
AUGUST 2002 REVISIONS TO THE HIPAA PRIVACY REGULATIONS


On August 14, 2002 the Department of Health and Human Services released final modifications to the HIPAA privacy regulations. The modifications are substantially the same as the proposed modifications with a few changes and additions. A discussion of the modifications is set forth below.

Accountings. The final rules remove from the required disclosures to be included in an accounting all disclosures made pursuant to a signed patient or member authorization; all disclosed information in a limited data set, and incidental disclosures. It is not entirely clear what would constitute an incidental disclosure but it is something that relates to a legitimate disclosure; for instance, information is legitimately disclosed to a business associate whose janitorial service incidentally views the information while emptying the wastebaskets.

The rules also simplify somewhat the accounting for disclosures for research studies. The final rules allow that if, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose of 50 or more individuals that may (or may not) have included the individual requesting the accounting, the accounting may provide: a) the name of the protocol or other research activity; b) a description of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records; c) a description of the type of protected health information that was disclosed; d) the date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period; and e) the name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed. (§ 164.528)

Authorizations. The final modifications eliminate the requirements to have separate and different authorization forms for uses or disclosures requested by the individual and for uses and disclosures requested by or from the covered entity, as well as for clinical research. The final rules mandate one form for all purposes and set forth the required elements that must be included in a valid authorization. The rules also make clear that an authorization form is required before any uses or disclosures are made for marketing (including to business associates) unless the marketing falls into either of the following two exceptions: a) a face-to-face communication made by a covered entity to an individual; or b) a promotional gift of nominal value provided by the covered entity. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state such remuneration is involved. (§ 164.508)

Business Associates. The final changes allow covered entities to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003 compliance date. The additional time applies to those existing written contracts or other written arrangements with a business associate which are in effect on October 15, 2002 and are not renewed or modified before April 14, 2004. Such contracts will be deemed to be in compliance until either the covered entity has renewed or modified the contract after October 15, 2002 or April 14, 2004, whichever is sooner. The HHS commentary also clarifies that where a contract simply renews automatically without any change in terms or other action by the parties, such contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts roll over automatically. The extension, however, does not relieve the covered entity from including business associate disclosures in a requested accounting, notifying business associates of approved amendments, and providing access to information held by the business associate that is not also held by the covered entity. The final rule also includes a model business associate agreement. (§ 164.532)

Consent Eliminated. The original regulations required those health care providers with a direct treatment relationship with a patient to obtain a consent prior to any use or disclosure of the patient's protected health information for treatment, payment and health care operations. The consent requirement presented a host of problems, especially when the provider was receiving a referral, such as a nursing home, but had not yet seen the patient in order to obtain his/her consent. In addition, the consent was not really a "consent" because the provider was permitted, in most cases, to refuse to treat the patient if the consent was not provided. This consent requirement has been eliminated in the final rules, which make it voluntary for health care providers to use the privacy consent. (§ 164.506(b))

Disclosures for Treatment, Payment or Health Care Operations of Another Entity. The final rules make an important change by allowing a covered entity to disclose protected health information for the payment activities of another covered entity or a noncovered health care provider. This resolves a recognized problem of the inability, under the original rules, of sharing protected health information with, for instance, ambulance companies which needed the information for their own billing. Under the original regulations, a covered entity could only disclose protected health information for its own payment purposes. In addition, the final rules permit a covered entity to disclose protected health information to another covered entity for certain health care operations. The activities for which the information may be disclosed include quality assurance and improvement activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs, and accreditation, certification, licensing, or credentialing activities. The disclosure among covered entities is limited to those situations in which both covered entities have, or have had, a relationship with the individual whose information is being disclosed. In summary, the following uses and disclosures are permitted without authorization:

  • Use for the covered entity's own treatment purposes, payment purposes and health care operations;

  • Disclosure to a health care provider (whether a covered entity or not) for treatment purposes;

  • Disclosure to another covered entity or health care provider for the other covered entity's or health care provider's payment purposes;

  • Disclosure to another covered entity for the health care operations of the other covered entity when both covered entities have or have had a relationship with the individual whose information is disclosed. This type of disclosure is limited to certain situations, including: quality assurance and improvement activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs, and accreditation, certification, licensing, or credentialing activities.

(§ 164.506(c))

FDA-Regulated Products and Activities. The final modifications loosen the standards for uses and disclosures regarding FDA-regulated products and activities and include lookback activities which are necessary for tracking blood and plasma products as permissible uses and disclosures without authorization. (§ 164.512(b))

Group Health Plan Disclosures of Enrollment and Disenrollment Information to Plan Sponsors. The final rule clarifies that group health plans are permitted to share enrollment and disenrollment information with plan sponsors without amending plan documents. (§ 164.504(f))

Health Care Operations. The final rules adopt the proposed language to expand the definition of health care operations to include the transfer of records during certain sale or merger transactions. Thus, "health care operations" now includes the sale, transfer, merger, or consolidation of all or part of the covered entity to or with another covered entity, or an entity that will become a covered entity as a result of the transaction, as well as the due diligence activities in connection with such transaction. This ability to use and disclose applies whether the transaction is ultimately consummated or not. (§ 164.501)

Hybrid Entities. The final modifications remove the requirement that a hybrid entity be a single legal entity whose primary function is not a covered function. A hybrid under the proposal will still be a single legal entity, but covered functions may be its primary functions. (§ 164.504(a))

Incidental Uses and Disclosures. The final modifications codify language in the July 6, 2002 HIPAA privacy guidance and expressly permit certain incidental uses and disclosures that occur as a result of an otherwise permitted use or disclosure. An incidental use or disclosure would be a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure. These incidental uses and disclosures are permissible only to the extent that the covered entity has applied reasonable safeguards and implemented a minimum necessary standard. The HHS commentary to the rules notes, however, that an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not a permissible use or disclosure and, therefore, would be a violation of the privacy regulations. For example, a hospital that permits an employee to have unimpeded access to patients' medical records, where such access is not necessary for the employee to do his/her job, is not applying the minimum necessary standard and, therefore, any incidental use or disclosure that results from this practice would be an unlawful use or disclosure under the privacy regulations. (§ 164.502(a))

Limited Data Set. The limited data set provisions were not contained in the original rules and were not proposed officially in the modification proposal. Under the final revisions, a "limited data set" is defined as protected health information that excludes all of the direct identifiers of the individual or of relatives, employers, or household members of the individual that are required to de-identify information, with the following exceptions: a) admission, discharge, and service dates; b) date of death; age (including age 90 or over); and c) five-digit zip code. Thus, a limited data set will be de-identified except for the permissible identifiers and can be used and disclosed without authorizations, subject to the other requirements for limited data sets as follows. Limited data sets can only be used and disclosed for three purposes: a) research by the covered entity or an outside organization; b) public health operations; and c) the health care operations of another covered entity. In order to disclose a limited data set outside of the covered entity, there must be a data use agreement between the covered entity and the limited data set recipient which is similar to a business associate agreement. Likewise, if a member of the workforce of the covered entity uses or creates a limited data set, the workforce member must enter into a confidentiality agreement with the covered entity.

A limited data set can be used to provide information, for instance, to a state hospital association for data analysis and aggregation; to another hospital or other covered entity in a system for comparative quality and other data studies; to disease registries maintained by private organizations or universities or other types of studies undertaken by the private sector or non-profit organizations for public health purposes; or for internal or external research purposes where the IRB or privacy board waiver of authorization is not sought. (§ 164.514(e))

Marketing. The final modifications eliminate the opt-out standard for marketing materials and will require authorizations prior to any communication which constitutes "marketing" (with limited exceptions). Authorizations will also be required before protected health information can be disclosed to business associates for marketing purposes. Marketing is defined as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service and/or an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Expressly excluded from the definition of marketing are communications made to an individual:

  • To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;

  • For the treatment of that individual; or

  • For case management or care coordination for that individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.

Authorizations are also not required if the communication is in the form of a face-to-face communication made by a covered entity to an individual or a promotional gift of nominal value provided by the covered entity.

Essentially all of this means that you must first decide whether the communication to be made is exempt from the definition of marketing and, if so, no authorization is required. If the communication is within the definition of marketing, an authorization will be required even if the release is to a marketing business associate, unless the communication is a face-to-face communication with the individual or is a nominal gift. The rule does not permit covered entities to provide patient or member lists to third parties for marketing, including business associates, without an authorization, and covered entities should not use their own mailing lists to market third-party products without an authorization.

Minimum Necessary Standard. The final modifications exempt from the minimum necessary standard all uses and disclosures made pursuant to a signed authorization. (§ 164.502(b))

Notice of Privacy Practices. The final rules require covered health care providers with a direct treatment relationship with the patient to make a good faith effort to obtain a patient's written acknowledgment of receipt of the Notice of Privacy Practices, except in emergency situations. This good faith effort must be made at the time of the first delivery of the Notice. This change does not affect the requirement to provide the Notice of Privacy Practices, and the failure to obtain the acknowledgment does not restrict the provider's ability to provide services or otherwise use and disclose the information for treatment, payment and health care operations. Documentation of the acknowledgment, or of the efforts made to obtain it, must be maintained. (§ 164.520)

Parents and Minors. The proposed changes clarify that state and other applicable laws will control not only when a state explicitly addresses disclosure of protected health information to a parent but also when such law provides discretion to a provider. Specifically, the modifications clarify that state and other applicable law, including case law, governs when such law explicitly requires, permits, or prohibits disclosure of protected health information to a parent or guardian. Thus, a covered entity may make the disclosure if the state law permits or requires a disclosure to the parent or guardian. Conversely, the covered entity may not make the disclosure if the state law prohibits such disclosure to the parent or guardian.

As to the right of access of protected health information, the modifications clarify that state law governs when the law explicitly requires, permits, or prohibits access to protected health information about a minor by a parent or guardian.

Where, however, the parent is not the personal representative of the minor and there is no applicable access provision under state law, a covered entity may provide or deny access to a parent, provided the decision is made by a licensed health care professional, in the exercise of professional judgment. (§ 164.502(g))

Protected Health Information. The final regulations clarify that protected health information does not include employment records held by a covered entity in its role as an employer. Note, however, that employees who are also patients or enrollees of the covered entity are treated as any other patient or enrollee with respect to their protected health information. (§ 164.501)

Research. The final rules change the criteria required for an IRB or privacy board to waive authorizations for non-clinical research. The final modifications require only three findings by the IRB or privacy board, rather than the original seven. The three criteria are (1) the use or disclosure of protected health information involves no more than a minimal risk to the privacy of the individuals; (2) the research could not practicably be conducted without the waiver; and (3) the research could not practicably be conducted without access to and use of the protected health information. The proposal also eliminates the requirement for a separate authorization form for use in clinical research. The final rules allow covered entities to use the same authorization form for research, for requests by the covered entity and for requests by the individual. See further discussion under Authorizations. The transitional clause is also modified as it relates to information for research. Under the modified transition clause, a covered entity is permitted to use or disclose for a specific research study protected health information that is created or received either before or after the compliance date, if the covered entity has obtained, prior to the compliance date, an authorization or other express legal permission from an individual to use or disclose protected health information for the research study. The proposal would also grandfather in research in which the individual has signed an informed consent to participate in the research study, or an IRB has waived informed consent for the research study. (§ 164.512(i) and § 164.532)