Health Information Compliance Alert

HIPAA Privacy:

HHS RELENTS ON CONSENT

Despite the sound and fury surrounding the proposed changes to the HIPAA privacy rule, reports that the elimination of the consent requirement will gut the privacy rule are greatly exaggerated.

According to the revisions proposed March 21 by the Department of Health and Human Services, providers would not be required to obtain signed consent from patients before using or disclosing health information for treatment, payment or health care operations (TPO) purposes. A use or disclosure for non-TPO purposes would still call for a patient's signed authorization.

Providers have been virtually unanimous in support of the proposed change. "Hospitals and consumer research results confirm that the [consent] forms would have been a paperwork hassle without providing any additional privacy rights or protections for patients," says Dick Davidson, president of the American Hospital Association.

"It will really benefit patient care to not to have the consent requirement in place," agrees Kristen Rosati, an attorney with Coppersmith Gordon Schermer Owens & Nelson in Phoenix. "There are so many situations where requiring providers to get a written consent before they begin treating someone would have been very difficult."

Indeed, HHS acknowledges in a press release that the rule was changed in response to comments that the consent requirement would interfere with pharmacists filling prescriptions, referrals to specialists and hospitals, providing treatment over the phone and emergency medicine.

Still, privacy advocates are up in arms over the change. "The elimination of this prior consent requirement strikes at the very heart of the privacy regulation," according to a release from the Health Privacy Project at Georgetown University. "HHS could have fixed certain unintended consequences of the consent requirement (for example, the impact on filling prescriptions) with more targeted changes, but the Department instead chose a more radical and unfortunate approach."

But some experts argue the change isn't as "radical" as it might first appear. Most providers already use some form of written consent when using health information for payment purposes, says Bill Sarraille, in the Washington office of Arent Fox Kintner Plotkin & Kahn. "Under most state laws they're already required to do that."

Rosati agrees. "A lot of the protections built into the privacy standard were already built into patient protection statutes at the state level," she explains. "What was so difficult about the privacy standard consent requirement was its timing: you had to get [consent] before you even treated the patient."

Notices of Information Practices Are Still Required

Under the proposed changes, covered entities still must present patients with a notice of information practices (see HICA Vol. 1, No. 2, p. 20). "Patients would be asked to acknowledge receipt of the privacy and practices," according to the HHS document.

Though some privacy advocates argued that the consent requirement empowered patients to negotiate where their information was disclosed, the consent required under the privacy rule was little more than an acknowledgement to begin with, argues Michael Roach, an attorney with Michael Best & Friedrich in Chicago.

"Unless it's an [emergency] situation where they have to treat, what provider is going to treat a patient who refuses to sign a consent?" Roach asks. "Under the current rules, if a person goes to a provider and that person refuses to sign the consent, the provider in most cases is almost assuredly going to refuse to treat because the provider can't use the information they get to bill for the patient's care," he explains.

"As a practical matter, the consent requirement didn't really protect patients," Rosati tells Eli. "Because providers were in position where they wouldn't be able be able to treat a patient who didn't sign a consent, the only protection a patient would have would be to walk away from treatment."
