not contemplated at the time the authorization was obtained.
The final changes to the rules relating to marketing
are not exactly as proposed, although the main thrust - narrowing
the situations in which PHI can be used for marketing without the
individual's authorization - is preserved. There are also changes
to the rules relating to the content of written authorizations,
and the ability of covered entities to combine them with other documents,
and to condition the provision of services or benefits on the individual's
agreement to give an authorization.
The final amendments also contain provisions easing
the burden on covered entities for accounting to patients for the
use or possible use of their health information for research purposes.
A more detailed summary follows. If you would like
to discuss these changes with a member of our HIPAA Practice Group,
please visit our website at www.ehealthlaw.com
or email us at hipaa@dwt.com.
CONSENT FOR TREATMENT, PAYMENT & HEALTH CARE OPERATIONS
One of the most controversial elements of the HIPAA
privacy rule has been the requirement that direct care providers
obtain the patient's written consent to the use or release of protected
health information for treatment, payment and health care operations.
The final amendments eliminate this requirement, and substitute
a requirement that direct health care providers make a "good faith
effort" to obtain a written acknowledgement of receipt of the provider's
Notice of Privacy Practices. Health plans are not required to obtain
this acknowledgement, but may do so if they choose. The final amendments
make the written consent optional on the part of all covered entities,
including providers with direct treatment relationships.
NOTICE OF PRIVACY PRACTICES
Covered entities are required to provide patients
and enrollees with a Notice of Privacy Practices, describing the
uses and disclosures that may be made of their PHI, and their rights
over their PHI. Acknowledgement of receipt of the notice now serves
in lieu of a consent for the use of PHI for treatment, payment and
health care operations. The amendments require direct health care
providers to make a "good faith effort" to obtain this acknowledgement;
health plans are not required to seek it, but may do so if they
choose.
The acknowledgement must be in writing, but the rules
do not prescribe a form, or require the individual's signature to
be on the notice itself. Instead, a covered health provider may,
for example, have the individual sign a separate sheet or simply
initial a cover sheet of the notice.
In emergency situations, the notice must be provided
as soon as is reasonably practical, and an acknowledgement is not
required. If a provider cannot obtain the written acknowledgement,
it must document its efforts and the reason for its inability to
obtain the acknowledgement.
The attempt must be made no later than the date of
first service delivery, including service delivered electronically.
A health care provider whose first treatment encounter with a patient
is over the telephone may satisfy the notice requirement by mailing
it to the individual no later than the day following the telephone
conversation. HHS recommends that the notice include a tear sheet
or other document that requests an acknowledgement be mailed back
to the provider. If the individual chooses not to mail the acknowledgement
back, the provider has made the necessary effort. If the health
care provider's initial contact with the patient is simply to schedule
an appointment, the notice and acknowledgement requirements may
be satisfied when the patient arrives for the appointment.
HHS responded to concerns of many providers and health
plans that the required notice of privacy practices was so long
that it was unfriendly to patients and consumers. The preamble explicitly
allows use of a "layered notice." This is a short, summary notice
that is placed on top of a longer notice containing all the required
notice elements. Indeed, HHS encourages covered entities to use
layered notices, though it does not require their use.
DISCLOSURES TO ANOTHER ENTITY FOR PAYMENT & OPERATIONS
The final rule permits covered entities to disclose
PHI to other covered entities and to any provider (whether covered
or not) for use by the recipient for treatment. Prior to the amendments,
however, the regulation generally precluded disclosure for use by
the recipient for payment or other operational purposes. The amendments
create some flexibility here, although disclosure for these purposes
is still restricted. In particular, disclosure for operational purposes
requires that both the disclosing and the receiving entities have
a relationship with the individual whose information is being exchanged.
For payment, the amendments allow a covered entity
to disclose PHI to another covered entity or any health care provider
(whether or not a covered entity) to assist the recipient in obtaining
payment. These disclosures would still be subject to the minimum
necessary standard. HHS gives the example of an ambulance company
that has transported a patient to a hospital's emergency room. It
may not be practical for the ambulance company to request the patient's
billing information during transport, so the company must obtain
the information from the hospital. The amendments allow the hospital
to disclose the patient's PHI to the ambulance company as necessary
for it to obtain payment.
For health care operations, the amendments allow
a covered entity to disclose PHI to another covered entity for limited
operational purposes of the recipient if two conditions are met:
First, both covered entities must have or have had a relationship
with the individual who is the subject of the information. Second,
the PHI must pertain to the recipient's relationship with the individual.
If these conditions are met, the PHI may be disclosed for the following
purposes: (i) the recipient covered entity's quality assessment
and improvement activities; population-based activities relating
to improving health or reducing health care costs; the recipient
covered entity's case management and care coordination; the recipient
covered entity's training programs; and the recipient covered entity's
accreditation, licensing or credentialing activities; or (ii) fraud
and abuse detection or compliance. Like disclosures for payment,
these disclosures are subject to the minimum necessary standard.
A covered entity that participates in an organized
health care arrangement (OHCA) may also disclose PHI about an individual
to another covered entity that participates in the OHCA for the
health care operations of the OHCA. Here the covered entity making
the disclosure does not need to have a relationship with the individual
in order to make the disclosure.
The final rule clarifies that "health care operations"
includes the sale, transfer, merger or consolidation of a covered
entity with another entity that is a covered entity, or will become
one upon completion of the transaction, and related due diligence
activities. Consequently, any transfer of records that contain PHI
also qualifies as a "health care operation," if the transfer is
part of such a transaction.
MINIMUM NECESSARY RULE
The final amendment takes the same approach to the
"minimum necessary" concept as generally proposed in March. Thus,
several minor modifications were adopted. In addition, HHS's commentary
emphasizes that minimum necessary is not intended to impede delivery
of health care, and is intended to offer covered entities flexibility
to tailor the rule to the circumstances of their particular operations.
At the same time, HHS's explanations in the preamble
probably create or enhance legal duties that covered entities need
to identify and keep in mind for risk management purposes.
The concept of minimum necessary is that covered
entities and their business associates should not use or disclose
protected health information beyond what is reasonably necessary
for the purpose of the use or disclosure. HHS's intent "is to make
covered entities evaluate their practices and enhance protections
as needed to limit unnecessary or inappropriate access to, and disclosure
of, protected health information." The rules also define exceptions
to this general principle.
For example, minimum necessary does not apply to
a covered entity's use or disclosure to another health care provider
for treatment purposes. However, it does apply to uses or disclosures
for payment and health care operations.
The final rule adopts the proposal that exempts from
minimum necessary restrictions all uses or disclosures for which
the covered entity receives an authorization from the individual
to whom the PHI pertains or the individual's authorized representative.
HHS emphasizes that any authorization must include a description
of the information covered "in a specific and meaningful fashion."
At the same time, the preamble notes that the final
rule does not require a covered entity to use or disclose PHI pursuant
to an authorization. Rather, says HHS, the covered entity's use
or disclosure is permissible. Thus, if the covered entity is concerned
that an authorization (HHS's example uses psychotherapy notes) is
not warranted or excessive, the covered entity may want to consult
with the individual to determine whether or not the authorization
is consistent with the individual's wishes. This language in the
preamble may in certain circumstances create a new duty of inquiry
on the part of covered entities. Failure to meet that duty may create
tort exposure under state law, in addition to a regulatory requirement
that HHS may enforce. The circumstances under which this additional inquiry
may be needed should be addressed in covered entities' policies
and procedures and in their notices of privacy practices.
There remains a special approach under minimum necessary
to disclosure of an individual's entire medical record for payment
or health care operations. The commentary in the preamble emphasizes
that covered entities should document the specific justification
for using or disclosing an entire medical record for these purposes.
The preamble also underscores that minimum necessary principles
are supposed to be consistent with, not in opposition to, professional
judgment, as reflected in each covered entity's policies and procedures.
The preamble notes that the privacy rule already
exempts from minimum necessary restrictions the required or situationally
required standard data elements in the HIPAA transaction and code
sets (TCS). However, the preamble emphasizes covered entities' duty
to make minimum necessary assessments for the optional data elements
in standard transactions. Usually, but not always, a provider may
rely on a payer's request for the data elements that the payer needs
to process a claim. HHS says, however, that the covered entity may
rely on the payer's request for information "if reasonable to do
so."
HHS offers two examples using a pharmacist and a
payer, which in one of the examples is a PBM, or pharmacy benefits
manager, to illustrate that a pharmacist may need to negotiate with
the payer to reduce the scope of the information that the payer
seeks, if the pharmacist thinks the request goes beyond what is
reasonably necessary for the payment processing. If this example
is extrapolated to health care payment generally, the need for evaluation
of payers' information requests under minimum necessary could be
a significant burden. Presumably, HHS's example is only intended
for a small set of exceptional cases. However, the preamble does
not say that.
Once again, the language in the preamble creates
a duty on the part of covered entities to identify situations where
they may need to exercise judgment and then to make an assessment
using "reasonable" criteria. This duty therefore must be addressed
by covered entities in their policies and procedures. Where there
are many provider-payer relationships, and a high TCS volume, this
process must be carefully managed in order to avoid delay and significant
transaction costs.
In a similar vein, the preamble emphasizes that a
covered entity may reasonably rely on a researcher's documentation
or on the representation of an IRB or privacy board regarding the
minimum necessary information requested for research purposes.
HHS also explains why the minimum necessary rule
will not interfere with disclosures for workmen's compensation purposes
under state law. Those disclosures will either be required by law
(and thus outside minimum necessary restrictions), or will be the
minimum necessary reasonably to comply with information requests
authorized, but not required, under a particular state's workmen's
compensation scheme.
HHS also notes that disclosures to financial institutions
for processing payment transactions are subject to minimum necessary
restrictions. While a covered entity is allowed reasonably to rely
on a financial institution's request for information, the covered
entity must make its own assessment of the minimum necessary information
necessary for the financial institution's purposes. Here again,
this may create a duty under state tort law in addition to a requirement
subject to HHS's administrative enforcement.
INCIDENTAL DISCLOSURES
Compliance with the Privacy Rule does not eliminate
every risk of incidental use or disclosure of PHI. The final amendment
follows the proposed rule by permitting some incidental uses and
disclosures, whether or not treatment-related, if they occur as
a by-product of a use or disclosure that is otherwise permitted.
For example, doctors' offices may use waiting room sign-in sheets,
hospitals may keep patient charts at the bedside, doctors can talk
to patients in semi-private rooms, and doctors can confer at nurses'
stations without fear of violating the rule if overheard by a passerby.
However, the covered entity must apply reasonable safeguards and,
where applicable, implement the minimum necessary standard. The
commentary to the final rule does not describe the kinds of safeguards
a covered entity is expected to implement to limit incidental disclosures.
In its 2001 guidance, HHS did describe several "reasonable
safeguards," suggesting, for example, that customers at pharmacies
should be asked to stand back from the counter when another patient
is being counseled; that curtains or screens should be added between
patient treatment areas where oral communications are common; and
that cubicles, dividers and other shields be installed in areas
where multiple patient-staff communications routinely occur. The
commentary to both the proposed and final rule emphasizes that erroneous
or careless disclosures are not excused. New commentary clarifies
that incidental disclosures do not need to be included in any required
accounting of disclosures. The commentary suggests that further
guidance may be forthcoming in response to frequently asked questions
or other materials addressing specific scenarios raised by the industry.
COVERED ENTITIES' EMPLOYMENT RECORDS
The final rule follows the proposed amendment by
excluding a covered entity's own employment records from PHI. However,
the rule does not explicitly define "employment records." Instead,
HHS recommends that a covered entity adopt a functional test, distinguishing
its role as an employer from its role as a health care provider.
If, for example, a hospital receives an employee's medical record
in the course of providing her with treatment, it does not matter
that the hospital happens to be her employer - her record is PHI.
If, however, the hospital employee submits a doctor's statement
to her supervisor to document her absence from work, the hospital
does not need to treat that statement as PHI. Other health information
that could be treated as employment related, and not PHI, includes
medical information that is needed for an employer to carry out
its obligations under the FMLA, ADA and similar laws, as well as
files or records related to occupational injury, disability insurance
eligibility, drug screening results, workplace medical surveillance,
and fitness-for-duty tests of employees.
LIMITED DATA SETS
The final rule adopts a new standard for certain
uses and disclosures of information that is not completely de-identified,
but which is contained in a "limited data set." A covered entity
may still rely on the existing methods of de-identification - using
a statistician to certify that the risk of re-identification is
very small, or removing specified identifiers. The final rule offers
the additional ability to use or disclose slightly more information
in a "limited data set," if the use or disclosure is for the purpose
of research, public health or health care operations, so long as
the set excludes 16 specified identifiers that are listed in the
rule, and the covered entity enters into a data use agreement with
the recipient of the limited data set.
A limited data set is PHI that excludes specific,
readily identifiable information, not only about the individuals
themselves, but also their relatives, employers, and members of
their households. The final rule specifies the 16 identifiers which
must be excluded.
To use or disclose a limited data set for the purpose
of research, public health or health care operations, a covered
entity must enter into a data use agreement with the recipient of
the information. The agreement may take the form of a formal contract
if the relationship is with a business associate, but a covered
entity that wants to create and use a limited data set for its own
research purposes, for example, could meet the standard by requiring
members of its workforce to sign a confidentiality agreement. The
format of this agreement is not specified. However, the agreement
must meet detailed requirements similar to those of a business associate
agreement, including specifying permitted uses and disclosures,
identifying who may use or receive the limited data set, and restricting
further use and disclosure.
Disclosure of PHI in a limited data set need not be
included in any accounting of disclosures provided to the individual.
BUSINESS ASSOCIATE AGREEMENTS
The privacy rule permits a covered entity to disclose
protected health information to a business associate who performs
a function or activity on behalf of the covered entity that involves
the creation, use or disclosure of protected health information,
so long as the covered entity enters into a contract with the business
associate containing specific safeguards. There has been widespread
concern that the April 2003 compliance date of the final rule does
not provide enough time for large organizations to reopen and renegotiate
their agreements with business associates.
In response to this concern, the amendments allow
covered entities to continue to operate under existing contracts
with business associates for up to one year beyond the April 14,
2003 compliance date. This transition period is available to a covered
entity if it has an existing contract or other written arrangement
with a business associate, and the contract is not renewed or modified
between the effective date of the proposed rule and April 14, 2003.
A covered entity's contract with a business associate would be deemed
to be in compliance with the privacy rule until the sooner of (i)
the date the contract is renewed or modified after April 14, 2003 or
(ii) April 14, 2004.
The transition period for business associate contracts
does not apply to small health plans, which are not in any event
required to comply with the privacy rule until April 14, 2004. The
transition period for entering into business associate contracts
also does not apply to (i) oral contracts or other arrangements
not reduced to writing and (ii) new written contracts entered into
after April 14, 2003. The fact that an automatically renewing or
"evergreen" contract becomes eligible for extension during the transition
period does not require the covered entity to renegotiate the contract
to include business associate provisions.
An appendix to the proposed rule offers model business
associate contract provisions to assist covered entities in meeting
their compliance obligations under the business associate rules.
USE & DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR MARKETING
The current rule permits covered entities to use
PHI for marketing without a specific patient authorization in limited
circumstances: in face-to-face encounters, for products and services
of nominal value, and for health-related services if certain conditions
are met.
In line with the proposed amendments, the final rule
continues to permit the first two activities - marketing in face-to-face
encounters, and the giving of promotional gifts of nominal value.
The use of PHI for other marketing activities, however, will now
require patient authorization. Certain communications relating to
treatment and health plan coverage are excluded from the definition
of marketing, and therefore do not require authorization.
The final amendments clarify that what constitutes
marketing is not determined by the author's intent - it is any communication
about a product or service that, on its face, encourages the recipients
of the communication to purchase or use a product or service. However,
marketing does not include communications to an individual for treatment,
case management or care coordination, or to direct or recommend
alternative treatments, therapies, health care providers, or care
settings.
Covered entities may also use PHI to communicate
with beneficiaries and members about health insurance products offered
by the covered entity that could enhance or substitute for existing
health plan coverage. This includes communications that describe
a health-related product or service, or the payment for such a product
or service, that is provided by the covered entity or included in
its plan of benefits.
Under this exemption, a health plan is not engaging
in marketing when it advises its enrollees about other available
health plan coverage that could enhance or substitute for existing
health plan coverage. For example, if a child is about to age out
of coverage under a family's policy, this provision will allow the
plan to send the family information about continuation coverage
for the child.
A health plan is also not engaging in marketing when
communicating about health-related products and services available
only to plan enrollees or members that add value to, but are not
part of, a plan of benefits. To qualify for this exclusion, a value-added
item or service must meet two conditions. First, the value-added
item or service must be health related. Second, it must add value
to the plan's membership alone, rather than being a pass-through
of a discount or item available to the public at large.
PARENTS AS PERSONAL REPRESENTATIVES OF MINORS
The privacy regulation generally gives control of
an unemancipated minor's health information to the parent, guardian,
or person acting in loco parentis. The amendments modify the rule
in three situations: (1) where state or other law expressly identifies
the parent's or child's rights; (2) where state or other applicable
law is silent and the parent is the personal representative of the
minor; and (3) where state or other applicable law is silent and
the parent is not the personal representative of the child.
Where state or other applicable law expressly identifies
the parent's or child's rights to access or control the minor child's
records, that law governs. Thus, if state law (statutory or court-made)
permits the child to obtain health care without parental consent,
e.g., testing for HIV status, it is the minor who may exercise the
privacy rights accorded under HIPAA. The minor also has control
over his or her records when the parent has agreed to the child's
obtaining confidential treatment. If state law gives the provider
the discretion to determine access or control of the minor child's
records, HIPAA will not override this. The provider will continue
to make such decisions using his or her best professional judgment.
Where state or federal law is silent on a parent's
right to access or control a minor child's protected health information,
parents stand in the shoes of the minor child. Thus, parents will
generally be able to access and control the health information about
their children. State law will determine whether a parent is a personal
representative of a child. The privacy regulations express an intent
not to interfere with state or other applicable law relating to
competency or parental rights.
Where a parent is not a child's personal representative,
the final amendment provides that a covered entity may provide or
deny access to a parent as long as this discretion is permitted
under state or other law, and the decision to permit or deny access
is made by a licensed health care professional in the exercise
of his or her professional judgment. Where state law is silent,
this provision does not give the parent who is not the personal
representative a right to demand access to protected health information.
Finally, in all cases, disclosure of the child's
protected health information will be permitted or denied if disclosure
or denial is necessary to avert serious or imminent threat to the
health or safety of the minor child.
USE & DISCLOSURE FOR RESEARCH
Authorizations: Under the final rule, a single set
of authorization requirements applies to all uses and disclosures
requiring an authorization, including those for any research purpose.
As in the proposed rule, there is no distinction between research
that does or does not include treatment except that the provision
of treatment may be conditioned on the subject's signing an authorization.
By way of an exception to the general rule forbidding compound authorizations,
authorizations for research may be combined with an informed consent
to participate in the research study, another authorization, or
any other legal permission related to the research.
The final amendments make a significant change regarding
the requirement that authorizations specify an expiration date or
event. In the proposed rule, "end of research study" or the equivalent
could be used for research, and "none," or similar language, could
be used for research that involved disclosure of PHI for the creation
or maintenance of a research database or repository. In the final
amendments "none" may be used in authorizations for any research
study, as long as the authorization includes a statement that the
authorization will have no expiration date.
In the preamble to the final amendments, HHS rejected
a proposal for blanket authorizations to cover future, unspecified
research and explicitly retained the requirement that an authorization
be obtained for each use or disclosure of protected health information
for research purposes.
Waivers: The final rule adopted the three criteria
previously proposed that an IRB or Privacy Board must use in approving
requests for a waiver of authorization for research. Under the final
rule, to qualify for a waiver of written authorization:
- the use or disclosure of protected health information involves no more than minimal risk to the privacy of the individual;
- the research could not practicably be conducted without the waiver or alteration; and
- the research could not practicably be conducted without access to the protected health information.
In performing the 'minimal privacy risk' analysis,
IRBs or Privacy Boards must consider whether there is:
- an adequate plan to protect the identifiers from improper use or disclosure;
- an adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law or is justified by research or health issues; and
- adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization.
HHS rejected criticisms that the waiver provisions
will be difficult to implement because the criteria are too subjective
and IRBs or Privacy Boards do not have the necessary expertise in
performing privacy risk analyses. According to HHS, because HIPAA's
waiver criteria are similar to the Common Rule's, IRBs and Privacy
Boards are experienced in making minimal risk determinations that
include weighing risks to subjects' privacy. Nonetheless, HHS indicated
it will respond to reports of actual problems and provide guidance,
as necessary.
Subject's rights: Under the final rule, disclosure
of PHI pursuant to an authorization is exempt from the general requirement
that covered entities, on request, provide individuals an accounting
of disclosures made during the previous six years. However, an accounting
is required for research disclosures obtained under either a waiver
of authorization or one of the two research exceptions to the authorization
requirements - reviews preparatory to research and research on decedents.
HHS rejected proposals to exempt all research disclosures from the
accounting requirement but did provide a simplified accounting procedure
for large research studies to decrease the administrative burden
on researchers. For studies that involve at least 50 individuals
whose PHI is disclosed pursuant either to a waiver or an exception,
the accounting need only include a list of all research protocols
under which a subject's PHI may have been disclosed and the name
and contact information of the researcher to whom the disclosure
was made. HHS also clarified that an accounting is not required
for disclosures of PHI contained in a limited data set.
The final rule does not change the right of an individual
to revoke his or her authorization, except to the extent that the covered entity has
already acted in reliance on the authorization. In response to concerns
that a subject's right to revoke an authorization will compromise
the integrity of research studies, HHS declined to change the revocation
provision but did significantly clarify its application. In the
preamble, HHS clarified that under the revocation provision, covered
entities may continue to use or disclose PHI collected prior to
the revocation and pursuant to an authorization as necessary to
maintain the integrity of the research study. Examples of permitted
disclosures include submissions of marketing applications to the
FDA, reporting of adverse events, accounting of the subject's withdrawal
from the study and investigation of scientific misconduct.
Subject recruitment: A number of new provisions in
the final rule and clarifications by HHS in the preamble to existing
provisions affect the recruitment of research subjects. Despite
comments to the contrary, HHS clarified that recruitment of subjects
for research is "research" - not health care operations or marketing
- and is subject to the general authorization requirements. Furthermore,
because development or use of research databases falls within the
definition of "research," a covered entity may disclose PHI in a
database to sponsors for subject recruitment only pursuant to an
authorization or a waiver.
However, neither an authorization nor a waiver is
required to disclose PHI contained in a limited data set. Thus,
limited data sets will make it easier to create databases of potential
subjects that can be mined for particular clinical trials. There are,
however, two important limitations on the use of PHI in
a limited data set for subject recruitment. First, the PHI in a
limited data set may not be used to contact subjects. Second, because
telephone numbers, Internet Protocol (IP) addresses, and email addresses
are not part of a limited data set, this information may not be
collected by covered entities from prospective subjects through interactive
websites advertising clinical trials.
WRITTEN AUTHORIZATIONS
HHS has made several changes to the authorization
requirements where use or disclosure is not otherwise permitted.
Authorizations may contain additional material beyond what is required,
as long as it is consistent with the required language. An authorization
is not valid if the covered entity knows it has expired or been
revoked or contains materially false information, or if it lacks
essential information.
Generally, authorizations may not be combined with
other documents, except related consents for research-related treatment.
However, two or more HIPAA-required authorizations may be combined,
except if one of them is for psychotherapy notes, or if one of them
is a condition for the provision of services.
Previously, only research-related services could
be conditioned on the provision of an authorization for the use
or disclosure of PHI. The amendments add two more circumstances
in which a covered entity can condition services on the provision
of an authorization: a health plan may condition enrollment on the
prospective enrollee's providing an authorization for the plan's
underwriting activities; and any covered entity may condition services
on an authorization if the services are being provided for the purpose
of generating information for disclosure to a third party.
The final amendments implement the previously proposed
changes that standardize the core provisions in authorization forms,
to simplify the document and reduce the need to maintain different
forms.
DISCLOSURES OF ENROLLMENT & DISENROLLMENT BY GROUP HEALTH
PLANS
The final rule follows the proposed rule by clarifying
that group health plans are permitted to share enrollment and disenrollment
information with plan sponsors without amending plan documents, as
is necessary to share information for broader purposes. This policy
was stated in the preamble to the original privacy rule, but not in the regulation
itself. To make the policy clear, the amendments add an explicit
exception providing that group health plans (and health insurance
issuers and HMOs) are permitted to disclose enrollment or disenrollment
information to a plan sponsor without meeting the plan document
amendment and other related requirements.
HYBRID ENTITIES
A covered entity that performs non-covered functions
must designate its health care components to ensure that only those
portions of its activities are subject to the privacy rule. The
final rule leaves intact the simplified definition of "health care
component" and the more detailed definition of "hybrid entity,"
proposed in March. As a result, it does not matter whether a covered
entity's non-covered functions are its primary activity or just
a small part of its operations: any covered entity that performs
both covered and non-covered functions and that designates health
care components is a hybrid entity and must adequately separate
its health care functions, which are subject to the privacy rule,
from its other components, which are not. Designation remains voluntary;
however, if a covered entity does choose to designate health
care components, it must include any component that would meet the
definition of a covered entity if it were a separate legal entity.
FOR FURTHER INFORMATION, PLEASE CONTACT THE AUTHORS:
Rachel Glitz, (415) 276-6537, rachelglitz@dwt.com
Carol Pratt, (503) 778-5279, carolpratt@dwt.com
Paul T. Smith, (415) 276-6532, paulsmith@dwt.com
Rebecca L. Williams, (206) 628-7769, beckywilliams@dwt.com
Joan Wilson, (907) 257-5337, joanwilson@dwt.com
This Health Law Advisory is a publication of
the Health Law Group of Davis Wright Tremaine LLP. Our purpose in
publishing this Advisory is to inform our clients and friends of
developments in health care law. It is not intended, nor should
it be used, as a substitute for specific legal advice as legal counsel
may only be given in response to inquiries regarding particular
situations.