Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

HHS Issues Revised Version of Comprehensive Privacy Guidance


Summary: The U.S. Department of Health and Human Services has updated its comprehensive privacy guidance, originally issued in July 2001, to reflect the agency's August 2002 changes to the rules, and address many additional questions raised since the prior version came out.

An updated guidance document on HIPAA's privacy rules was issued Dec. 4 by the U.S. Department of Health and Human Services (HHS). The comprehensive guidance, which HHS originally issued in July 2001, was revised to reflect the agency's August 2002 changes to the rules, and addresses many additional questions raised since the prior version came out.

"The guidance that follows is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule," HHS' Office for Civil Rights (OCR) explains in the introduction. "The guidance does not address all of the relevant provisions in the rule, although we anticipate adding segments in the future as we develop guidance on more Privacy Rule standards."

In three of the frequently asked questions that OCR added to the guidance, the agency describes the changes made to the rules, explains its decision to eliminate the consent requirement and clarifies that the compliance deadline remains April 14, 2003.

The guidance includes new sections on workers' compensation and public health disclosures. The section of the July 2001 guidance that discussed consent was retitled "Uses and Disclosures for Treatment, Payment and Health Care Operations" (TPO) to reflect the new focus of the rules' Section 164.506. The document also incorporates the frequently asked questions (FAQs) that OCR issued Oct. 8.

Workers' Compensation

Regarding workers' compensation, the guidance lists three types of PHI disclosures to workers' compensation insurers or other entities that do not require the individual's authorization:

  1. disclosures allowed by workers' compensation laws, to the extent necessary to comply with them;
  2. disclosures required by state or other law; and
  3. disclosures made to obtain payment for any health care provided to the injured or ill worker.

Disclosures for workers' compensation purposes are subject to the "minimum necessary" standard unless they are required by law or based on an individual authorization. A covered entity may develop standard protocols as part of its minimum necessary policies and procedures that address the type and amount of PHI to be disclosed for such purposes, according to the guidance. In addition, if the PHI is requested by a state workers' compensation or other public official, covered entities may reasonably rely on the official's representations that the information requested is the minimum necessary for the intended purpose.

"The Department will actively monitor the effects of the Privacy Rule, and in particular, the minimum necessary standard, on the workers' compensation systems and consider proposing modifications, where appropriate, to ensure that the Rule does not have any unintended negative effects that disturb these systems," OCR adds.

Business Associates

The guidance includes an updated and expanded discussion of business associates that reflects the transition period established by the August 2002 final rules. In addition to the October FAQs on who is and is not a business associate, the guidance clarifies the possible roles of business associates in meeting the requirements for individual access to PHI.

A business associate contract must require the business associate to make PHI available to the covered entity as needed to meet the requirements for individual access, amendment and accounting of disclosures. However, the contract may assign the business associate the responsibility for handling these individual requests, "as may be appropriate where the business associate is the only holder of the designated record set, or part thereof," according to the guidance.

Minimum Necessary

The guidance also seeks to address concerns about the "minimum necessary" standard's impact on current practices. Covered entities should determine for themselves which PHI is "reasonably necessary for a particular purpose, given the characteristics of their business and workforce," OCR states. "This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose." Rather, the standard is intended to be "consistent with the best practices and guidelines already used by many providers and plans today."

For instance, "a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes," according to the guidance.

Implications

This latest HHS guidance includes few surprises on the issues that impact group health plans. Even the new section on workers' compensation does not add much to the agency's prior pronouncement in the August 2002 final rules and preamble. Likewise, the FAQs on workplace medical surveillance, marketing and minimum necessary do not raise any issues not addressed by the October FAQs and the final rules.

However, in the business associate section, which mostly includes the same FAQs as the October 2002 and July 2001 guidance, OCR added a surprising new question regarding reinsurers. According to the agency, a reinsurer does not become a plan's business associate simply by selling a reinsurance policy to a plan and paying claims under the policy. Only when the reinsurer performs another function on behalf of the plan other than providing reinsurance benefits is it considered a business associate.

This interpretation may surprise employers and health plans that were under the impression that a stop-loss insurer is a plan's business associate. Plans often share a lot of PHI with their stop-loss insurers. The preamble to the final rules states that PHI disclosures under a stop-loss contract are considered a "payment" function.

However, it remains unclear whether OCR makes a distinction between reinsurance and stop-loss insurance. The agency's rationale is that by providing reinsurance the reinsurer is not providing a service for the plan but is "acting on its own behalf." But because reinsurers generally are not considered health insurers, and thus are not covered entities under HIPAA, without a business associate contract they would not have any responsibilities to protect PHI under HIPAA. OCR's interpretation also may have implications as to whether fiduciary liability insurers are business associates.

The OCR guidance, titled "Standards for Privacy of Individually Identifiable Health Information," is available on the agency's Web site at www.hhs.gov/ocr/hipaa/privacy.html.

Reprinted with permission from the January 2003 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.
