HHS amends HIPAA privacy rule

The U.S. Department of Health and Human Services (HHS) has announced final changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. For the most part, the changes follow proposed amendments announced by Bush administration officials in March, including a relaxation of the much-criticized consent-and-notice provision.

Consent and notice

In modifying this provision, HHS said it has strengthened the notice requirement and made consent optional for routine healthcare delivery purposes -- treatment, payment, and healthcare operations. The rule requires covered entities to provide patients with notice of their privacy rights and the privacy practices of the covered entity, and make a good-faith effort to obtain written acknowledgement from patients.

HHS said it removed previous mandatory consent requirements because they would inhibit patient access to healthcare. Entities retain the option of developing a consent process that works for the entity, and may continue consent requirements already in place, according to the rule.

Of import to radiology, this change eliminates the need to obtain written consent from patients prior to sending their images via teleradiology, said Herman Oosterwijk, president of healthcare technology consulting group OTech.

Marketing

In changes related to marketing, the final rule requires covered entities to obtain written authorization to use an individual's health information for marketing purposes, except for a face-to-face encounter or a communication involving a promotional gift of nominal value.

A covered entity is prohibited from selling lists of patients and enrollees to third parties for the third party's marketing activities without individual authorization. The rule also clarifies that when doctors and other covered entities communicate with patients about treatment options or the entity's own health-related products and services, those communications are not considered marketing.

Incidental use and disclosure

In this final rule, HHS has acknowledged that uses or disclosures incidental to an otherwise permitted use or disclosure may occur. Such incidental uses and disclosures are not a violation, provided that the covered entity has met reasonable safeguards and minimum necessary requirements, according to the rule.

For example, doctors' offices may use waiting room sign-in sheets and hospitals may keep patient charts at bedside. In other examples, doctors could talk to patients in semi-private rooms, and doctors can confer at nurses' stations without fear of violating the rule if overheard by a passerby.

Authorization

HHS has clarified authorization requirements by, among other things, eliminating separate authorization requirements for covered entities. While patients will have to grant permission in advance for each type of nonroutine use or disclosure, providers will not have to use different types of forms. HHS said it also consolidated and streamlined core elements and notification requirements.

Minimum necessary

The final rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. Previously, the rule had exempted only certain types of authorizations from this requirement.

Uses and disclosure regarding FDA-regulated products and activities

This rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the Food and Drug Administration. These disclosures could be made for public-health purposes related to the quality, safety, or effectiveness of FDA-regulated products or activities, such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products, according to the rule.

Parents and minors

The final rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the privacy rule provides parents with new rights to control the health information about their minor children, with limited exceptions based on state or other applicable law and professional practice, according to the rule.

In special cases in which minors control their own health information by law and that law does not define the parent's ability to access the child's health information, a licensed healthcare provider continues to be able to exercise discretion to grant or deny such access, as long as that decision is consistent with state or other applicable law, according to HHS.

Business associates

HHS is giving covered entities, except for small health plans, up to an additional year to change existing written contracts to comply with the business-associate requirements. The department said the additional time will ease the burden of renegotiating contracts all at once. HHS has also provided sample business-associate contract provisions.

Research

In this final rule, HHS has facilitated researchers' use of a single combined form to obtain informed consent for research and authorization to use or disclose protected health information for such research.

In addition, the final rule clarifies the requirements relating to researchers obtaining an Institutional Review Board (IRB) or Privacy Board waiver of authorization. Transition provisions have been expanded to prevent needless interruptions of ongoing research, according to HHS.

Limited data set

A limited data set that does not include directly identifiable information can now be created and disseminated for research, public health, and healthcare operations. Disclosure of the limited data set is conditioned on a covered entity and recipient entering into a data-use agreement. In this agreement, the recipient would agree to limit the use of the data set to the purposes for which it was given, ensure the security of the data, and agree not to identify the information or use it to contact any individual, according to the rule.

Other new provisions deal with:

  • Hybrid entities.

  • Healthcare operations -- changes in legal ownership.

  • Group health plan disclosures of enrollment and disenrollment information.

  • Accounting of disclosures.

  • Disclosure for treatment, payment, or healthcare operations of another entity.

  • Protected health information: exclusion for employment records.

The final regulations will be published in the Federal Register on August 14. Most covered entities must comply with the Privacy Rule by April 14, 2003, although small health plans have until April 14, 2004 to comply. For more information, visit the HHS Office of Civil Rights Web site at http://www.hhs.gov/ocr/hipaa.

By Erik L. Ridley
AuntMinnie.com staff writer
August 13, 2002

Copyright © 2002 AuntMinnie.com