The Department of Health and Human Services (”HHS”) issued comprehensible, no surprises guidance under the final HIPAA privacy rule that went into effect on April 14, 2001. From the perspective of all but the health care provider community, the guidance was pretty much a nonevent; HHS addresses issues that are primarily of relevance to providers. If there is a message that resonates with all covered entities under the rule, it is that the sky is not falling and a rule of reason will be the Government’s compliance mantra. On the other hand, covered entities (and others affected by the rule) should not hold out hope that the rule will still change in any significant way. Any implementation activities delayed on that basis should now move forward.
The absence of any real policy change in the guidance was widely expected. When HHS reopened the comment period earlier this year, there was initial widespread speculation (fueled to some degree by the new administration) that the Bush administration would delay the rule’s effective date and go back to the drawing board on some of the more controversial issues. The issues thought likely to be revisited included preemption of state laws, “minimum necessary” use and disclosure, the need for business associate contracts, and oral versus electronic transmission of data. This speculation was short lived. Although HHS Secretary Tommy Thompson simultaneously allowed the rule to go effective on April 14 and promised soon to issue guidelines and/or modifications, the most knowledgeable observers doubted he would support any modification without following the notice and comment requirements of the Administrative Procedure Act (”APA”). This collective wisdom was right. The July 6 guidance clarifies several controversial provisions and only portends modifications (that will be made in accordance with the APA) in at least four areas. These planned modifications are at the margin of the rule and will have no significant effects on implementation efforts.
Guideline Overview – Plenty for Providers but Only Snippets for the Rest of the Health Care Community
Much of the guidance addresses “common sense” interpretations of the privacy rule in the context of a debate that has, on occasion, focused on extreme views. Overall, there is little that is new. As anticipated, HHS does not address some of the more controversial provisions of the rule, such as a parent’s guaranteed access to a child’s health records and the perimeters of “minimum necessary,” both of which it now intends to address through rule modification. It is also silent on the preemption of state laws.
For health plans, the guidance is of much more limited relevance than for providers. But one key message should be heard by all covered entities, not just providers: the guidance stresses the reasonableness of compliance efforts by covered entities. In the minimum necessary discussion, for example, HHS states that covered entities have “substantial discretion” in implementing the minimum necessary standard and may rely on “standard protocols” for routine disclosures. Further, this standard “is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to [protected health information]. It is intended to reflect and be consistent with, not override, professional judgments and standards.” Although the guidance focuses on “disclosure” versus “use” of protected health information, it implies that covered entities will be required to be reasonable in all their actions, not adhere to wooden absolutes. Thus, HHS is unlikely to nitpick a covered entity’s implementation of the rule or its day-to-day operation under the rule, where its actions are “reasonable” for a covered entity of its size and sophistication.
In terms of actual guidance for health plans, there are a few items of interest. First, the overlap between “treatment, payment and health care operations” (”TPO”) and “marketing,” is discussed with a clarification that certain marketing communications must receive an authorization (or at least an opt-out opportunity) even if they also fit within payment or health care operations. Thus, if an action constitutes both marketing and health care operations, the health plan must meet all HIPAA requirements concerning marketing communications.
Second, the guidance arguably “clarifies” that when a health plan must obtain protected health information from a provider to complete certain Coordination of Benefits (”COB”) or third-party payer transactions, the health plan must first receive the patient’s authorization. HHS explains that since “the provider’s disclosure is for the TPO purposes of the plan [and not the provider], it would not be covered by the provider’s consent” obtained from the same patient. Putting aside the question of how often this COB fact pattern actually arises, to many this clarification seems more like a misreading of the final rule. For example, some believe that the rule provides that if the consent given to the provider relates to TPO, it does not matter if it is for the purposes of the TPO of the provider or the TPO of the plan. However, the rule and preamble appear silent on this issue, leaving one to ask if HHS has inadvertently modified the rule. Clearly, the ramifications for other TPO issues are great. Read More Electronic Prescription