Analysis of Final HHS HIPAA Privacy Rules
August 12, 2002
TO: Clients and Friends
FROM: Holland & Knight LLP
RE: Analysis of Final HHS HIPAA Privacy Rules
The Department of Health and Human Services (HHS or Department) has modified the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), which implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in a final rule appearing in the Federal Register on August 14, 2002 (the Final Rule). While the final modifications to the federal health privacy rules under HIPAA do not substantially alter the proposed rules issued by the Bush Administration in March 2002 (the Proposed Rules), myths nonetheless flew around the airwaves and presses the next day. Some of the most responsible media reported, inaccurately, that the Bush rule “guts” the Clinton rule; that patients have “lost” federal privacy rights; that drug companies are now free to buy patient lists and “direct market” to patients to get them to switch to their drugs; and that the exceptions have virtually swallowed the rule.
Even where the reporting was not inaccurate, it was often inexcusably incomplete. For example, perhaps the most widely reported “angle” on the final privacy rule was that it will force patients to forfeit substantial privacy rights because the Bush Administration withdrew Clinton Administration patient “consent” requirements. Every one of these stories omitted the fact that the original Clinton HIPAA privacy rule did not require consents either; that more widely applicable and far more protective “authorizations” are still required in most cases; that the exceptions to authorizations do not go beyond those traditionally applied in the health care industry and under state law; and that health plans and providers still must notify patients of the numerous avenues in the rule for restricting the disclosure of their protected health information, and of their rights to correct and amend their medical records.
In truth, after seven years and two Administrations, the final privacy rules are a remarkable political compromise that elegantly balance uniquely American privacy dogma against uniquely American healthcare quality and technology; patient protections against administrative workability; state against federal power; private rights against government authority; and individualism against community. Rather than blasting the rules and the bureaucrats for their inadequacies, the media should recognize that these regulators, on both sides of the aisle, have done what Congress itself could not do after 20 years of political debate.
2. THE PRIVACY RULE’S IMPACT ON EMPLOYERS AND ERISA PLANS
In the Final Rule, HHS has stated emphatically that “the Privacy Rule does not apply to employers, nor does it apply to the employment functions of covered entities, that is, when they are acting in their role as employers.” HHS recognizes that some employers obtain a great deal of health information about employees when carrying out routine employment functions relating to hiring, compliance with the Occupational Safety and Health Administration (OSHA) requirements, Family Medical Leave Act (FMLA), and other regulations and activities.
The Privacy Rule now contains a revised definition of “Protected Health Information” (PHI). PHI now does not include “[e]mployment records held by a covered entity in its role as employer.” HHS, in response to comments received on the proposed revisions, elected not to specifically define “employment records.” HHS noted, however, that these records would include information an employer would need to carry out its obligations related to the FMLA, sick leave requests, drug screening, workplace medical surveillance, fitness-for-duty exams, and other similar programs and activities.
The Final Rule also provides clarification regarding employers as “hybrid entities.” A covered entity may elect to operate as a hybrid entity, but would not have to do so if its only non-covered functions were those relating to its status as an employer, because employment records are explicitly exempted from the definition of PHI. HHS also stated that an employer is not a hybrid entity merely because it has a self-funded health plan.
Several comments regarding the Proposed Rules dealt with workers compensation programs. There was concern that the “minimum necessary” standard would prevent insurers, employers, and state administrators from getting the information required to pay claims. HHS stated, however, that the Privacy Rule is not intended to interfere with existing state workers' compensation systems. The preamble to the Final Rule also states that the minimum necessary standard allows covered entities to disclose any PHI that is reasonably necessary for workers' compensation purposes and is intended to allow PHI to be shared for those purposes “to the full extent permitted by [s]tate or other law.”
The Final Rule simplifies many of the compliance requirements for fully insured group health plans. In fact, such plans are exempt from many of the Privacy Rule requirements as long as the only PHI the plan holds is summary health information and/or enrollment and disenrollment information (which HHS confirms is PHI).
The recent changes also simplify certain compliance requirements for self-insured plans. For example, HHS clarified that, if the Privacy Rule allows a covered entity to share PHI with another covered entity, then the covered entity is permitted to disclose PHI to a business associate of the other covered entity. Additionally, an HMO may disclose PHI to a group health plan or a third-party administrator acting as a business associate of the plan because the HMO and the group health plan are operating as an organized health care arrangement as defined in the Privacy Rule.
3. CONSENTS AND AUTHORIZATIONS
Consent. Citing concerns and numerous comments to the effect that requiring covered entities to obtain written consent prior to using PHI for treatment, payment and healthcare operations purposes would have unintended consequences that would compromise the quality and timeliness of healthcare delivery, HHS adopted its proposal in the Proposed Rules to eliminate the consent requirement of § 164.506. Under the Final Rule, all covered entities now have regulatory authority to use and disclose PHI for treatment, payment and healthcare operations without obtaining the individual’s consent.
The preamble to the final regulation states that HHS considered a number of options in response to comments to the Proposed Rules, but chose to eliminate the consent requirement because it was the only change that provided a “global fix” to what HHS and many commentators considered to be the operational problems and unintended treatment consequences associated with consent. HHS addressed the concerns of those commentators who wanted to retain or strengthen the consent rules by reference to a California health information privacy law that does not require consent and that in other respects is very similar to the Final Rule. HHS cited survey results showing that, despite the California law that permitted disclosures of health information without an individual’s consent, consumers in California did not have greater concerns about confidentiality than other health care consumers.
Other rights provided by the Final Rule are not affected by the elimination of the consent requirement. Although covered entities will not be required to obtain an individual’s consent, any uses or disclosures of protected health information for treatment, payment or health care operations must still be consistent with the covered entity’s notice of privacy practices. Also, the removal of the consent requirement applies only to consent for treatment, payment and health care operations; it does not alter the requirement to obtain an authorization under §164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule or any other requirements for the use or disclosure of protected health information. Furthermore, individuals retain the right to request restrictions, in accordance with §164.522(a). This allows individuals and covered entities to enter into agreements to restrict uses and disclosures of protected health information for treatment, payment and health care operations that are enforceable under the Privacy Rule.
Although consent for use and disclosure of protected health information for treatment, payment and health care operations is no longer mandated, this Final Rule allows covered entities to have a consent process if they wish to do so. Covered entities that choose to obtain consent may rely on industry practices to design a voluntary consent process that works best for their practice area and consumers, but they are not required to do so.
The Final Rule effectuates the aforementioned changes in the same manner as in the Proposed Rules. The consent provisions in §164.506 are replaced with a new provision at §164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment and health care operations. A new provision is added at §164.506(b) that permits covered entities to obtain consent if they choose to, and makes clear any such consent process does not override or alter the authorization requirements in §164.508. Section 164.506(b) includes a small change from the proposed version to make it clearer that authorizations are still required by referring directly to authorizations under §164.508.
Additionally, the Final Rule includes a number of conforming modifications, identical to those in the Proposed Rules, to accommodate the new approach. The most substantive corresponding changes are at §§164.502 and 164.532. Section 164.502(a)(1) provides a list of the permissible uses and disclosures of protected health information, and refers to the corresponding section of the Privacy Rule for the detailed requirements. The provisions at §§ 164.502(a)(1)(ii) and (iii) that address uses and disclosures of protected health information for treatment, payment and health care operations are collapsed into a single provision, and the language is modified to eliminate the consent requirement.
The references in §164.532 to §164.506 and to consent, authorization or other express legal permission obtained for uses and disclosures of protected health information for treatment, payment and health care operations prior to the compliance date of the Privacy Rule were deleted. The proposal to permit a covered entity to use or disclose protected health information for these purposes without consent or authorization applies to any protected health information held by a covered entity whether created or received before or after the compliance date. Therefore, transition provisions are not necessary.
In the Final Rule, the Department also adopts its proposal to allow covered entities to disclose PHI for the treatment, payment and certain health care operations purposes of another entity. Specifically, the Final Rule at §164.506(c):
- States that a covered entity may use or disclose protected health information for its own treatment, payment or health care operations.
- Clarifies that a covered entity may use or disclose protected health information for the treatment activities of any health care provider.
- Permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information.
- Permits a covered entity to disclose protected health information only to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the protected health information pertains to such relationship, and the disclosure is:
- For a purpose listed in paragraphs (1) or (2) of the definition of health care operations, which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities; or
- For the purpose of health care fraud and abuse detection or compliance.
- Clarifies that a covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
Authorization. The Privacy Rule requires individual authorization for uses and disclosures of protected health information for purposes that are not otherwise permitted or required under the Privacy Rule. With limited exceptions, the Privacy Rule prohibits covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan on obtaining an authorization, and it permits individuals to revoke an authorization at any time. The Privacy Rule also sets out core elements that must be included in any authorization. These elements are intended to give individuals the information they need to make an informed decision about granting the authorization: specific details about the use or disclosure, fair notice of the individual’s rights with respect to the authorization, and notice of the potential for the information to be redisclosed. The authorization must also be written in plain language so that individuals can read and understand its contents. Before the Final Rule, the Privacy Rule required authorizations to provide individuals with additional information in specific circumstances under three separate sets of implementation specifications: §164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; §164.508(e), for authorizations requested by a covered entity for another entity to disclose protected health information to the requesting covered entity to carry out treatment, payment or health care operations; and §164.508(f), for authorizations requested by a covered entity for research that includes treatment of the individual.
To address complaints that the authorization requirements of the prior final rule were too complicated and confusing, the Department proposed in the Proposed Rules and adopted in the Final Rule changes to simplify the authorization provisions by consolidating the implementation specifications into a single set of criteria under §164.508(c), thus eliminating paragraphs (d), (e) and (f), which contained the separate implementation specifications. Under the Final Rule, paragraph (c)(1) requires all authorizations to contain the following core elements:
- a description of the information to be used or disclosed
- the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information
- the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure
- a description of each purpose of the use or disclosure
- an expiration date or event
- the individual’s signature and date, and
- if signed by a personal representative, a description of his or her authority to act for the individual
The Proposed Rules, and now the Final Rule require, at §164.508(c)(2), that authorizations contain the following notifications:
- a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice
- a statement that treatment, payment, enrollment or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule a statement about the consequences of refusing to sign the authorization, and
- a statement about the potential for the protected health information to be redisclosed by the recipient.
Covered entities also will be required to obtain an authorization to use or disclose protected health information for marketing purposes, and to disclose in such authorizations any direct or indirect remuneration the covered entity would receive from a third party as a result of obtaining or disclosing the protected health information.
The Final Rule incorporates a new exception to the revocation provision at §164.508(b)(5)(ii) for authorizations obtained as a condition of obtaining insurance coverage when other law gives the insurer the right to contest the policy. Additionally, the Final Rule deletes the exception that permitted conditioning payment of a claim on obtaining an authorization, since the new permission to share protected health information for the payment activities of another covered entity or a health care provider eliminates the need for an authorization in such situations. Finally, the Final Rule incorporates a modification at §164.508(a)(2)(i)(A), (B) and (C) to clarify that the permission to share protected health information for the treatment, payment or health care operations of another entity does not apply to psychotherapy notes.
Research Authorizations. The modifications to the authorization requirements eliminated the additional authorization requirements for the use and disclosure of protected health information created for research that includes treatment of the individual. Consistent with this change, the Final Rule further modifies the requirements prohibiting the conditioning of authorizations at §164.508(b)(4)(i) to remove the reference to §164.508(f). In addition, the Privacy Rule permits an authorization for the use or disclosure of protected health information to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the study. Finally, the Privacy Rule explicitly provides that the statement “end of the research study” or similar language is sufficient to meet the requirement for an expiration date or event in §164.508(c)(1)(v). Similarly, the Final Rule provides that the statement “none” or similar language is sufficient to meet this provision if the authorization is for a covered entity to use or disclose protected health information for the creation or maintenance of a research database or repository.
4. MARKETING
Marketing has consistently been one of the most confusing, hotly debated and newsworthy areas of the Final Rule. Despite the fact that the Bush Administration actually toughened the Clinton marketing regulation in certain respects, consumer organizations have still been distressed about some of the exemptions. For example, the Proposed Rules permitted covered entities to use PHI for marketing without a specific patient authorization in face-to-face encounters, for products and services of nominal value, and for health-related services in certain circumstances.
The Final Rule retains the first two exemptions from the need for authorization in order to use PHI for marketing in face-to-face encounters, and for promotional gifts of nominal value. The use of PHI for all other marketing activities requires patient authorization, with limited exceptions for treatment, payment, health care operations and health plan coverage. The final amendments clarify that what constitutes marketing is not determined by the author’s intent -- it is any communication about a product or service that, on its face, encourages the recipients of the communication to purchase or use a product or service. However, marketing does not include communications to an individual for treatment, case management or care coordination (which would include disease management, wellness initiatives and medication compliance reminders), or to direct or recommend alternative treatments, therapies, health care providers or care settings.
Thus, the Final Rule attempts to finesse the problem that has so bedeviled HHS and most state legislatures: how to permit legitimate uses of PHI for patient health promotion and care management activities that may still involve promoting a service, product or drug, while precluding companies from using PHI simply to sell a product. The most widely discussed example has been whether covered entities may disclose PHI to pharmacists, drug companies or pharmaceutical benefit managers (PBMs) for medication compliance reminders, health information mailers and other direct patient contacts. When is it marketing and when is it a true health care service? If an HMO discloses PHI to a PBM that then uses it to promote a switch to one cholesterol drug (perhaps one in which it has a financial interest) from another the patient is already taking, is that still marketing even if there is substantial evidence that the new drug is safer or more effective? What if the drug company is paying the HMO for the patient lists? HHS seems to answer some of these questions when it says in the preamble that a communication that merely promotes health in a “general manner” and does not promote a specific product or service from a particular provider does not meet the general definition of “marketing.” Such communications may include population-based activities to improve health or reduce health care costs as set forth in the definition of “health care operations.” Therefore, communications, such as mailings reminding women to get an annual mammogram, providing information about how to lower cholesterol, about new developments in health care (e.g., new diagnostic tools), health or “wellness” classes, about particular classes of drugs (e.g., when to use Cox-II drugs as opposed to ibuprofen, or SSRI antidepressants instead of tricyclics); support groups; disease management and predictive modeling programs; and health fairs are permitted, and are not considered marketing.
Most of the health care industry seems to agree with HHS’ approach in the Final Rules. HHS decided to amend the definition of “marketing” to close what commenters had called a “loophole” – in which covered entities, for remuneration, could disclose PHI to a third party that would then be able to market its own products and services directly to individuals. HHS cited the public’s consternation that a drug company could pay a provider for a list of patients with a particular condition or who are taking a particular medication and then use that list to market its own drug products directly to those patients. Thus, HHS has amended the Privacy Rule so that “marketing” is defined expressly to include “an arrangement . . . whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” These communications are marketing and can only occur if the covered entity obtains the individual’s authorization. HHS believes that this provision will “make express the fundamental prohibition against covered entities selling lists of patients or enrollees to third parties, or from disclosing PHI to a third party for the marketing activities of the third party, without the written authorization of the individual.”
On the other hand, HHS did not agree that a payment irrevocably transforms a treatment communication into marketing for which an authorization is required. For example, health care providers should be able to, and may, send patients prescription refill reminders regardless of whether a third party pays for or subsidizes the communication. The covered entity also is able to engage a legitimate business associate to assist it in making these permissible communications. It is only in situations in which, under the guise of a business associate, an entity other than the covered entity is promoting its own products using PHI it has paid for and received from the covered entity, that the remuneration will place the activity within the definition of “marketing.” Unfortunately, HHS does not appear to answer the even more frequent scenario when there is no remuneration or when it is the health plan or insurer or employer that is paying the business associate to promote a service or drug or supply provided by the business associate. For example, what happens when a health plan provides PHI to a remote monitoring company so that the company may call patients who would benefit from using its products, and thereby reduce costs and improve quality for the health plan? Does the remote monitoring company use the PHI on behalf of the health plan, the patient, the doctor or itself? It is often impossible to distinguish whether a business associate is promoting the use of a certain drug, or device or service mainly to lower costs or improve quality for the health plan, improve outcomes for patients or simply to make more money. The Final Rule says that the intent of the discloser or user of PHI does not control, which is a wise choice. 
However, by vaguely excluding from marketing communications to an individual for treatment, case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers or care settings, HHS leaves many specific situations to be resolved by future Guidance. Whether such Guidance will be promulgated in time to forestall litigation or regulatory enforcement action is unclear.
HHS also determined that covered entities may use PHI to communicate with members about health insurance products offered by the covered entity that could enhance existing health plan coverage. Under this exemption, a health plan is not engaging in marketing when it advises its enrollees about other available health plan coverage that could enhance or substitute for existing health plan coverage. For example, if a child is about to age out of coverage under a family’s policy, this provision will allow the plan to send the family information about continuation coverage for the child.
A health plan is also not engaging in marketing when communicating about health-related products and services available only to plan enrollees or members that add value to, but are not part of, a plan of benefits. To qualify for this exclusion, a value-added item or service must meet two conditions. First, the value-added item or service must be health related. Second, it must add value to the plan’s membership alone, rather than being a pass through of a discount or item available to the public at large.
5. BUSINESS ASSOCIATES
Like the Proposed Rules, the Final Rule adopted a transition period for certain business associate contracts that permits covered entities, other than small health plans, to operate under such contracts for up to a year beyond the April 14, 2003, compliance date. However, this transition period is available only to covered entities that have written contracts or other written arrangements with business associates prior to the effective date of the Final Rule, and only if those contracts or arrangements are not renewed or modified prior to April 14, 2003. This transition period was intended to afford covered entities (especially large covered entities) sufficient time to reopen and renegotiate existing contracts. Nonetheless, it does not relieve covered entities of their responsibilities related to making information available to the Secretary of HHS or to individuals during the transition period.
Additionally, HHS identified when business associate agreements are not required under the rules. For example, a business associate contract is not required for a janitorial service or for other entities whose functions, activities or services do not involve PHI, and where any access to PHI by such entities would be de minimis.
Moreover, to alleviate the burdens on covered entities, the Final Rule sets forth sample business associate contract provisions and revisions to the language in the Proposed Rules. For example, HHS clarified that a business associate agreement must permit the Secretary of HHS, not the covered entity, to have access to the business associate’s practices, books and records. Although HHS did not include a complete model contract, there was specific guidance on many of the provisions, and HHS explained that the Privacy Rule does not prohibit other language, such as a provision that imposes monetary damages on a business associate for a violation of a covered entity’s privacy policies.
6. ACCOUNTING OF DISCLOSURES
Section 164.528 of the Privacy Rule affords individuals the right to obtain an accounting of disclosures of PHI made by the covered entity, with certain exceptions. The Final Rule expanded these exceptions to include not only disclosures by the covered entity for treatment, payment or health care operations and disclosures to individuals of PHI about them, but also any disclosure made pursuant to an authorization as provided in §164.508, disclosures that are part of a limited data set, and disclosures that are merely incidental to another permissible use or disclosure. These exceptions to the accounting requirement were adopted to alleviate the high costs and administrative burdens associated with the requirement, and because the requirement was intended as a means for the individual to discover non-routine disclosures as opposed to those disclosures the individual had previously authorized.
Furthermore, HHS simplified the accounting requirements for research disclosures in an attempt to affirm individuals’ rights to an accounting while ensuring that important research is not halted simply due to the large volume of records associated with many research projects. In sum, the simplified accounting is available for disclosures made for a particular research purpose that involve the records of 50 or more individuals.
7. RESEARCH
In the Final Rule, HHS made several changes relating to the use and disclosure of PHI for research purposes. The Final Rule provides for a single set of authorization requirements for all uses and disclosures, including those for research purposes. It also allows the research-related authorization to be combined with any other legal permission related to the research study, including a consent to participate in the research. Authorizations for research projects will no longer have to include an expiration date. If there is no expiration date, however, this fact must be stated on the authorization form.
The Privacy Rule, as it was originally finalized in December of 2000, allowed certain uses and disclosures for research without a patient authorization if the covered entity first obtains either of the following:
- documentation of approval of a waiver of authorization from an Institutional Review Board (IRB) or a Privacy Board, including documentation that eight specific waiver criteria have been met, or
- when a review of PHI is conducted preparatory to research or when research is conducted solely on decedents’ information, certain representations from the researcher, including that the use or disclosure is sought solely for such a purpose and that the PHI is necessary for the purpose
In the March 2002 proposed revisions, HHS simplified some of the waiver criteria, and the Final Rule adopts the simplifications. HHS stated that IRBs and Privacy Boards may initially struggle to interpret the criteria, so HHS plans to issue Guidance in the future to address this concern.
HHS promulgated several other clarifications relating to research. In response to concerns that the safe harbor method for de-identifying PHI was too stringent, HHS adopted a clarification stating that a re-identification code that could be used to allow the covered entity to re-identify de-identified PHI would not be considered one of the enumerated identifiers that must be removed in order to obtain safe harbor protection. More significantly, HHS added a new provision allowing a “limited data set” that can be used for research, public health or health care operations purposes if the covered entity:
- uses or discloses only a “limited data set” as defined in §164.514(e)(2), and
- obtains from the recipient of the limited data set a “data use agreement” as defined in §164.514(e)(4).
In order to qualify as a “limited data set,” the direct identifiers of the individual (and of the individual’s relatives, employers and household members) must be removed, including:
- name
- street address
- telephone and fax numbers
- e-mail addresses
- Social Security numbers
- medical record numbers and health plan beneficiary numbers
- certificate/license numbers
- vehicle identifiers and serial numbers
- URLs and IP addresses
- biometric identifiers, including finger and voice prints, and
- full-face photos and comparable images.
A covered entity may disclose PHI in a limited data set to a researcher who has entered into an appropriate data use agreement without having to obtain documentation from an IRB or a Privacy Board that individual authorization has been waived for the purposes of research. The covered entity may not disclose any direct identifiers, however, without an individual authorization or documentation of an IRB or Privacy Board waiver.
HHS adopted Privacy Rule modifications providing for transition requirements for research begun prior to April 14, 2003. Covered entities may use or disclose PHI created or received for a specific research study prior to the compliance date if the covered entity has obtained any one of the following:
- an authorization or other express legal permission from an individual to use or disclose PHI for the research study
- the informed consent of the individual to participate in the research study, or
- a waiver by an IRB of informed consent for the research study in accordance with the Common Rule or FDA’s human subject protection regulations.
8. MINIMUM NECESSARY
In the Final Rule, HHS largely retains the modifications it had made, in earlier Guidance and Proposed Rules, to the Clinton-era concept of restricting uses and disclosures to the minimum PHI necessary to satisfy a request or effectively carry out a function of a covered entity. The Bush Administration’s view of the minimum necessary standard is still that the provision “is intended to be consistent with, and not override, professional judgment and standards, and that covered entities must implement policies and procedures based on their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and their workforce.”
However, the Final Rule did clarify other provisions. The Privacy Rule now exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. Although the Privacy Rule previously exempted only certain types of authorizations from the minimum necessary requirement, because the rule will now have only one type of authorization, the exemption is now applied to all authorizations. Minimum necessary requirements are still in effect to ensure an individual’s privacy for most other uses and disclosures.
Some of the other provisions that HHS adopted with respect to the minimum necessary standard include:
- With respect to disclosures to another covered entity, the Privacy Rule permits a covered entity reasonably to rely on another covered entity’s request for PHI as the minimum necessary for the intended disclosure. HHS did not, however, go so far as to adopt a blanket exception for such disclosures. The covered entity that holds the information always retains discretion to make its own minimum necessary determination.
- For requests for PHI that it makes on a routine and recurring basis, a covered entity must implement the minimum necessary standard by developing and implementing policies and procedures designed to limit each request to the PHI reasonably necessary to accomplish the intended purpose; other, non-routine requests must be reviewed individually against criteria the covered entity establishes.
- The exception to the minimum necessary rule for disclosures to or requests by health care providers for treatment purposes is retained. HHS wanted to ensure that access to timely and high-quality treatment was not impeded.
- In certain cases, an entire medical record may be used or disclosed without running afoul of the minimum necessary test “for payment or health care operations purposes, including disease management purposes, . . . provided that the covered entity has documented the specific justification for the request or disclosure of the entire record.” This was a significant success for the disease management industry.
- The Final Rule explicitly permits a covered entity reasonably to rely on a researcher’s documentation or the representations of an IRB or Privacy Board that the information requested is the minimum necessary for the research purpose.
In an interesting specific example, HHS concluded that negotiation about the amount of PHI that constitutes the “minimum necessary” should be a routine aspect of compliance. For example, HHS recounts, if a pharmacist does not agree that the amount of information requested is reasonably necessary for a PBM to fulfill its obligations, “it is up to the pharmacist and PBM to negotiate a resolution of the dispute as to the amount of information needed by the PBM to carry out its obligations and that the pharmacist is willing to provide, recognizing that the PBM is not required to pay claims if it has not received the information it believes is necessary to process the claim in accordance with its procedures, including fraud prevention procedures.”
9. INCIDENTAL DISCLOSURES
Commenters were concerned that the Privacy Rule’s restrictions on uses and disclosures would prohibit covered entities from engaging in certain common and essential health care communications and practices in use today, and that these restrictions would impede many of the activities and communications essential to the effective and timely treatment of patients. To address those concerns, HHS modified the Privacy Rule to explicitly permit certain “incidental uses and disclosures” that occur as a result of a use or disclosure otherwise permitted by the Privacy Rule. An “incidental use or disclosure” is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature and occurs as a by-product of an otherwise permitted use or disclosure. These types of disclosures are permissible only to the extent that the covered entity has applied the reasonable safeguards required by §164.530(c) and implemented the minimum necessary standard in §164.502(b).
HHS’ reason for this change centered around the commonly held belief that prohibiting all incidental uses and disclosures would have a chilling effect on normal and important communications among providers and between providers and their patients, which would in turn negatively affect individuals’ access to quality health care. Again, the Privacy Rule is not intended to impede common health care communications and practices that are essential in providing health care to the individual. HHS also noted that incidental disclosures do not have to be included by covered entities in the accounting of disclosures required under the Privacy Rule.
10. DISCLOSURE FOR TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS OF ANOTHER ENTITY
In this Final Rule, HHS retained the Proposed Rules’ important decision to allow covered entities to disclose PHI for the treatment, payment, and certain health care operations purposes of another entity. Specifically, the Final Rule provides that a covered entity may:
- Use or disclose PHI for its own treatment, payment, or health care operations.
- Use or disclose PHI for the treatment activities of any health care provider.
- Disclose PHI to another covered entity or any health care provider for the payment activities of the entity that receives the information.
- Disclose PHI to another covered entity for the health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the PHI pertains to such relationship, and the disclosure is: (i) for a purpose listed in paragraphs (1) or (2) of the definition of “health care operations” which includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities; or (ii) for the purpose of health care fraud and abuse detection or compliance.
- If it participates in an organized health care arrangement, disclose PHI about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
In response to commenters who were concerned that the precondition of a relationship with the patient would impede certain health care operations activities, HHS referenced the new limited data set provisions whose purpose is to provide a mechanism for disclosures of PHI for quality and other health care operations when the covered entity requesting the information does not have a relationship with the individual. Under those provisions, the final modifications permit a covered entity to disclose PHI, with direct identifiers removed, for any health care operations activities of the entity requesting the information, subject to a data use agreement.
One extremely significant request from the health care industry that was not approved promises to pose substantial compliance problems. The Final Rule affirms a proposed requirement that disclosures for health care operations may be made only to another covered entity. Because an individual’s health information will no longer be protected (e.g., by a consent requirement) when it is disclosed to a non-covered provider (e.g., a provider who does not perform standard transactions), HHS believed that a covered entity should be limited to disclosing a limited data set, with direct identifiers removed, to a non-covered provider for any of the provider’s health care operations purposes in the absence of individual authorization. Expanding the provision to allow disclosures to a third party for any of the third party’s business operations would severely weaken the Privacy Rule, according to HHS. This determination now raises the specter of unintended violations by covered entities that provide PHI to a business associate for the health care operations of the covered entity that could arguably also be used for the health care operations or other purposes of the business associate.
In a related area, HHS gives the example of whether an HMO is permitted to disclose PHI for payment and health care operations both to an ERISA plan and to the plan’s third-party administrator (TPA) or plan sponsor. HHS clarifies that
- if the Rule permits a covered entity to share PHI with another covered entity, the covered entity is permitted to disclose PHI to its business associate acting on behalf of that other covered entity. This is true with respect to all of the Rule’s provisions. Also, an HMO may disclose PHI to a group health plan, or a third-party administrator that is a business associate of the plan, because the relationship between the HMO and the group health plan is defined as an OHCA for purposes of the Rule. . . . The group health plan (or the HMO with respect to the group health plan) may disclose PHI to a plan sponsor in accordance.
However, HHS did not respond to the commenters who requested that it clarify when a business associate is using PHI for the covered entity and when for its own operations, and how that determination relates to marketing. For example, may a health insurer or ERISA-plan covered entity disclose PHI to a TPA that uses the PHI for enrollment purposes but also uses the PHI to publish de-identified statistics about its performance to other potential customers? May an HMO disclose PHI to a disease management company if that company uses it in part to publish de-identified outcomes data? HHS should consider providing clarifications in new Guidance as soon as possible.
11. HEALTH CARE OPERATIONS: CHANGES IN LEGAL OWNERSHIP
In the Final Rule, HHS added to the language of the definition of “health care operations” to clarify that it is a health care operation not only when a covered entity uses or discloses PHI to conduct due diligence in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction, but also when a covered entity uses or discloses PHI as part of the sale, transfer, consolidation or merger itself. This change prevents the Privacy Rule from interfering with necessary treatment or payment activities upon the sale of a covered entity or its assets. However, this change does not affect a covered entity’s other legal or ethical obligations to notify individuals of a sale, transfer, consolidation or merger.
12. LIMITED DATA SET
The concept of a limited data set was adopted due to various concerns by state hospital associations, researchers and others that the de-identification standard could curtail important research, public health and health care operations activities. Thus, the Final Rule explains that a limited data set for research, public health or health care operations can be used if the covered entity: (1) uses or discloses only a “limited data set,” and (2) obtains from the recipient of the limited data set a “data use agreement.”
Like the de-identification provisions, the Final Rule specifies that direct identifiers that apply to the individual or to relatives, employers or household members of the individual must be removed from data to qualify as a limited data set. The direct identifiers include: name, street address, telephone and fax numbers, e-mail address, Social Security numbers, certificate/license numbers, vehicle identifiers and serial numbers, URL and IP addresses, full-face photos and other comparable images, medical record numbers, health plan beneficiary numbers and biometric identifiers including finger and voice prints. Notably, HHS did not list dates related to the individual, such as birth dates, or five-digit zip codes or other geographic subdivisions, such as state, county or city, except for street addresses.
Additionally, the covered entity must enter into a data use agreement with the intended recipient, which: (1) establishes the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research, public health, or health care operations; (2) limits who can use or receive the data; (3) requires the recipient to agree not to re-identify the data or contact the individuals; and (4) contains adequate assurances that the recipient use appropriate safeguards to prevent use or disclosure of the limited data set other than as permitted by the Privacy Rule and the data use agreement, or as required by law. HHS did not specify the form of the data use agreement, but did clarify that the minimum necessary requirements apply as well as the requirements related to non-compliance, such as taking reasonable steps to cure a recipient’s breach and, if applicable, reporting problems to the Secretary of HHS.
13. PARENTS AND MINORS
In this section, HHS has embraced three goals with respect to parents and minors provisions in the Privacy Rule:
- HHS wants to assure that parents have appropriate access to the health information about their minor children to make important health care decisions for them, while also making sure that the Privacy Rule does not interfere with a minor’s ability to consent to and obtain health care under state or other applicable law.
- HHS does not want to interfere with state or other applicable laws related to competency or parental rights, in general, or the role of parents in making health care decisions about their minor children, in particular.
- HHS does not want to interfere with the professional requirements of state medical boards or other ethical codes of health care providers with respect to confidentiality of health information or with the health care practices of such providers with respect to adolescent health care.
In order to meet these goals, HHS continues to defer to state and other applicable laws with respect to parents and minors. Where the state or other applicable law is unclear or silent, HHS has created standards and requirements that allow states the maneuverability to continue to define the rights of parents and minors regarding health information without interference from the Privacy Rule.
Therefore, HHS has modified two sections of the Privacy Rule to aid in the attainment of the above-mentioned goals. These changes are designed to prohibit activity that would be impermissible under state law. First, in order to assure that state and other applicable laws that address disclosure of health information about a minor to his or her parent govern in all cases, the language in the definition of “more stringent,” currently in §160.202, that addresses the disclosure of PHI about a minor to a parent has been moved to the standards regarding parents and minors. Note that the deference to state or other applicable law includes established case law.
Secondly, HHS has changed the provisions regarding access to PHI of minors. The Final Rule defers to state or other applicable law regarding a parent’s access to health information about a minor. When the state or other applicable law is silent or not explicit, the covered entity must review case law, attorney general opinions and legislative history to determine whether such law permits, requires or prohibits providing a parent with access to the minor’s records. However, if the parent is not the personal representative of the child as defined in the Privacy Rule, the covered entity may rely on the discretion of a licensed health care provider to determine whether or not the parent should have access.
14. USES AND DISCLOSURES REGARDING FOOD AND DRUG ADMINISTRATION (FDA)-REGULATED PRODUCTS AND ACTIVITIES
HHS had a number of concerns about the scope of the disclosures permitted for FDA-regulated products and activities, and about the failure of the Privacy Rule to reflect the breadth of the public health activities currently conducted, on a voluntary basis, by private sector entities subject to the jurisdiction of the FDA. HHS therefore deleted the phrases “if the disclosure is made to a person required or directed to report such information to the Food and Drug Administration” and “to comply with requirements or at the direction of the Food and Drug Administration.” In lieu of this language, HHS added the language “a person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities relating to quality, safety, or effectiveness of such FDA-regulated product or activity.”
These changes enable entities other than those “…required or directed to report…” to report to the FDA potential problems or health or safety threats concerning products approved by the FDA. Note, however, that the Privacy Rule limits disclosure to those made for public health activities and purposes, and that the minimum necessary standard still applies to public health disclosures. The Privacy Rule is not intended to discourage or prevent adverse event reporting or otherwise disrupt the flow of essential information that the FDA and persons subject to the jurisdiction of the FDA need in order to carry out their important public health activities.
15. INSTITUTIONAL REVIEW BOARD (IRB) OR PRIVACY BOARD APPROVAL OF A WAIVER OF AUTHORIZATION
HHS replaced the waiver criteria in the Proposed Rule, found in §164.512(i)(2)(ii), with the following waiver criteria:
- “The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
a) An adequate plan to protect the identifiers from improper use and disclosure;
b) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
c) Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this subpart;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the PHI.”
These new criteria safeguard patient privacy, require attention to issues sometimes currently overlooked by IRBs, and are compatible with the Common Rule while also managing to ease the burdensome and duplicative provisions that were in the initial version of the waiver criteria. While IRBs and Privacy Boards may initially struggle to interpret the criteria, HHS intends to issue guideline documents to address this concern.
16. DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION
In order to address concerns that many entities were confused by potentially conflicting provisions within the de-identification standard, HHS added a provision to the safe harbor explicitly excepting the re-identification code or other means of record identification permitted by §164.514 (c) from the list of unique data elements that must be removed from PHI in order for the PHI to be considered de-identified. A re-identification code allows a covered entity to re-associate de-identified PHI with individual medical records.
For more information about Holland & Knight's HIPAA practice and HIPAA Team, please take this link to our HIPAA page.