Providers rework privacy plans for final HIPAA rule
Most ‘excited’ to have process complete
Around half of the privacy policies Houston-based consulting firm Healthlink Inc. had helped health care providers develop will have to be modified as a result of changes in the final Health Insurance Portability and Accountability Act (HIPAA) privacy rule, says Mary Staley, MBA, PT, the firm’s vice president of HIPAA operations.
But the organizations were "excited overall" to have the final provisions in place, she adds. "They’ve been spending their time and resources in a holding pattern, and most are just happy to get the rule published and to make the changes."
Modifications will range from full revisions of plans to changes in definitions, she notes. Issues addressed will include when to disclose patient information and the identification of what is and what is not marketing, Staley says.
"A number of our clients had completed the writing of their policies and procedures — not the training — and we are having to go back and re-evaluate each document," she says.
Most health care organizations are opting out of the written consent requirement for patient information disclosure, as the final rule allows, Staley notes, and going with a more stringent privacy notice policy. In the original rule, providers simply had to give patients the information about their privacy rights, she explains, while in the final rule, "providers have to give it to them and have them sign that they received it."
The final rule allows providers to "either go with [the written] consent requirement for disclosure [of health care information] or [the more stringent] privacy practice," Staley says. The rule’s "good-faith" provision takes into account the fact that hospitals may not be able to get signatures when, for example, a patient is comatose when he or she arrives at the hospital, she notes.
Along the same line, the final rule acknowledges that incidental disclosure of protected information will continue to occur, regardless of compliance with the rule, and is permitted, Staley says.
Such incidental disclosures might occur, for example, when a person overhears an access employee talking about a patient on the phone with a nurse, she adds, or when bits of conversation with a patient drift over to the next registration booth. Hospitals must make "reasonable efforts" to prevent such occurrences, she says.
Hospitals have until April 14, 2003, to comply with the patient privacy rule. Here is a brief look at the various aspects of the final rule, drawn from an executive brief put together by Healthlink personnel and a statement from the Chicago-based American Hospital Association:
• Consent and notice.
Hospitals now are required to provide patients with notice of the patient’s privacy rights and privacy practices of the hospital and must make a "good-faith effort" to obtain the patient’s written acknowledgement of this notice. The acknowledgement must be in writing except in emergency situations, where the provider must document its efforts and the reason acknowledgement was not obtained. As expected, the final rule confirms that obtaining consent for treatment, payment, and health care operations now is optional.
• Disclosure for treatment, payment, and health care operations to another entity.
Hospitals can disclose personal health information for the treatment and payment activities of another health care provider without consent or authorization. Protected health information also may be disclosed to another covered entity for certain types of health care operations. Prior to the amendments, the regulations generally prohibited disclosure for use by the recipients for payment or other operational purposes.
• Authorization.
Patients must give specific authorization before a hospital or other entity covered by the regulation can use or disclose protected information in most nonroutine circumstances, such as releasing information to an employer or for marketing activities. Core provisions for authorizations are clarified to eliminate separate requirements for covered entities. One form may be used, but patients will have to grant permission in advance for each type of nonroutine use or disclosure.
• Minimum-necessary standard.
Any uses or disclosures pursuant to an authorization are exempted from the so-called "minimum-necessary" standard involving communications between medical providers regarding patient care. No changes were made to the fact that the minimum-necessary standard does not apply to treatment, but does apply to both payment and health care operations. Therefore, the intent to make covered entities evaluate their practices to limit unnecessary or inappropriate access to personal health information remains.
• Parents and minors.
In general, the final rule gives control of an unemancipated minor’s protected health information to the parent, guardian, or person acting in loco parentis as state law, or other applicable law, governs in the area of parents and minors. For example, state law governs where it has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent. In all cases, disclosure of a minor’s protected health information will be permitted or denied if necessary to avert serious or imminent threat to the health and safety of the minor.
[Editor’s note: More information about Healthlink is available at www.healthlinkinc.com or by calling (800) 223-8956.]