Page 2: Privacy rule guidance on guardians, research, marketing, and the long arm of the law

In general, since parents control the healthcare of their children, the privacy rule considers that the parents control access to their PHI.

Yet there are several exceptions, Guilfoy said, such as when state law allows a minor to obtain healthcare without parental consent, a court orders healthcare control to be removed from the parent, the parent agrees to a confidential relationship, or the healthcare professional determines that the child is or could be abused as a result of information disclosure to the parent.

However, if a provider believes the child may be endangered, yet the state requires disclosure to the parent, then disclosure is allowed, she said.

The guidance document clarifies the definition of marketing, and the purposes for which PHI may be used without authorization. While prior authorization is generally required for marketing services to patients based on PHI, the rule cuts a wide swath of exceptions, she said.

For example, descriptions of network providers, plans, services, and benefits are not considered marketing. Covered entities may use PHI to outline treatment, recommend medications, send reminders of appointments, and recommend health promotion activities. Likewise, services recommended in in-person meetings with patients do not require authorization. And except in Texas, a firm may conduct a single marketing effort without patient authorization, as long as the patient can "opt out" of further contact, she said.

Expressly prohibited are the sale of PHI to third parties, and the disclosure of PHI for independent marketing efforts.

According to the guidance document, patient authorization is not needed for research if the researcher has received a waiver from an institutional review board or privacy board, or if the researcher states that PHI will not be removed from the covered entity, and that the information is necessary for the research.

Special rules apply to research on decedents: The researcher must state that the PHI of the subjects is being used solely for research, that it is necessary for the research, and that the researcher will provide documentation of death if requested, she said.

In addition, the right to individual access to health records is suspended while the clinical trial is in progress, Guilfoy said.

"When you think about it, blind studies would not be possible if participants were allowed to see their records during the study; that's why this exception is there."

The only new authority granted to the government is the right to examine PHI in an effort to find disclosure violations, Guilfoy said. Except when state law requires disclosure, the privacy rules requires covered entities to use their "professional judgment" to decide what to disclose.

Disclosures to consumer reporting agencies are limited to name, date of birth, Social Security number and account numbers, payment history, names and addresses. The disclosures must be governed with a business associate agreement, consent if necessary, and the "minimum necessary" requirement applies, she said.

Police departments have close working relationships with emergency rooms, and the privacy rule tries not to interfere with those ties, Guilfoy said. However, victims of suspected domestic violence have special rights, and patient authorization must be obtained before such information can be disclosed even to the police, she said.

A few items remain unanswered in the guidance document. Future clarifications are expected regarding:

• Whether a pharmacist may fill a prescription without a consent on file.
• Whether a direct treatment provider can use PHI to make appointments before seeing a patient for the first time and obtaining a consent.
• The application of the minimum necessary standard in treatment settings.
• Whether sign-in sheets are permissible.
• Whether calling out patients' names in waiting rooms, as well as other oral communications, are permissible, Guilfoy said.