In the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Congress enacted sweeping changes in order to facilitate the submission of medical claims and the utilization of medical records in electronic formats while increasing protections for the privacy of medical records. Covered entities under HIPAA include health plans, health care clearing houses, and health care providers which conduct financial and administrative transactions electronically. Electronic transactions covered by HIPAA include the submission of health care claims or the transfer or storage of health care records in an electronic format. Under HIPAA, Congress envisioned enacting comprehensive privacy legislation within a self-imposed three-year deadline. When Congress failed to enact any such legislation within the three-year window, the Department of Health and Human Services ("DHHS") went forward with its own rules in order to implement HIPAA. The draft HIPAA rules filed in November of 1999 received in excess of 52,000 comments from the public. In December of 2000, DHHS issued a final rule. Under the Bush administration, Tommy Thompson, DHHS Secretary, reopened the rule for an additional 30-day comment period, and an additional 11,000 comments were received. Subsequent to the additional comment period, President Bush and Secretary Thompson allowed the rule to take effect on April 14, 2001, without any changes, with the understanding that appropriate changes would be made over the next year in order to clarify HIPAA requirements and to correct potential problems that could threaten access or quality of care.¹ On July 6, 2001, DHHS issued its first set of guidance regarding HIPAA to providers in an attempt to answer commonly asked questions and to clarify confusion about the final rules. Physicians and other health care providers must comply with these new standards on or before April 14, 2003, in order to minimize liability for violation of HIPAA.
This deadline is rapidly approaching for physicians and other providers who have not been diligent in the implementation process. Many of the policies and procedures which must be adopted in order to come into compliance with the HIPAA requirements require considerable planning and guidance. The focus of this article is to outline the importance of this recent guidance as it relates to physicians’ HIPAA compliance plans.

First, DHHS indicates that physicians in a small office practice may appoint the office manager as the privacy official (even though the office manager typically has many other duties in a small private physician practice). In contrast, the privacy official in a large hospital may need to be dedicated strictly to such privacy concerns.

Second, even though physicians need to develop comprehensive policies and procedures regarding private health information in order to demonstrate compliance with HIPAA, DHHS has clarified that the policies and procedures required of small providers may be more limited than those of large hospitals or health plans (in consideration of the smaller volume of health information maintained and the decreased number of interactions with other providers).

Third, if the privacy official/office manager trains existing staff on the HIPAA privacy policies and provides each new member of the work force with a copy of these policies, this will likely be seen as sufficient compliance for a small physician practice. The privacy official should maintain documentation in the HIPAA compliance plan that each existing and new member is provided with a copy of these policies. In addition, physicians would be well advised to encourage employees to attend outside training programs and to obtain internal videotape presentations for their staff in order to further educate existing and new staff regarding HIPAA compliance. All such training should be documented in the HIPAA compliance plan.

Fourth, physicians should inquire among other business partners as to their policies regarding compliance with HIPAA and obtain a copy of each business partner's privacy policy for their files.

Fifth, physicians are advised to have competent legal counsel familiar with HIPAA review existing contracts in order to assure that suitable provisions are included regarding HIPAA compliance. It also makes sense to have counsel review the notice of HIPAA privacy policy the physician intends to send and the consent forms to be used by patients. In particular, consent forms must be specific in allowing disclosure of protected health information for treatment, payment or health care operations except under certain specific exceptions.

Exceptions to the requirement of consent before disclosing this information include emergency situations, situations in which a provider is required by law to treat a patient, or where substantial barriers to communication with the patient interfere with obtaining such consent.

Physicians that have indirect treatment relationships with patients may disclose private health information for the purpose of treatment, payment or health care operations without obtaining consent. However, the best practice is to obtain consent if possible. Physicians referring cases to other physicians may not need to obtain a consent form provided that the consultation is within the treatment parameters and the physician being consulted does not establish a direct treatment relationship with the client. Therefore, consultations with other physicians about a patient’s case do not require the consulted physician to obtain a separate consent form. However, upon a referral to the physician for direct treatment care, the consulting physician should obtain such a consent form from the patient directly. If patients refuse to provide consent to such disclosure, HIPAA allows the physician to refuse to treat the patient.

An important clarification provided in the DHHS guidance is that a health care provider, such as a physician, is not liable for privacy violations of business associates, provided that the health care provider has a contract that obligates the business associate to notify it when privacy violations occur and take reasonable steps to cure the breach or end the violation, and, in the absence of such cure or cessation of violations, the provider must terminate the contract. Failure to terminate contracts for business associates that clearly violate HIPAA results in the provider also being considered to be out of compliance with the HIPAA requirements. Therefore, it is imperative to carefully review existing contracts with other business associates in order to assure that an appropriate HIPAA compliance provision is included within the contract consistent with this guidance. Otherwise, physicians that contract with other providers and other business associates may become responsible for their HIPAA violations simply because they failed to take reasonable precautions in their contractual arrangements.

Sixth, for situations involving disclosure of medical records in electronic format beyond the parameters of treatment, payment or health care operations, physicians must obtain a broader authorization form in order to disclose such information.

Physicians are well advised to have counsel carefully review existing forms involving notice of privacy policies, consent forms, authorizations, and existing contracts in order to assure compliance with HIPAA. Once these policies and procedures are in place, physicians can then properly train staff and employees regarding implementation of HIPAA policies and procedures, including specific training as to when a consent form is required, when an authorization is required, and what exceptions are available under the HIPAA rules.

Finally, DHHS has proposed certain changes to the final rule in order to clarify concerns raised by physicians and other health care providers:

  • Telephone in prescriptions - DHHS proposes to make a change which will permit pharmacists to fill prescriptions phoned in by a patient’s doctor before obtaining the patient’s written consent;
  • Referral appointments - A proposed change will permit direct treatment providers receiving a first-time referral to schedule appointments, surgery, or other procedures before obtaining the patient’s signed consent (this change is intended to allow limited disclosure on an as-needed basis only prior to obtaining written consent, but does not eliminate the need for consent);
  • Allowable oral communications - This proposed change is intended to allow for the quick interchange of oral communications with family members, treatment discussions with staff and other limited oral communications such as announcing a patient’s name in the waiting area. This change is intended to be of limited scope, but is intended to facilitate ordinary exchanges of private health information that are not likely to unduly invade the patient’s privacy;
  • Minimum necessary scope - This proposed change will allow the use of sign-up sheets, x-ray light boards, chalk boards that contain patient names, bedside medical charts and other minimum necessary use of protected health information without constituting a violation of HIPAA.

While these proposed changes provide common sense interpretations of how the HIPAA rules will likely be implemented in physician offices, hospitals and other venues, physicians should alert their particular privacy official to stay abreast of the final implementation of these proposed changes to the rules.

The full text of this guidance can be obtained from DHHS on its website for the Office for Civil Rights (designated to enforce the HIPAA rule).

1 Please refer to "HIPAA: Keys to Getting Started" by Patricia Clark, CPA, in this issue for an explanation as to the basic requirements to implement a HIPAA plan of compliance.

Charles M. Johnson, Esquire is a Member of Robinson & McElwee, PLLC, where he coordinates the Health Care Practice Group. He speaks and publishes regularly on EMTALA, issues related to confidentiality of medical records, managed care, Medicare and Medicaid reimbursement issues, fraud and abuse, certificate of need, and health care contracts and transactions. He is a graduate of Harvard College (1981), and West Virginia University College of Law (1986). The primary focus of Mr. Johnson’s practice is health care matters involving hospitals, long-term care and assisted living facilities, physicians, behavioral health care providers, and other health care providers and health care related businesses. Mr. Johnson is also the Program Chair of the American Law Firm Association’s Health Care Practice Group.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.