Groups pleased that final privacy rule lacks a written consent requirement
Some details still confuse pharmacists
The privacy rule is final at last — and its elimination of the written consent requirement pleases pharmacy groups. The medical privacy regulation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was published in the Federal Register on Aug. 14. The prior written consent requirement that had been in the original final rule was "problematic in providing appropriate health care," says Gary C. Stein, PhD, director of federal regulatory affairs for the American Society of Health-System Pharmacists (ASHP) in Bethesda, MD.
Many health care groups seem happy with the final rule overall.
"Hospitals want patients to know and fully understand their medical privacy rights," says a statement released by the American Hospital Association in Chicago. "But no regulation should interfere with a patient’s ability to get timely, effective care. The final rule strikes the right balance."
Some confusion still exists, though. An ASHP member asked Stein if hospital pharmacies are expected to discard used, labeled medication containers in a secure landfill, as they could be considered protected health information under HIPAA.
"The new final rule [p. 53,193] indicates that this would be one of the unintentional disclosures that could occur as a by-product of engaging in health care communications and practices.’ It would seem that such an incidental use or disclosure would be permissible as long as the covered entity has applied reasonable safeguards," he said, adding that he’s unsure what constitutes reasonable safeguards.
The American Pharmaceutical Association in Washington, DC, has summarized the final changes to the privacy regulation. According to the summary, the final rule:
- Eliminates the prior written consent requirement. Providers have "regulatory permission" to use or disclose health information for treatment, payment, and health care operations activities. Providers that choose to obtain consent have complete discretion in the process.
- Requires that providers make a "good-faith effort" to distribute their Notice of Privacy Practice to patients and obtain written acknowledgment that they received it. Providers should distribute the notice no later than the date of the first service delivery. The acknowledgement must be in writing, and pharmacists are allowed to have patients sign or initial an acknowledgement in a logbook. However, the patient must be informed on the logbook of what they are acknowledging, and the acknowledgement cannot also be used as a waiver for something else, such as a waiver to consultation with a pharmacist.
If a provider cannot obtain written acknowledgement (such as in an emergency or when a patient refuses), the provider must document efforts to obtain it. The regulation also encourages providers to use a "layered" notice, which means a short notice briefly summarizing the patient’s rights that is attached to the full notice containing all of the elements required by the rule.
- Requires providers to obtain authorization for use and disclosure for marketing activities. Marketing involves making a "communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." For example, it would be considered marketing for a pharmaceutical manufacturer to offer a pharmacy payment for a list of patients with a particular condition so it can make a communication to them about its drug product. This kind of activity would require the patient’s authorization.
Marketing does not include face-to-face encounters, communications involving a promotional gift of nominal value, or communications with patients involving treatment, the services of the provider, or case management or care coordination for the patient. Refill reminders, even if subsidized by a third party, are not considered marketing. Providers also may make communications about general health issues as long as they do not promote a specific product or service.
- Creates an additional exemption for any uses or disclosures for which the provider has obtained an authorization.
- Allows providers to disclose health information for treatment, payment, and certain health care operation purposes of another entity.
- Acknowledges that incidental uses or disclosures may occur in conjunction with lawful use or disclosure of health information. Incidental uses and disclosures are not considered a violation of the regulation as long as the provider has applied reasonable safeguards and implemented the "minimum necessary" standard. For example, providers must take reasonable efforts not to be overheard discussing patient health information, but they do not need to build a soundproof counseling area.
Authorization formats standardized
- Requires providers to obtain authorization for use and disclosure outside of treatment, payment, and health care operations. Providers, however, are no longer required to use different types of authorization forms. The core requirements for authorization forms are standardized into one format.
- Clarifies that providers may disclose health information without an authorization to a person subject to FDA jurisdiction for the purpose of: collecting or reporting adverse events, tracking FDA-regulated products, enabling product recalls, or conducting post-marketing surveillance.
- Requires providers, upon request, to provide a record of uses and disclosures not related to treatment, payment, or health care operations or not covered by a patient authorization. The regulation provides exceptions for incidental disclosures and disclosures made as part of a limited data set.
- Gives providers an additional year to revise existing contracts with business associates (until April 14, 2004). This extension only applies to existing business contracts. New business associate contracts, as well as existing contracts that must be renewed prior to April 14, 2003, must comply with the original deadline of April 14, 2003. The regulation includes sample business associate contract provisions. It also clarifies that covered providers are not required to monitor the actions of their business associates. However, if a covered provider is aware of a violation of the business associate contract, the provider must take steps to end the violation.
- Eliminates the need for researchers to use multiple consent forms; they may use one form to secure consent for research activities and authorization to use or disclose health information. This provision more closely follows requirements found in the "common rule" that governs federally funded research. The transition provisions have also been expanded to prevent needless interruption of ongoing research.
Most hospitals have until April 14, 2003, to comply with the patient privacy rule; certain small health plans have until April 14, 2004, to comply.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.