The Department of Health and Human Services (“HHS”) issued comprehensible, no-surprises guidance under the final HIPAA privacy rule that went into effect on April 14, 2001. From the perspective of all but the health care provider community, the guidance was pretty much a nonevent; HHS addresses issues that are primarily of relevance to providers. If there is a message that resonates with all covered entities under the rule, it is that the sky is not falling and a rule of reason will be the Government’s compliance mantra. On the other hand, covered entities (and others affected by the rule) should not hold out hope that the rule will still change in any significant way. Any implementation activities delayed on that basis should now move forward.
The absence of any real policy change in the guidance was widely expected. When HHS reopened the comment period earlier this year, there was initial widespread speculation (fueled to some degree by the new administration) that the Bush administration would delay the rule’s effective date and go back to the drawing board on some of the more controversial issues. The issues thought likely to be revisited included preemption of state laws, “minimum necessary” use and disclosure, the need for business associate contracts, and oral versus electronic transmission of data. This speculation was short-lived. Although HHS Secretary Tommy Thompson simultaneously allowed the rule to go effective on April 14 and promised soon to issue guidelines and/or modifications, the most knowledgeable observers doubted he would support any modification without following the notice and comment requirements of the Administrative Procedure Act (“APA”). This collective wisdom was right. The July 6 guidance clarifies several controversial provisions and only portends modifications (that will be made in accordance with the APA) in at least four areas. These planned modifications are at the margin of the rule and will have no significant effects on implementation efforts.
Guideline Overview – Plenty for Providers but Only Snippets for the Rest of the Health Care Community
Much of the guidance addresses “common sense” interpretations of the privacy rule in the context of a debate that has, on occasion, focused on extreme views. Overall, there is little that is new. As anticipated, HHS does not address some of the more controversial provisions of the rule, such as a parent’s guaranteed access to a child’s health records and the perimeters of “minimum necessary,” both of which it now intends to address through rule modification. It is also silent on the preemption of state laws.
For health plans, the guidance is of much more limited relevance than for providers. But one key message should be heard by all covered entities, not just providers: the guidance stresses the reasonableness of compliance efforts by covered entities. In the minimum necessary discussion, for example, HHS states that covered entities have “substantial discretion” in implementing the minimum necessary standard and may rely on “standard protocols” for routine disclosures. Further, this standard “is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to [protected health information]. It is intended to reflect and be consistent with, not override, professional judgments and standards.” Although the guidance focuses on “disclosure” versus “use” of protected health information, it implies that covered entities will be required to be reasonable in all their actions, not adhere to wooden absolutes. Thus, HHS is unlikely to nitpick a covered entity’s implementation of the rule or its day-to-day operation under the rule, where its actions are “reasonable” for a covered entity of its size and sophistication.
In terms of actual guidance for health plans, there are a few items of interest. First, the overlap between “treatment, payment and health care operations” (“TPO”) and “marketing” is discussed with a clarification that certain marketing communications must receive an authorization (or at least an opt-out opportunity) even if they also fit within payment or health care operations. Thus, if an action constitutes both marketing and health care operations, the health plan must meet all HIPAA requirements concerning marketing communications.
Second, the guidance arguably “clarifies” that when a health plan must obtain protected health information from a provider to complete certain Coordination of Benefits (“COB”) or third-party payer transactions, the health plan must first receive the patient’s authorization. HHS explains that since “the provider’s disclosure is for the TPO purposes of the plan [and not the provider], it would not be covered by the provider’s consent” obtained from the same patient. Putting aside the question of how often this COB fact pattern actually arises, to many this clarification seems more like a misreading of the final rule. For example, some believe that the rule provides that if the consent given to the provider relates to TPO, it does not matter if it is for the purposes of the TPO of the provider or the TPO of the plan. However, the rule and preamble appear silent on this issue, leaving one to ask if HHS has inadvertently modified the rule. Clearly, the ramifications for other TPO issues are great.
Modifications on the Way
Although HHS states in the guidance that it “continues to review the input received during the recent public comment period to determine what changes are appropriate to ensure that the rule protects patient privacy as intended without harming consumers’ access to care or the quality of that care,” it gives four examples of standards in the rule “for which we will propose changes.” Again, no surprises. They are:
- Phoned-in Prescriptions – to permit pharmacists to fill prescriptions phoned in by a patient’s doctor before obtaining the patient’s written consent
- Referral Appointments – to permit direct treatment providers to schedule appointments and procedures with a referral patient before obtaining the patient’s signed consent
- Allowable Communications – to expressly permit a covered entity to engage in any communication required for quick, effective, high quality health care, including calling out a patient’s name in a waiting area
- Minimum Necessary Scope – to expressly permit common provider practices such as sign-up sheets and maintenance of patient medical charts at bedside
In addition, HHS notes that it “may” reevaluate the privacy rule to ensure that parents have appropriate access to information about the health and well-being of their minor children. Specifically, HHS is referring to two exceptions to a parent’s right of general access to such information: (1) when the parent agrees that the minor and the provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement; and (2) when the provider reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the provider is permitted not to treat the parent as the personal representative with respect to health care information.
The focus of the guidance and the areas of the privacy rule HHS has earmarked for modification signal that HHS is planning no major changes to the rule. And like the guidance, any changes probably will have limited effect on the health plan community in particular. Health plans should, accordingly, continue their compliance efforts based on the rule as issued. And, as HHS has proven time and again, promised regulations or guidance are rarely released on schedule.
The only remaining hope for opponents of the rule, but an unlikely one at that, may be a court victory by a group who filed a challenge to the Administrative Simplification provisions of HIPAA, and the privacy regulations, largely on constitutional grounds, on July 16, 2001, in Federal Court in Columbia, South Carolina.
Summary of Q’s and A’s
In a question and answer format, HHS responds to a number of Frequently Asked Questions (“FAQs”) received during the comment period. HHS groups the FAQs and answers in 9 categories, for which we offer highlights:
- Consent: Providers need to obtain a patient’s written consent only once. That consent may be general and nonspecific but a notice of privacy practices must precede it. Providers may not use protected health information to set up appointments or procedures before receiving consent. As the rules currently stand, pharmacists may not fill phone-in prescriptions before obtaining consent from a new customer, but HHS has identified this provision for modification. Pharmacists may give advice on over-the-counter drugs. Family and friends may pick up prescriptions for patients if they are involved in the patient’s care. Finally, revocation of consent must be in writing.
- Minimum Necessary: A covered entity must make reasonable efforts to limit use and disclosure of and requests for protected health information to the minimum necessary to accomplish the intended purpose. Disclosures for treatment purposes between providers are exempted, as are disclosures to third parties that are authorized by the individual.
- Oral Communications: Private rooms and soundproofing walls are not required. Covered entities need not provide individuals with logs of oral communications in which their protected health information was discussed.
- Business Associates: The privacy rule does not pass through its administrative requirements to business associates. So, a business associate need not appoint a privacy officer or develop policies and procedures unless it agrees to do so under contract with the covered entity. A business associate must advise its covered entity when it violates a term of the contract.
- Patients and Minors: The privacy rule does not address consent to treatment (only access to health information), nor does it preempt state law that addresses consent to treatment. Generally, a parent can get all information about a child’s treatment and condition after the child receives emergency medical care without a parent’s prior consent.
- Communications and Marketing: The privacy rule does not otherwise expand a provider’s ability today to use protected health information to market goods and services to patients. Marketing does not include a covered entity’s disclosure of its participating providers or network plans, the services offered by a provider, or the benefits covered by a health plan. A covered entity may use or disclose protected health information to create or make a marketing communication – based on any applicable consent but without authorization only if (A) the communication (1) is face-to-face, (2) involves free products or services of nominal value, or (3) concerns health-related products and services (of either the covered entity or a third party); (B) the marketing identifies the covered entity that is responsible for the marketing; and (C) the individual is offered an opportunity to opt-out of further marketing. Whether disease management and preventive care fall under marketing will depend on the specifics of how the activity is conducted. Finally, covered entities cannot permit business associates to use protected health information for their own purposes absent authorization.
- Research: Where both the privacy rule and the Common Rule apply, both regulations must be followed. The rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both, before a covered entity may disclose protected health information without authorization.
- Restrictions on Government Access: The privacy rule has not expanded the Government’s access to protected health information and, in fact, limits law enforcement access to a greater degree than currently exists today. If subject to the federal Privacy Act and the privacy rule, one must comply with both.
- Payment: The rule does not prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act.
On a procedural note, HHS has now fully embraced FAQs as a preferred means of disseminating HIPAA guidance. HHS announced in the guidance that the HHS Office of Civil Rights (“OCR”) will provide assistance to covered entities as they prepare to comply with the rule through additional FAQs to be posted on OCR’s website (see http://www.hhs.gov/ocr/hipaa). HHS posts FAQs for the HIPAA Standards for Electronic Transactions at http://www.aspe.hhs.gov/admnsimp/.
Above article published on
http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=4&id=3248
Posted August 10, 2009 by admin under Electronic Prescription
