[ Tuesday, March 26, 2002 ]
HHS changes the Privacy Rule
As you might have heard, HHS has already revised the privacy rule. On Thursday of last week, HHS announced that some changes would be made to allow providers to use information prior to getting a consent in certain instances. The newly revised regulations are supposed to be published in tomorrow's Federal Register, but as with most things, you can get an advance copy here. Also, for the shorthand versions, you can get HHS' press release here, and HHS' fact sheet here.
Based on the press release and fact sheet, as well as on what some others are saying in the HIPAAsphere, there are 3 big items as well as a few smaller items in the revisions. (I'll admit it, I haven't read all 175 pages of the new regs yet, but I'll digest them for you here as soon as I do, and correct anything I get wrong from relying on HHS' condensation of its own words.)
FIRST, there's some loosening of the requirement to have a signed consent before a covered entity could use it for treatment, payment or healthcare operations. As originally written, no provider could use protected health information ("PHI") until they had received a written consent from the patient. So, you go see your primary care physician and give him a written consent; your PCP can use and disclose your health information pursuant to that consent. Your PCP uses the information to determine that you need a prescription; he can do that under your consent. Your PCP also calls (discloses) the prescription into the pharmacy you select. The pharmacy doesn't have a signed consent from you, so it can neither use nor disclose the information in the prescription. Under the rules as drafted, the pharmacist can't begin to fill your prescription, even though it's been called in, until you come on down and sign a consent. Then, he can use the prescription information to put the pills in the bottle. He can also then disclose the information to your pharmacy benefit management company or insurance company and get paid. A better example still is a specialist physician. Your PCP refers you to a specialist, but the specialist can't even look at your chart until you get there and sign a consent. That's not a good thing if you're already in the hospital and suffering from some complication that makes it difficult for you to give consent. If you're comatose in a hospital bed and a specialist treats you before you come to and sign a consent, the specialist has used your PHI without consent, and has therefore violated HIPAA. Not a pretty result, is it?
As revised, the consent requirement is removed where treatment, payment or health care operations are involved, as long as the covered entity gets an acknowledgement as soon as possible from the patient that the patient has received the covered entity's notice of privacy practices.
SECOND, the minimum necessary rule remains, but doctors, nurses and other professionals could discuss a patient's PHI so long as reasonable steps are taken to prevent bad disclosures. Incidental disclosures, such as might happen when doctors discuss treatment options with a patient in a semi-private room, would not be violations of HIPAA.
THIRD, the revisions make clear that state laws relating to a parent's right to access a child's medical records remain in force. Read to its extreme, HIPAA prevented pediatricians from discussing a child's medical condition with the child's parents. The revisions provide a physician with the discretion to disclose or deny access to a parent according to the mandates of state law.
The proposed revisions will also make clear (I thought it was pretty clear already) that covered entities must get specific authorization from individuals before sending them marketing information. Researchers will be allowed to combine "informed consent" consents with HIPAA consents, and the revisions make even more clear the concept that if a researcher is following the "Common Rule" (and if you need to know what that is, you already do), HIPAA is being followed as well.
The revisions also apparently simplify the authorization process (you can use a single authorization form, as long as you meet the specific requirements), and also require HHS to come out with a model Business Associate Agreement ("BAA"). This is kind of silly, if you ask me, since the BAA requirements are so plainly spelled out in the original regs. Maybe it's just that I've already authored a handful of them, and hate it when someone provides a shortcut after I've already gone the long way around.
More to come, as always. . . .
Jeff [5:30 PM]