HIPAA’s Latest Privacy Rule

By Kathleen G. Charters, PhD, RN

In Policy, Politics, & Nursing Practice, Vol. 4 No. 1, February 2003, 75-78

Abstract

The Health Insurance Portability and Accountability Act of 1996 final medical information privacy rule was published on August 14, 2002, in the Federal Register. This version modifies the rule issued under the Clinton administration, in 2000. Some key changes were made to the provisions for marketing, consent and notice, uses and disclosures regarding FDA-regulated products and activities, incidental use and disclosure of health information, authorization requirements, minimum necessary standards exemption, business associates contracts, research authorization to use protected health information, and a limited data set for use in research, public health, and health care operations. Privacy protection groups criticize the changes as a significant weakening of privacy standards, whereas health care business groups see the changes as making the rule more “workable.”


The Health Insurance Portability and Accountability Act of 1996 (HIPAA, also known as the Kassebaum-Kennedy Act) continues to generate significant and wide-ranging federal health care policy (Atchinson & Fox, 1997; see also U.S. Department of Health and Human Services [HHS], 2002a). In 1997, HHS made recommendations to Congress regarding the protection of medical privacy. HIPAA gave Congress a deadline of August 1999 to pass legislation protecting the privacy of health information. Since Congress failed to meet that deadline, the act specified that HHS should issue appropriate regulations. The development of these regulations has been marked by controversy (Kulynych & Korn, 2002). The number of public comments (52,000 on the first version and 11,000 on the second) reflects the wide range of interests affected by the proposed rules (Marietti, 2002c). The first version of the privacy rule was issued in December 2000 under the Clinton administration (see Office for Civil Rights, 2002b). Before the compliance dates for the December 2000 version were reached, the Bush administration proposed modifications (“HHS privacy,” 2002). After reconciliation with the public comments, the latest version of the privacy rule, “Standards for Privacy of Individually Identifiable Health Information,” was published in the Federal Register in 2002.

According to the U.S. Department of HHS (2002b, overview paragraph 2),

The privacy rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Most covered entities must comply with the Privacy rule by April 14, 2003. Small health plans have until April 14, 2004, to comply with the rule.

Privacy Rule modifications

Some of the key changes cited by HHS (2002b) are summarized in the Federal News (“HHS issues,” 2002). The areas modified in the final privacy rule follow.

Marketing

The definition of marketing distinguishes between types of communication, requiring a covered entity to obtain prior written authorization from an individual to use protected health information for marketing purposes, such as selling lists of enrollees to third parties. The rule exempts face-to-face encounters or communication offering a nominal value promotional gift. Covered entities may communicate with individuals in their practice and/ or plan about treatment options and health-related products and services offered by that entity.

Consent and Notice

Consent for a routine health care purpose is optional. However, covered entities must provide a notice of the covered entities’ privacy practices and the patients’ privacy rights. Direct treatment providers must make a good faith effort to obtain from patients written acknowledgment of the notice of privacy rights and practices. Note that the final rule does allow health care providers to disclose protected health information for fraud and abuse investigations without prior consent from patients, although the rule does not mandate such disclosures. Health care providers are required to disclose protected health information to patients requesting their own information or when oversight agencies request the data (“HHS privacy,” 2002).

Uses and Disclosures Regarding FDA-Regulated Products and Activities

To assure that information needed to protect public health and safety will continue to be available, the final rule permits covered entities to release protected health information to a person subject to the jurisdiction of the FDA, even if the patient has not provided written authorization to do so. This allows the continuing evaluation of the quality, safety, or effectiveness of FDA-regulated products.

Incidental Use and Disclosure

Although uses or disclosures of protected health information that are incidental to an otherwise permitted use or disclosure may occur, such incidental uses or disclosures are not considered a violation of the privacy rule as long as the covered entity meets reasonable safeguards and minimum necessary requirements for use of protected health information.

Authorization

To streamline and consolidate notification requirements and core elements, the final rule eliminates separate authorization requirements for covered entities. However, for each type of non-routine use or disclosure, providers must get authorization in advance from patients.

Minimum Necessary Standards

Minimum necessary standards are in effect unless the covered entity has received a specific authorization from the patient to release more information. Covered entities and their business associates may not “use or disclose protected health information beyond what is reasonably necessary for the purposes of the use and disclosure” (“HHS privacy,” 2002, p. 1116).

Parents and Minors

State law covering parents and minors governs; but in general, the privacy rule grants parents new rights to control the health information of their minor children. Health care providers must deny or grant access to minors’ protected health information as consistent with state or other applicable laws.

Business Associates

To ease the burden of covered entities renegotiating contracts as required under the privacy rule, covered entities (except small health plans) have an additional year to change existing written contracts.

Research

The final rule streamlines authorization requirements for research, permitting a single form to obtain both informed consent and authorization to use protected health information. To prevent interruption of ongoing research, the transition provisions have been expanded. The privacy waiver criteria to be used by the Institutional Review Board or privacy board more closely follow the requirements of the “common rule,” which governs federally funded research.

Limited Data Set

To facilitate research, public health, and health care operations, the final rule permits the creation and dissemination of a limited data set. The data set does not include directly identifiable information. The final rule conditions disclosure of the limited data set on the recipient entering into a data use agreement with the covered entity. The recipient must ensure the security of the data. The recipient may not identify the information or use it to contact any individual.

Privacy Rule Implications

According to the Bush administration, the final privacy rule is designed “to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care” (HHS, 2002b). According to HHS Secretary Thompson, the final privacy rule ensures “strong privacy protections while correcting unintended consequences that threatened patients’ access to quality health care” (Office for Civil Rights, 2002b, Introduction).

Health care business groups see the final rule as “workable” because they were successful in removing the requirement that health care providers obtain written consent to use protected health information. With this modification, all that is required is a good faith effort to obtain written acknowledgment that the patient received a notice of privacy rights and practices (“HHS privacy,” 2002b). Privacy protection groups see the modification as a serious setback for health information privacy. Privacy protection advocates criticize the removal of the prior consent requirement as a “significant weakening of the privacy standards” (“HHS privacy,” 2002, p. 1115). The final rule changes are seen as undermining patients’ control over the use of their health information. The Health Privacy Project at Georgetown University predicts the changes will “further erode patient trust in the health care system” (“HHS privacy,” 2002, p. 1115).

Senator Kennedy (D-Mass.), chair of the Senate Health, Education, Labor, and Pensions Committee, is critical of the modifications, especially the marketing provisions. Because the marketing provisions expand the definition of marketing, the revised rule allows greater dissemination of protected health information for commercial purposes (“HHS privacy,” 2002b).

Kulynych and Korn (2002) expressed concern about the implications of the privacy rule for research. They argued that the additional regulations will create a burden of compliance so great that the pace and volume of research will diminish. HHS estimates the cost of implementing the research-waiver provisions will be $450 million during a 10-year period. The privacy rule has rigid authorization and accounting requirements that may lead covered entities to withhold data from researchers to avoid the expense of compliance. Kulynych and Korn concluded, “The consequences for epidemiologic, health services and other public health research could be devastating, and in the end, the public may conclude that the new medical-privacy rights have too high a price” (p. 1135).

Another unintended consequence of the privacy rule is the implication for the legal aspect of health care. Enforcement of the rule falls to the Office of Civil Rights (2002a), which intends to take a “cooperative” approach in helping covered entities achieve compliance. However, the regulation also creates a new standard of care that will be cited in state health care negligence and breach-of-privacy lawsuits (“HHS privacy,” 2002a).

Overall, privacy protection groups see the changes as weakening the regulation, whereas health care businesses feel the final rule strikes a balance. The Health Insurance Association of America sees the privacy rule as unworkable as long as state law prevails, because the states create varying state privacy requirements that the group predicts will eventually increase health care costs (“HHS privacy,” 2002a). The research community fears the additional regulations will impede certain types of research or make them impossible. Marietti (2002b) summed up the compliance challenge as follows:

Privacy has been a difficult sell among all types of direct care providers. Not because they don’t think it’s important. They do. But open use of patients’ protected health information has been so pervasive and so ingrained among all health professionals that many are oblivious to the dangers. Securing privacy will require extreme effort.

Complying with HIPAA’s transaction and code sets rule will be a challenge – but a technical one. Complying with HIPAA’s privacy rule will require a cultural change. (p. 10)

The regulations for HIPAA are still evolving. The rules for transactions and code sets for large health plans (annual receipts in excess of $5 million) are effective as of October 2002, although a 1-year extension is available if requested from the Centers for Medicare and Medicaid. The rules for transactions and code sets for small health plans will be effective in October 2003. The final rule on security will be announced in fall 2002. The privacy rule goes into effect in April 2003 for large health plans and in April 2004 for small health plans. The unique employer identification number will go into effect in July 2004. Dates have yet to be set for enacting the rules for claims attachments, first reports of injury, provider identification numbers, and health plan identification numbers (Marietti, 2002a). The consequences of HIPAA will be felt for years to come.

References

Atchinson, B. K., & Fox, D. M. (1997). The politics of the Health Insurance Portability and Accountability Act. Health Affairs, 16, 146-150.

HHS issues final medical privacy rule; marketing, other provisions modified. (2002a). Federal News, 10, 1081-1082.

HHS privacy rule’s marketing provisions criticized by Kennedy as not strong enough. (2002b). Federal News, 10, 1115-1117.

Kulynych, J., & Korn, D. (2002). The new federal medical-privacy rule. The New England Journal of Medicine, 347, 1133-1134.

Marietti, C. (2002a). HIPAA deadlines: Extension automatic if filed by October 15. Healthcare Informatics, 19(9), 26.

Marietti, C. (2002b). First down: HIPAA kicks off with little fanfare, the toughest challenges still to come. Healthcare Informatics, 19(9), 26.

Marietti, C. (2002c). HIPAA update: Privacy rule finally final. Healthcare Informatics, 19(10).

Office for Civil Rights. (2002a). HIPAA. Retrieved October 22, 2002, from http://www.hhs.gov/ocr/hipaa/

Office for Civil Rights. (2002b). News 2000. Retrieved October 22, 2002, from http://www.hhs.gov/ocr/hipaa/news2000.html

Standards for Privacy of Individually Identifiable Health Information. (2002). Federal Register, 67, 53181.

U.S. Department of Health and Human Services. (2002a). Administrative simplification under HIPAA: National standards for transactions, security and privacy. Retrieved October 22, 2002, from http://www.hhs.gov/news/press/2002pres/hippa.html

U.S. Department of Health and Human Services. (2002b). Modifications to the standards for privacy of individually identifiable health information: Final rule. Retrieved October 22, 2002, from http://www.hhs.gov/news/press/2002pres/20020809.html


Kathleen G. Charters, Ph.D., RN, received a BS in psychology and a BS in nursing from Washington State University, after which she joined the Public Health Service. She attended the University of California, San Francisco, where she studied medical information systems and cardiopulmonary neuro-renal-endocrine pathophysiology. She transferred from the Public Health Service to the Navy and continued to combine a wide variety of clinical nursing experiences with the study of information systems, graduating from the University of Southern California with an MS in systems management and from the University of Maryland in Baltimore with a Ph.D. in nursing informatics. During her 25 years of experience as a Navy nurse, she held several nursing informatics positions. She is currently an assistant professor in the nursing informatics track at the University of Maryland, Baltimore.