Health Information Compliance Alert

Drum roll, please

In a final rule published in the Aug. 14 Federal Register, the Department of Health and Human Services has finalized its revamping of the Clinton administrations controversial Health Insurance Portability and Accountability Act privacy standards and the new rule dramatically reduces the paperwork burdens HIPAA-covered entities were formerly saddled with.

The main theme flowing within the framework of HHS new privacy rule is the principle of providing strong privacy protections for patients without inhibiting access to quality health care, according to the Department. The main modifications that comprise the rule include:

Consent is scrapped. One of the key changes made to the privacy rule is the removal of the consent requirements for information disclosures connected with routine health care delivery purposes that is, treatment, payment and health care operations. Instead, covered entities will have to provide patients with a notice of the providers privacy practices and the patients privacy rights, and do their best to obtain the patients written acknowledgement of that notice. Obtaining formal consent will be optional.

Some marketing restricted. Pharmacies, health plans and other covered entities must acquire a patients written authorization before using a patients protected health information for marketing purposes, except in rare situations. However, the rule does afford doctors and other covered entities some latitude to freely discuss treatment options and other health-related information with patients. For example, the HHS says health care plans are permitted to inform patients of additional plan coverage and value-added items and services, such as discounts on prescriptions or eyeglasses. Also, covered entities are prohibited from using business associate contracts to circumvent the marketing provisions.

Only one authorization required. Separate authorization requirements for covered entities are eliminated. Though patients will have to grant permission in advance for each type of non-routine use or disclosure, providers will only have to use one form.

Modifications to business associate agreements. Covered entities (save for small health plans) are given up to an additional year to change their current written contracts to comply with the business associate contracts. HHS has provided sample business associate contract provisions.

Researchers need one form. Medical researchers will use a single combined form to obtain informed consent for the research and authorization to use or disclose PHI. The new rule also attempts to clarify the requirements relating to a researcher obtaining an IRB or Privacy Board waiver of authorization "by streamlining the privacy waiver criteria to more closely follow the Common Rule, which governs federally funded research."

Incidental use and disclosure not considered violations. The HHS admits it: Accidents happen. Provided that the covered entity has met reasonable safeguards and minimum necessary requirements, incidental uses or disclosures will not be considered violations of the new rule. Doctors offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, and doctors may talk to patients in semi-private rooms, among other examples.

Other changes include uses and disclosures regarding Food and Drug Administration-regulated products and activities, clarifications on the rights of parents and minors, conditional disclosure of the limited data set, and other modifications.