HIPAA Privacy Regulations: More Changes in the Works
By: RYAN S. JOHNSON & ELIZABETH R.G. SPOHN
On March 27, 2002, the Department of Health and Human Services (HHS) published proposed modifications to the HIPAA Privacy Rule. Along with the proposed modifications, HHS also published model language for business associate agreements. The 30-day comment period ended April 26, 2002 and HHS is now in the process of finalizing the modified Privacy Rule. While there is no target date for publication of the modified rule, and no certainty about what the rule will say, the proposed modifications would substantially alter several major aspects of the Privacy Rule, including the consent requirement and the use of authorizations for marketing and research.
Consent & Notice
The modifications would abolish HIPAA's consent requirement. Providers would no longer need an individual's written consent to use or disclose protected health information for treatment, payment or health care operations. State law, however, will often require consent, despite the potential change to HIPAA. While some advocacy groups object to this modification, arguing that it eliminates a patient's opportunity to consider and discuss a provider's privacy practices, many health care organizations welcome the change as an easing of the HIPAA administrative burden. The elimination of the consent requirement allows providers to use patient information to set appointments, advise patients over the phone, and fill prescriptions prior to seeing the patient in person. Providers must still give patients a written notice explaining their privacy practices at a patient's first face-to-face encounter with the provider, and the proposed regulations would require providers to document good faith efforts to obtain patients' written acknowledgement of receiving the notice.
The modifications clarify and expand the requirement of patient authorization for marketing. HHS makes clear that the definition of "marketing" does not include face-to-face communications with patients (such as a conversation in which a physician recommends the use of a medication to a patient), or communications designed to help manage a patient's treatment (such as information on disease management programs, appointment reminders, and prescription refill reminders). The proposed modifications would eliminate the disclosure and opt-out option previously available under the Privacy Rule, which would have allowed providers to market to patients without authorization as long as the communication made certain disclosures and gave the patient the option to opt out of future marketing communications. Under the proposed modifications, patient authorization would be required for all communications defined as "marketing," regardless of whether the provider was paid for the communication or the communication made the disclosures.
The proposed modifications to the Privacy Rule retain the prohibition against using protected health information for research purposes without a written authorization or a waiver approved by an Institutional Review Board or Privacy Board. However, the proposed modifications would make some research less onerous by eliminating the need for researchers to obtain multiple permission forms. Under the "old" rules, providers generally needed one form for a patient to consent to participate in the research study, and another related to the participant's privacy rights. The proposed modification would allow the HIPAA-required authorization to be combined with an informed consent for all types of research, not merely research that involves treatment of the individual.
Another proposed modification would change the criteria for obtaining waivers of authorization so that the Privacy Rule would more closely follow the requirements of the Common Rule, which governs federally funded research. Under the proposed modifications, the eight current criteria for waiver of a research subject's authorization would be reduced to three:
- the use or disclosure of protected health information must involve no more than minimal risk to the individual;
- the research could not practicably be conducted without the waiver or alteration of the authorization; and
- the research could not practicably be conducted without access to and use of the protected health information.
The proposed modifications would also allow covered entities to use and disclose protected health information for a specific research study that began prior to April 14, 2003 if the covered entity has obtained, prior to the compliance date, an authorization or other express legal permission from the individual authorizing the use and disclosure of protected health information in connection with the research study. The proposed modification responds to the research community's concerns that research would be disrupted and data would be lost if covered entities were forced to attempt to obtain consents to use archived information obtained or created prior to April 14, 2003. Again, however, keep in mind that state law provisions for research may be more strict about requiring consent than HIPAA would be.
It is impossible to know exactly what the finalized Privacy Rules will look like, or when they will be published, but the government is still standing by the April 14, 2003 compliance date. Covered entities should continue working towards HIPAA compliance, and wait for further updates on the proposed rules.