Analysis of Final HHS HIPAA Privacy Rules
August 12, 2002
Shannon Hartsfield - Tallahassee
Michael R. Manthei - Boston
August 12, 2002
MEMORANDUM
TO: Clients and Friends
FROM: Holland & Knight LLP
HIPAA Team
RE: Analysis of Final HHS HIPAA Privacy Rules
1. INTRODUCTION
The Department of Health and Human Services (HHS or Department) has modified the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), which implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in a final rule appearing in the Federal Register on August 14, 2002 (the Final Rule). While the final modifications to the federal health privacy rules under HIPAA do not substantially alter the proposed rules issued by the Bush Administration in March 2002 (the Proposed Rules), myths nonetheless flew around the airwaves and presses the next day. Some of the most responsible media reported, inaccurately, that the Bush rule “guts” the Clinton rule; that patients have “lost” federal privacy rights; that drug companies are now free to buy patient lists and “direct market” to patients to get them to switch to their drugs; and that the exceptions have virtually swallowed the rule.
Even where the reporting was not inaccurate, it was often inexcusably incomplete. For example, perhaps the most widely reported “angle” on the final privacy rule was that it will force patients to forfeit substantial privacy rights because the Bush Administration withdrew Clinton Administration patient “consent” requirements. Every one of these stories omitted the fact that the original Clinton HIPAA privacy rule did not require consents either; that more widely applicable and far more protective “authorizations” are still required in most cases; that the exceptions to authorizations do not go beyond those traditionally applied in the health care industry and under state law; and that health plans and providers still must notify patients of the numerous avenues in the rule for restricting the disclosure of their protected health information, and of their rights to correct and amend their medical records.
In truth, after seven years and two Administrations, the final privacy rules are a remarkable political compromise that elegantly balance uniquely American privacy dogma against uniquely American healthcare quality and technology; patient protections against administrative workability; state against federal power; private rights against government authority; and individualism against community. Rather than blasting the rules and the bureaucrats for their inadequacies, the media should recognize that these regulators, on both sides of the aisle, have done what Congress itself could not do after 20 years of political debate.
2. THE PRIVACY RULE’S IMPACT ON EMPLOYERS AND ERISA PLANS
In the Final Rule, HHS has stated emphatically that “the Privacy Rule does not apply to employers, nor does it apply to the employment functions of covered entities, that is, when they are acting in their role as employers.” HHS recognizes that some employers obtain a great deal of health information about employees when carrying out routine employment functions relating to hiring, compliance with the Occupational Safety and Health Administration (OSHA) requirements, Family Medical Leave Act (FMLA), and other regulations and activities.
The Privacy Rule now contains a revised definition of “Protected Health Information” (PHI). PHI now does not include “[e]mployment records held by a covered entity in its role as employer.” HHS, in response to comments received on the proposed revisions, elected not to specifically define “employment records.” HHS noted, however, that these records would include information an employer would need to carry out its obligations related to the FMLA, sick leave requests, drug screening, workplace medical surveillance, fitness-for-duty exams, and other similar programs and activities.
The Final Rule also provides clarification regarding employers as “hybrid entities.” A covered entity may elect to operate as a hybrid entity, but would not have to do so if its only non-covered functions were those relating to its status as an employer, because employment records are explicitly exempted from the definition of PHI. HHS also stated that an employer is not a hybrid entity merely because it has a self-funded health plan.
Several comments regarding the Proposed Rules dealt with workers' compensation programs. There was concern that the “minimum necessary” standard would prevent insurers, employers, and state administrators from getting the information required to pay claims. HHS stated, however, that the Privacy Rule is not intended to interfere with existing state workers' compensation systems. The preamble to the Final Rule also states that the minimum necessary standard allows covered entities to disclose any PHI that is reasonably necessary for workers' compensation purposes and is intended to allow PHI to be shared for those purposes “to the full extent permitted by [s]tate or other law.”
The Final Rule simplifies many of the compliance requirements for fully insured group health plans. In fact, these plans are exempt from many of the Privacy Rule requirements as long as the only PHI held by the plan is summary information and/or information about enrollment and disenrollment, which is considered to be PHI.
The recent changes also simplify certain compliance requirements for self-insured plans. For example, HHS clarified that, if the Privacy Rule allows a covered entity to share PHI with another covered entity, then the covered entity is permitted to disclose PHI to a business associate of the other covered entity. Additionally, an HMO may disclose PHI to a group health plan or a third-party administrator acting as a business associate of the plan because the HMO and the group health plan are operating as an organized health care arrangement as defined in the Privacy Rule.
3. CONSENTS AND AUTHORIZATIONS
Consent. Citing concerns and numerous comments to the effect that requiring covered entities to obtain written consent prior to using PHI for treatment, payment and healthcare operations purposes would have unintended consequences that would compromise the quality and timeliness of healthcare delivery, HHS adopted its proposal in the Proposed Rules to eliminate the consent requirement of § 164.506. Under the Final Rule, all covered entities now have regulatory authority to use and disclose PHI for treatment, payment and healthcare operations without obtaining the individual’s consent.
The preamble to the final regulation states that HHS considered a number of options in response to comments to the Proposed Rules, but chose to eliminate the consent requirement because it was the only change that provided a “global fix” to what HHS and many commentators considered to be the operational problems and unintended treatment consequences associated with consent. HHS addressed the concerns of those commentators who wanted to retain or strengthen the consent rules by reference to a California health information privacy law that does not require consent and that in other respects is very similar to the Final Rule. HHS cited survey results showing that, despite the California law that permitted disclosures of health information without an individual’s consent, consumers in California did not have greater concerns about confidentiality than other health care consumers.
Other rights provided by the Final Rule are not affected by the elimination of the consent requirement. Although covered entities will not be required to obtain an individual’s consent, any uses or disclosures of protected health information for treatment, payment or health care operations must still be consistent with the covered entity’s notice of privacy practices. Also, the removal of the consent requirement applies only to consent for treatment, payment and health care operations; it does not alter the requirement to obtain an authorization under §164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule or any other requirements for the use or disclosure of protected health information. Furthermore, individuals retain the right to request restrictions, in accordance with §164.522(a). This allows individuals and covered entities to enter into agreements to restrict uses and disclosures of protected health information for treatment, payment and health care operations that are enforceable under the Privacy Rule.
Although consent for use and disclosure of protected health information for treatment, payment and health care operations is no longer mandated, this Final Rule allows covered entities to have a consent process if they wish to do so. Covered entities that choose to obtain consent may rely on industry practices to design a voluntary consent process that works best for their practice area and consumers, but they are not required to do so.
The Final Rule effectuates the aforementioned changes in the same manner as in the Proposed Rules. The consent provisions in §164.506 are replaced with a new provision at §164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment and health care operations. A new provision is added at §164.506(b) that permits covered entities to obtain consent if they choose to, and makes clear any such consent process does not override or alter the authorization requirements in §164.508. Section 164.506(b) includes a small change from the proposed version to make it clearer that authorizations are still required by referring directly to authorizations under §164.508.
Additionally, the Final Rule includes a number of conforming modifications, identical to those in the Proposed Rules, to accommodate the new approach. The most substantive corresponding changes are at §§164.502 and 164.532. Section 164.502(a)(1) provides a list of the permissible uses and disclosures of protected health information, and refers to the corresponding section of the Privacy Rule for the detailed requirements. The provisions at §§ 164.502(a)(1)(ii) and (iii) that address uses and disclosures of protected health information for treatment, payment and health care operations are collapsed into a single provision, and the language is modified to eliminate the consent requirement.
The references in §164.532 to §164.506 and to consent, authorization or other express legal permission obtained for uses and disclosures of protected health information for treatment, payment and health care operations prior to the compliance date of the Privacy Rule were deleted. The proposal to permit a covered entity to use or disclose protected health information for these purposes without consent or authorization applies to any protected health information held by a covered entity whether created or received before or after the compliance date. Therefore, transition provisions are not necessary.
In the Final Rule, the Department also adopts its proposal to allow covered entities to disclose PHI for the treatment, payment and certain health care operations purposes of another entity. Specifically, the Final Rule at §164.506(c):
- States that a covered entity may use or disclose protected health information for its own treatment, payment or health care operations.
- Clarifies that a covered entity may use or disclose protected health information for the treatment activities of any health care provider.
- Permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information.
- Permits a covered entity to disclose protected health information only to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the protected health information pertains to such relationship, and the disclosure is:
  - For a purpose listed in paragraphs (1) or (2) of the definition of health care operations, which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities; or
  - For the purpose of health care fraud and abuse detection or compliance.
- Clarifies that a covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
Authorization. The Privacy Rule required individual authorization for uses and disclosures of protected health information for purposes that are not otherwise permitted or required under the Privacy Rule. The Privacy Rule prohibited, with limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. The Privacy Rule also permitted, with limited exceptions, individuals to revoke an authorization at any time. Additionally, the Privacy Rule sets out core elements that must be included in any authorization. These elements are intended to provide individuals with the information they need to make an informed decision about giving their authorization. This information includes specific details about the use or disclosure, and provides the individual fair notice about his or her rights with respect to the authorization and the potential for the information to be redisclosed. Additionally, the authorization must be written in plain language so individuals can read and understand its contents. The Privacy Rule required that authorizations provide individuals with additional information for specific circumstances under the following three sets of implementation specifications: in §164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; in §164.508(e), for authorizations requested by a covered entity for another entity to disclose protected health information to the covered entity requesting the authorization to carry out treatment, payment or health care operations; and in §164.508(f), for authorizations requested by a covered entity for research that includes treatment of the individual.
To address complaints that the authorization requirements of the prior final rule were too complicated and confusing, the Department proposed in the Proposed Rules and adopted in the Final Rule changes to simplify the aut