[ Thursday, May 23, 2002 ]
Did I say later today? I must've meant tomorrow, er today, when I said that yesterday.
So, HHS has proposed eliminating the consent requirement. Let's recap a bit: under the final privacy regulations that became effective April 2001 and become enforceable April 2003, covered entities cannot use or disclose PHI except (i) with consent (if the use/disclosure is for treatment, payment or health care operations), (ii) with authorization (for most other uses), (iii) if the individual doesn't object (for generally non-offensive uses like in a facility directory), (iv) to the individual themselves, or (v) as otherwise permitted (such as disclosures to public health officials, etc.). Based on this, a physician to whom a patient is referred or a pharmacist could not use the information to plan treatment or fill a prescription until the patient actually appeared and signed a consent.
HHS proposed to fix this problem by eliminating the consent requirement entirely, and replacing it with a requirement that the provider simply give the patient a copy of the provider's notice of privacy practices and ask the patient to sign an acknowledgement of receipt (if the patient refuses to sign, that's OK). When you ask the patient for consent, you are getting an affirmative response from the patient: "Yes, it is fine with me if you use my PHI for the purposes you've outlined." When you simply give them a copy of your notice of privacy practices, you are instead operating on a "full disclosure" model. Instead of the patient affirmatively saying, "yes, you can," the provider is disclosing his/its intentions to the patient and it is up to the patient to either (i) ask the provider not to do something the patient finds objectionable or (ii) go to a different provider because something in the disclosure upsets or offends them. It's the difference between a permission slip and a disclosure document.
Providers already have to give patients a copy of their notice of information practices. Since you've already go to do that, why not just ask for a signed acknowledgement rather than a consent?
Good question. But do you, as a provider, obtain a consent now? You probably do, since you want to have explicit consent from the patient to disclose their health information to their insurance company so you can get paid. Ethically, providers have an obligation to their patients to maintain the confidentiality of the patient/provider relationship, so getting a signed consent is a good idea from an ethics standpoint. The fact that HIPAA says you don't need consent doesn't change your ethical obligations. Would disclosing your notice of privacy practices effectively be the same? Probably,but you'd be a lot better off defending a disclosure that the patient specifically consented to rather than one that was pursuant to a boilerplate document that the patient probably never read or didn't understand.
If you get consents signed now, my suggestion would be continue to get consents signed. You do need to have your consents tailored to meet the HIPAA guidelines, though. And you also need to have a notice of privacy practices drafted. You also need a privacy officer, employee training materials, policies and procedures, and a slew of other stuff. And you're working on developing all of that stuff now, aren't you?
Of course, you're also applying for the one-year extension on the transaction and code sets standards, pushing the compliance deadline back to October 2003. Don't forget, though, that you have to start testing those transaction by April. If you don't use a billing/coding company, make sure your billing folks and your computer folks get this process started.
Jeff [11:48 AM]
Blogger: HIPAA Blog - Edit your Template