HHS Issues Final Modifications to the HIPAA Privacy Regulations

Alert
August 14, 2002

On August 9, 2002, the United States Department of Health and Human Services (HHS) released the long-awaited final rule modifying the existing privacy regulations promulgated under the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The HIPAA privacy regulations originally were issued as a final rule on December 28, 2000, took effect on April 14, 2001 (with a compliance date of April 14, 2003), and apply to health plans, health care clearinghouses, and most health care providers (“covered entities”). In March 2002, HHS proposed modifications to these regulations. After reviewing numerous comments raised by the health care industry and consumer advocates concerning the proposed modifications, HHS released the final rule modifying the existing privacy regulations on August 9, 2002, and will publish the new final rule in the August 14, 2002, Federal Register.

The August 2002 modifications to the existing regulations are summarized below for your information and reference. We note that the August 2002 final rule largely adopts the modifications proposed in March 2002. The August 2002 final rule adds provisions, however, relating to: (1) the creation and use of a limited data set for certain research purposes, public health purposes, and health care operations (provided that a “data use agreement” is obtained from the recipient), (2) a prohibition on the use of business associates to circumvent the marketing requirements, and (3) further modification to lessen the burden of providing an accounting of disclosures of an individual’s protected health information (PHI).

  • No Consent Required for Treatment, Payment and Health Care Operations. Under the existing regulations, covered entities that are health care providers with a direct treatment relationship are required to obtain from patients their written consent to the provider’s use and disclosure of their PHI for purposes of treatment, payment and health care operations. Under the August 2002 final rule, however, providers are no longer required to obtain patient consent. Rather, they simply must make a good faith effort to obtain from each patient an acknowledgment of receipt of the provider’s privacy notice not later than the first date the provider delivers services to the patient (except in emergency circumstances) and can then use or disclose PHI for purposes of treatment, payment and health care operations.
  • Incidental Disclosures. Under the existing regulations, covered entities generally are required to make reasonable efforts to use or disclose no more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure, and must implement reasonable safeguards to protect the privacy of PHI. The August 2002 final rule makes clear that providers will not be deemed to have violated the regulations by virtue of an “incidental disclosure” of PHI that occurs in the course of making a permissible use or disclosure. Thus, for example, so long as reasonable precautions are taken and the minimum necessary rule is followed (when applicable), doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nursing stations without fear of violating the rule if the PHI being communicated is seen or overheard by someone else who is in the room or passing by.
  • Disclosures of PHI for Payment or Health Care Operations of Another Entity. Under the existing regulations, a covered entity cannot disclose PHI in connection with another entity’s payment and health care operations (e.g., disclosure of a patient’s insurance information from a hospital to an ambulance company to enable the ambulance company to bill for its services). The August 2002 final rule, however, allows a covered entity to disclose PHI in connection with another entity’s payment activities and certain health care operations (e.g., QA/QI, population-based disease-management, cost-containment, case management, education/training, accreditation, certification, and licensing activities, as well as fraud and abuse detection and compliance activities). This is particularly helpful to hospitals and academic medical centers, which are permitted, under the August 2002 final rule, to share critical insurance and billing information with their attending physicians or faculty practice groups to help such physicians bill for services they render to patients in their private practice offices.
  • Single Authorization Form. The existing regulations set forth different requirements for authorization forms depending on the purpose of the disclosure being authorized. The August 2002 final rule will allow use of a single type of authorization form, thereby eliminating the need for covered entities to develop multiple authorization forms. Moreover, the August 2002 final rule exempts from the minimum necessary standard any uses or disclosures for which the covered entity has received an authorization. Minimum necessary requirements are still in effect to ensure an individual’s privacy for most other uses and disclosures of PHI.
  • Business Associate Agreements: One-Year Extension; Sample Language Provided. The existing regulations require a covered entity to include certain privacy-related provisions in its contracts with its business associates (persons or entities that provide services to or perform services on behalf of the covered entity involving the use or disclosure of PHI). The August 2002 final rule includes sample business associate contract provisions. In addition, HHS has granted covered entities (except small health plans) an additional year to amend their existing contracts with business associates to incorporate the required business associate contract provisions. Note, however, that this one-year “extension” only applies with respect to contracts that exist prior to October 13, 2002, the effective date of the August 2002 final rule. Further, if a contract with a business associate comes up for renewal or is modified (other than by an automatic mechanism such as an evergreen clause or escalator provision) between April 14, 2003, and April 14, 2004, at that time the contract also must be modified to include the required business associate contract provisions.
  • Marketing Rules Restructured. The August 2002 final rule simplifies the exception under the existing regulations for use and disclosure of PHI for marketing purposes. It generally requires covered entities to obtain individuals’ specific written authorization before using their PHI to develop or send out any marketing materials. The August 2002 final rule also strengthens the marketing language to make clear that covered entities cannot use business associate agreements to circumvent the rule’s prohibition on using PHI for marketing without patient authorization. The August 2002 final rule reiterates, however, that covered entities are free to communicate with patients regarding treatment options and other health-related information. HHS also explains in the preamble to the August 2002 final rule that covered entities, including hospitals and other health care providers, are permitted to use PHI to distribute materials describing their own products and services without obtaining the patient’s specific HIPAA authorization. An authorization also is not required for face-to-face marketing communications or marketing communications that involve a promotional gift of nominal value.
  • Disclosures Regarding FDA-Regulated Products and Services. The August 2002 final rule permits covered entities to disclose PHI, without a specific HIPAA authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products.
  • Removal of Barriers to Use and Disclosure of PHI for Research. The existing regulations prohibit covered entities from combining the authorization to use the patient’s PHI for research purposes with other research consents (e.g., informed consent). The August 2002 final rule permits use of a single combined form. It also simplifies the research provisions of the privacy regulations to follow more closely the requirements under the “Common Rule,” which governs federally funded research. In addition, the August 2002 final rule grants researchers the discretion to obtain research authorizations with no expiration date, and the August 2002 rule clarifies that when a research subject revokes his or her HIPAA authorization, the researcher may continue to use and disclose, for research integrity and reporting purposes, any PHI collected from the individual pursuant to that authorization before it was revoked. Finally, the transition provisions have been expanded to prevent needless interruption of ongoing research by providing that a covered entity need not obtain a HIPAA authorization, or an IRB or privacy board waiver of authorization, after the April 14, 2003, compliance date if the covered entity has obtained, prior to April 14, 2003, either: (1) an authorization or other express legal permission from an individual to use or disclose PHI for the research, (2) the informed consent of the individual to participate in the research, or (3) a waiver, by an IRB, of informed consent for the research in accordance with applicable federal regulations.
  • Use and Disclosure of Limited Data Set: Data Use Agreement Required. The August 2002 final rule permits the creation and dissemination of a limited data set (that does not include directly identifiable information) for research, public health, and health care operations. The August 2002 final rule, however, conditions disclosure of the limited data set on a covered entity and the recipient entering into a data use agreement, in which the recipient agrees to: (1) limit the use of the data set for the purposes for which it was given, (2) ensure the security of the data, and (3) not identify the information or use it to contact any individual.
  • Accounting of Disclosures: Additional Exceptions and Abbreviated Procedures. The existing regulations require a covered entity to provide to individuals an accounting of its disclosures of their PHI during the prior 6-year period other than disclosures to the individual, disclosures for purposes of treatment, payment, and health care operations, and certain other limited disclosures. The August 2002 final rule also excepts from the accounting requirement: (1) disclosures made pursuant to an individual’s authorization, (2) incidental disclosures, and (3) disclosures that are part of a limited data set. In addition, the August 2002 final rule provides an abbreviated approach for accounting for multiple research disclosures that includes providing a description of the research for which an individual’s PHI may have been disclosed and contact information.
  • Employment Records Generally Excluded. The August 2002 final rule adds an exclusion to the definition of PHI to clarify that it does not include employment records containing medical information, although information in employee health service files (e.g., results of a medical examination or test performed on an employee) will still be PHI subject to the HIPAA privacy regulations.
  • Election of Hybrid Entity Status. Under the existing regulations, an entity performing covered and non-covered functions whose covered functions are not its primary functions is a hybrid entity, and special rules apply to hybrid entities. Under the August 2002 final rule, an entity performing covered and non-covered functions may “elect” to be a hybrid entity. An entity electing to be a hybrid entity would have additional discretion with respect to designating its health care components that would be subject to the privacy standards, so long as any component that would be a covered entity if it were a separate legal entity is designated as part of the hybrid entity’s health care component(s).
  • State Law Governs Parental Access to Minors’ PHI. With respect to parental access to minors’ PHI, the August 2002 final rule clarifies that parental access to minors’ PHI is governed by state law. Where state law is silent, the August 2002 final rule permits providers to use their discretion to provide or deny a parent access to his or her minor child’s records.
  • Sale of Business. The August 2002 final rule clarifies that a covered entity may disclose PHI to a potential buyer in connection with the sale of the covered entity’s business as part of the covered entity’s “health care operations.”
  • Disclosures to Plan Sponsors. The August 2002 final rule clarifies that a group health plan or health insurance issuer may disclose enrollment or disenrollment information to a plan sponsor without amending the plan documents.
  • “Minimum Necessary” Standard as Applied to Workers’ Compensation Programs. The August 2002 final rule clarifies in the preamble that the minimum necessary standard is not intended to impede disclosures necessary for workers’ compensation programs.

While the August 2002 final rule lessens the overall compliance burdens facing health plans, health care clearinghouses, and covered health care providers, substantial challenges remain to be addressed before the April 14, 2003, compliance date, including development and implementation of appropriate written policies and procedures, effectuation of the privacy regulations’ individual rights provisions, and providing workforce training and education. Ropes & Gray continues to be at the forefront of working on these and many other HIPAA compliance issues. If you have any questions about the August 2002 final rule or your HIPAA implementation efforts, please contact any of the undersigned or your regular contact at the firm.