The Clinton Administration gave healthcare providers and their associates an early Christmas present this year. The "final" privacy regulations, required under the Health Insurance Portability and Accountability Act ("HIPAA"), were formally released on December 20, 2000 by President Clinton at a ceremony at DHHS in Washington, DC. The regulations were published in the Federal Register on December 28, 2000 and become effective 60 days later. All covered entities must be in compliance with the final rule by February 26, 2003. These regulations were part of a large group of new regulations issued by the outgoing administration late in 2000. In addition to releasing the final regulations, President Clinton issued an Executive Order, dated December 29, 2000, which prohibits federal law enforcement agencies from re-using "protected health information" discovered during governmental health oversight activities under HIPAA for "unrelated civil, administrative, or criminal investigations of a non-health oversight matter" except under limited circumstances. This Executive Order extends some of the HIPAA privacy restrictions to entities which do not meet the HIPAA definition of "covered entity", including Federal officials who gain access to protected health information during those oversight activities required under the HIPAA regulations. The Executive Order states that protected health information covered by the Order may not be re-used or re-disclosed except where the Deputy Attorney General determines that, on a balancing of interests test, the balance of relevant factors and interests (such as public health and safety versus patient privacy) weighs "clearly" in favor of its use. When the Deputy Attorney General authorizes use of the information, he/she must "impose appropriate safeguards against unauthorized use". In issuing this Executive Order, President Clinton noted that federal legislation would be needed to expand protection of health care information further. 
Background of the Final Rule

The proposed privacy regulations, published in early 1999, generated more than 52,000 comments from both the provider and the consumer communities. As noted in the preamble to the final regulations, these comments covered a wide range of opinions. Some comments from providers took the position that the proposed regulations are too burdensome and go too far in restricting the disclosure of health information. Many consumers, on the other hand, commented that the proposed regulations don't go far enough in protecting the patient's right to privacy. DHHS spent the last year and a half reconciling the concerns of all of the interested parties in the issue of access to, and disclosure of, health care information. According to the preamble to the final regulations, this final rule "establishes for the first time a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care". It is important to remember that, while these regulations set a federal standard, they clearly do not preempt any state or local laws or regulations that are more stringent, or which provide privacy protections beyond those covered within the regulations. The final regulations become effective 60 days after their publication in the Federal Register. Covered entities must be in compliance with the regulations 24 months after the effective date (except for "small health plans", which must be in compliance 36 months after the effective date).

In this two-part article we will discuss the major provisions of the final regulations, and how those provisions will affect both providers and consumers. In Part I we will review the major changes that were made from the proposed regulations to the final rule, and discuss some of the major terms and their definitions contained in the regulations. It will be important for all covered entities to understand these terms when implementing their privacy programs. In Part II (to be published in next month's Pastin Report) we will discuss the many policies, procedures and operational changes that most covered entities will need to undertake in order to be in compliance with the final regulations in two years. If you wish to read the regulations in their entirety (including the preamble discussion of public comments to the proposed regulations), they can be found at the following: http://aspe.os.dhhs.gov/admnsimp/.

Some Major Changes From the Proposed Regulations

In response to a number of comments, DHHS made some significant changes in the regulations, including the following:

1. The draft regulations mandated certain privacy protections for "individually identifiable health information" that was, or had been, transmitted in electronic form. The final regulations go further, and apply to medical information (that meets the regulatory definition of "individually identifiable health information") in any form, including paper documentation and oral communications. DHHS determined that the draft regulations were too limiting in applying only to electronic information. This change means that applicable entities will have to implement broad-based privacy policies and procedures covering virtually all patient information.

2. The final regulations require that in most instances the health care provider "who has a direct treatment relationship with a patient" must obtain the patient's consent to "use and disclose" protected health information even for treatment, payment and health care operations. This is a major change from the draft regulations, which allowed the provider to use and disclose protected health information for those same purposes without the express consent of the patient.

3. The final regulation changes the proposed term "business partner" to "business associate", and clarifies when such a business associate is subject to the covered entity's privacy restrictions. Under the final rule, the business associate must abide by the mandated privacy protection if its performance of a service "involves the disclosure of protected health information by the covered entity to the business associate". The draft regulations had proposed extending the privacy requirements to any "business partner" when, as a part of the business relationship, protected health information was disclosed or used so that the partner could "act on behalf of the covered entity".

4. The draft regulations had limited disclosure to health care providers involved in a patient's care regimen to the "minimum necessary". Due to many comments which found this far too limiting for quality health care, DHHS modified the final regulations to allow disclosure of a patient's complete medical record to his/her providers for purposes of treatment. However, the regulations do require health care facilities to designate which clinical staff members have authorization and need to have such full access.

5. The final regulation deleted a provision that had, under the proposed regulations, made the patient a "third party beneficiary" of any agreement between the covered entity and the business partner/associate. It is important to note that there is no private right of action under HIPAA, or these regulations, which would give the individual the right to seek personal damages for a violation of the privacy protections.

6. In the preamble to the final regulations, DHHS clarified the distinction between the term "consent" and the term "authorization". Consent as used in Section 164.506 of the regulations means the "process by which the covered entity seeks agreement from the individual regarding how it (the entity) will use and disclose the individual's protected health information for treatment, payment and health care operations" purposes. Authorization, on the other hand, means an "agreement to use or disclose protected health information for purposes (other than under consent) or to authorize another covered entity to disclose health information to the requesting covered entity". It is important to understand that, for purposes of these privacy regulations, the term "consent" does not mean an agreement by a patient to accept treatment (as in "consent to treat"). These regulations apply only to the use and disclosure of protected health information.

7. When DHHS issued its proposed regulations last year, the Secretary included sample forms that providers could use to obtain authorization from a covered individual to release information. In the final rule, DHHS has chosen not to include any sample forms, although it may publish forms at a later date. For now, it will be up to the provider community to create its own authorization forms.

8. The final regulations contain a new provision, Section 164.522(b), which addresses the issue of confidential communication by covered entities. This provision allows an individual to request that the covered entity communicate all health information to the individual at a location other than his/her normal home address, and that the entity use a means other than traditional mail or a telephone call to the individual's home. This provision is designed to allow the individual to direct all such communication to a location that is private. This would, for example, allow a victim of domestic abuse to direct all communication concerning health care information to the victim at her office, or to a neighbor's or relative's home, so that the alleged abuser would not have access to the information. Providers will have an absolute responsibility to meet the individual's request under this provision; the requirement for health plans is less.

9. Many comments to the proposed regulations questioned whether a Foundation would be able to access patient information in order to solicit fundraising donations. In response to these concerns, DHHS has added a new provision concerning this issue. Section 164.514(f) allows a covered entity to use or disclose to an "institutionally related foundation" certain information for the "purpose of raising funds for its own benefit" without obtaining specific authorization from the individual. The information that may be disclosed is demographic information about the individual, and the dates that the individual received health care. The covered entity may not disclose actual healthcare or treatment information without the patient's authorization, and the individual has the right to "opt out" of the disclosure of any information under this provision. In addition, any fundraising solicitation must include information telling all individuals of their right to prohibit disclosure of any information under this provision, if that is the individual's wish.

Terms You Need to Know

The final regulations contain dozens of terms and definitions which govern the activity covered and requirements mandated by the final rule. The following are some of the more significant terms that every covered entity will need to know and understand in order to be in compliance with the regulations. This is not a complete list, and does not contain all of the language found in the actual regulation. Every Compliance Officer is encouraged to read the final regulation in its entirety in order to implement all applicable requirements within their organization.

Business Associate means a person (or organization) who "performs, or assists in the performance of" any activity on behalf of a covered entity that involves the use or disclosure of "individually identifiable health information", or provides "legal, actuarial, accounting, consulting, data aggregation ... management, administrative, accreditation, or financial services" for a covered entity during which such protected information may be disclosed. An employee of a covered entity who may perform these types of services is not considered a "Business Associate" under the regulations.

A Covered Entity under these regulations is a health care provider, a health plan and/or a health care clearinghouse.

A Disclosure under the regulation is defined as the "release, transfer, provision of access to, or divulging in any other manner" of information protected under the regulation.

A Health Plan means any individual or group plan (such as insurance, Medicare or other federal health care program, managed care, employer or union plan, etc.) that provides or pays for the cost of medical care. The regulations include a long list of examples of what is, and what is not, a Health Plan.

Health Care is defined as any care, services or supplies related to the treatment of an individual patient. It is important to note that the definition includes the dispensing of medications and the provision of medical equipment or devices designed to treat the health of the individual.

A Health Care Clearinghouse is an entity, including a billing company, re-pricing company, health management information system or community based information program, that "processes or facilitates the processing of health information" from one entity to another.

The term Health Care Operations is an important one; it means any activity of a covered entity that involves activity protected by the regulation. There is an extensive list in the regulations (at Section 164.501) of the types of activities included in this definition, which you should read carefully. Some of the activities which may be conducted without the patient's express authorization include: quality assessment and improvement; case management; peer review; clinical training programs; underwriting and insurance rating; legal services and auditing functions; investigation of possible fraud and abuse; business planning and development; internal grievance procedures; due diligence; and fundraising activities as described within the regulation.

Under the final regulations, a Health Care Provider means a provider of any medical or health services, or any person or entity that furnishes, is paid for or bills for health care services "in the normal course of business". This is a very broad term and covers many types of entities that are involved in the provision of health care.

One definition that has undergone significant change from the proposed regulations is that of Health Information; under the final regulations, this term means "any information, whether oral or recorded in any form or medium" that is "created or received" by a provider, institution, employer, insurer, health care clearinghouse (or other entity described in the regulation) relating to the past or current medical or mental condition of a patient and/or health care provided to the individual, or the past, present or future payment for such health care.

Another of the key terms is Individually Identifiable Health Information, defined as health information "including demographic information collected from an individual" that is created or documented by a health care provider or clearinghouse relating to the past or present medical or mental health condition of the individual and/or any health care treatment provided to that individual, which either identifies the individual or could be reasonably believed to identify the individual.

Protected Health Information means any "individually identifiable health information" that is transmitted via electronic media, maintained in electronic format or medium, or "transmitted or maintained in any other form or medium", unless specifically excluded from this category under the terms of the regulation.

The final regulation makes a distinction between a health plan and a Small Health Plan, which is defined as a health plan with annual receipts of $5 million or less.

It is important to repeat that these are just a few of the many defined terms contained in the final regulations, many of which will have significant impact on entities' ability to achieve compliance. It is important therefore that all Compliance Officers read all of them very carefully. In Part II of this article we will discuss
some of the things health care entities will have to do in the
next two years to achieve compliance, including the adoption
of specific policies and procedures, system changes, and the
appointment of a Chief Privacy Officer and Contact Person. Some
of the more complex issues raised by these regulations include
the concept of "consent" where the patient may be incapacitated
and have no legal representative to act on his or her behalf;
the requirement that all providers have written guidelines concerning
their privacy policies which they must provide to all patients
at the time of treatment; the requirement that a provider be
able to provide an individual with a log of all disclosures made
of the individual's protected health information; and whether
certain activities that may have been "routine" within
a health care facility come under the health care operations
exception. We will discuss these, and other daunting questions
in Part 2 in next month's Pastin Report.

Geralyn Kidera, JD, is Senior Vice President of the Council of Ethical Organizations and Health Ethics Trust (SM), and can be reached at gkidera@corporateethics.com or 703-683-7916.

The material in this area is proprietary and protected by copyright registration to the Council of Ethical Organizations. Reproduction or dissemination by any means, including photocopying and transmittal by FAX, is a violation of federal copyright law (17 USC 101 et seq) punishable by fines of up to $100,000 per violation. Violators will be prosecuted. Do not copy, quote, duplicate electronically or by any means disseminate without specific written permission.