Guest Article

(From the April 1, 2002 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits.)

Proposed HIPAA Privacy Regulations - Reviewing the Actual Language

Last week's Washington Bulletin noted that the Department of Health and Human Services was releasing proposed changes to its "final" rules on HIPAA privacy and reproduced HHS's own description of those proposals. Now that the actual text of the proposed rules has been published, 67 FR 14775 (March 27, 2002), a closer analysis is possible.

Business Associates

HIPAA requires covered entities (health care providers, health plans and clearinghouses) to impose certain privacy restrictions on their business associates through written contracts. Generally, a business associate must agree to give "protected health information" (PHI), i.e., any "individually identifiable health information" that has ever been electronically transmitted, the same privacy protections that a covered entity itself must provide.

The proposed regulations would permit existing business associate contracts to remain in effect until the earlier of (1) the end of the contract's existing term, or (2) April 14, 2004, giving covered entities and their business associates another year to bring contract language into compliance with the HIPAA requirements. The proposal indicates that, during that period, the covered entity still must require the business associate to comply with any HHS compliance directives and to respond to participant requests to access their PHI, to amend incorrect PHI, and to receive an accounting of any release of PHI for purposes other than treatment, payment, or operation of the plan.

The proposed regulations also provide model "business associate" contract language designed to be incorporated into the contract between the covered entity and the business associate. This language is intended to serve as a "safe harbor" contract provision. It is extremely broad, in effect restating the HIPAA privacy requirements and securing the associate's contractual agreement to follow them.

Patient Consents

By far the most controversial of the proposed rules is the elimination of the requirement that health care providers obtain prior consent from patients to use health information for treatment, payment, or operation of the plans covering that treatment. Reportedly, many physician groups originally sought the consent requirement. Apparently, the workaday reality of actually obtaining such consents before calling to consult a fellow provider such as a specialist, or calling in a prescription to a pharmacist, produced a change of mind. The proposals stress that providers would not be prohibited from seeking consent; in lieu of requiring it, they specifically state that covered entities would be "permitted" to seek it. Adding to the confusion, the new language would also provide that such consents could not permit uses or disclosures of PHI that are not otherwise permitted by the regulations. Privacy advocates are likely to oppose this change strongly.

Eliminating the pretreatment consent form does not affect the provider's responsibility to give individuals notice of its privacy practices. The obligation to provide that notice no later than the first delivery of service would be limited to nonemergency treatment. To ensure prompt delivery of the notice, providers would be required, in all but emergency situations, to make a good faith attempt to obtain the individual's written acknowledgement of the notice, or to document why the acknowledgement was not obtained. Failure to obtain an acknowledgement after a good faith attempt would neither prevent the delivery of care nor violate the privacy rules.

Incidental Disclosures and Minimum Necessary Requirement

The proposed rules would clarify that covered entities may share PHI with other covered entities for purposes of treatment, payment, and health care operations. Such operations include:

  • quality assessment and improvement;

  • population based activities to improve health or reduce costs;

  • case management;

  • training programs; and

  • accreditation, licensing, and similar activities.

HHS issued privacy guidance in July 2001 clarifying that covered entities are not required to eliminate all risk of incidental uses or disclosures of PHI, so long as they use reasonable safeguards to protect the information. The proposed rules would explicitly permit such incidental uses and disclosures, for example sign-in sheets at doctors' offices, or a disclosure that occurs when medical instructions are given in a corridor.

The "minimum necessary" requirement would not apply to uses and disclosures for which the affected individual has given a standard authorization. Covered entities would no longer be required to "reasonably ensure" that the minimum necessary standard is met, but only to comply with specific implementation standards.

Marketing

The final rules permit marketing to patients and participants so long as an "opt-out" is offered. Under the proposed rules, by contrast, individuals could receive marketing communications only if they had specifically authorized them. As under the existing rule, face-to-face communications by a covered entity are excluded from the "marketing" rules. Newly proposed exclusions from marketing would also cover communications (1) describing the providers, products, or services offered by the covered entity or included in the plan, (2) for the treatment of the individual, and (3) for case management, care coordination, or alternative treatments.

Parents' Right to Child's Health Information

The existing rules on a parent's right to a minor child's health information provide that state law governs such disclosures under HIPAA. The proposed regulations leave this rule unchanged except to require explicitly that case law be recognized as part of state law for these purposes.

Research

As part of these proposed rules, HHS has asked for comment on permitting research with data that retain limited identifiers, rather than changing the rules for all de-identified data. HHS has not, however, proposed to change the limits on the research use of individually identifiable information.

HHS does propose to expand the circumstances under which researchers could modify or waive a participant's original authorization and use data for purposes beyond it. The proposed rule would eliminate the required finding that the expanded use would not adversely affect the subject's privacy rights and welfare, and would instead require a finding that the use or disclosure "involves no more than a minimal risk to the privacy of the individual..." based on one or more of the following:

  • planned protections of the identifiers;

  • a plan to destroy identifiers as soon as possible; and

  • written assurances the PHI will not be used for other purposes.

Authorizations

The final rules currently impose different requirements for authorizations depending on the use to which the disclosed information will be put. HHS proposes to eliminate these special authorization requirements for uses by covered entities, other entities, and researchers, and to impose a single set of standards for all authorizations.

Request for Comment on De-Identification of PHI

HHS has not changed the current final rules for de-identification of PHI, but it has asked for comment on alternatives that would permit certain identifiers to remain in the data. The existing final rules essentially require the removal of all identifiers other than codes, so that there is "no reasonable basis to believe the information could be used to identify an individual."

Employer Issues

HHS has also proposed a number of changes of particular concern to employers, including:

  • a specific reference in the regulations to permit the sharing of enrollment and disenrollment data with plan sponsors without the need to amend the plan document;

  • an acknowledgement that PHI does not include "employment records"; and

  • allowing a "hybrid entity" to designate which of its parts constitute the "covered entity" (for example, its self-insured health plan) and which are non-covered components, and permitting it to include within the "covered entity" certain components that support the covered entity and would otherwise be treated as its "business associate."

The information in this Washington Bulletin is general in nature only and is not intended to provide advice or guidance for specific situations.

If you have questions or need additional information about this article, please contact Martha Priddy Patterson (202.879.5634) or Robert B. Davis (202.879.3094).

Copyright 2002, Deloitte.


BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.
© 2022 BenefitsLink.com, Inc.