Washington Watch

Privacy of Medical Information: Regulatory Changes are on the Way

by James L. Thorne, Esq.

Introduction
Presidential administrations and lawmakers have struggled for years over how much control patients should have over their medical records and the ability of others to access these records in an increasingly electronic age. Finally, Congress recognized the need for national, patient record privacy standards in 1996 when it enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to the Department of Health and Human Services, HIPAA included provisions designed to save money for health care businesses by encouraging electronic transactions, but it also required new safeguards to protect the security and confidentiality of that information. HIPPA also gave Congress until August 21, 1999, to pass comprehensive health privacy legislation. However, when Congress did not enact such legislation, other HIPPA provisions required the Department of Health and Human Services (HHS) to enact privacy regulations.

When Congress did not act by August 21, 1999, the then Clinton Administration wrote the required privacy regulations and issued them in December 2000. Among others, the regulations required patients to give written permission before their records may be disclosed to doctors, hospitals, pharmacies and insurance companies. After President Bush was elected, his new administration (and industries opposed to the regulations issued by the Clinton administration) moved quickly to postpone the effective date of the Clinton regulations and to solicit additional public comments on them.

Recently (on March 21, 2002), the Bush Administration announced its proposed changes to the privacy regulations issued by the Clinton Administration in December 2000. In part, the proposed Bush Administration changes state that patients must be notified of their privacy rights at some point (but not necessarily before) by those who use their records.

Privacy advocates and the American Medical Association quickly criticized the proposed Bush changes. Insurance companies have, predictably, hailed the new changes while contending that President Bush should go further to ease regulatory costs.

The proposed changes will be published in the March 27, 2002 edition of the Federal Register. The publication will provide a 30-day public comment period before HHS issues its final rule. Most of the existing regulations took effect on April 14, 2001 and covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (electronic billing and funds transfers) electronically. Most covered entities must comply with the privacy rule by April 14, 2003 although small health plans have until April 14, 2004 to comply with the rule.

AAEM members should be aware of the following, proposed major changes.

The Bush Administration’s Proposed Medical Information Privacy Changes

• Consent and Notice
According to the Bush Administration, removal of the Clinton Administration’s prior consent requirements will “promote access to care” and eliminate interference with the delivery of certain health care. For example, pharmacists were, apparently, concerned that the prior consent requirement would interfere with their ability to fill prescriptions. In addition, according to the administration, prior consent would interfere with referrals to specialists and hospitals, the provision of treatment over the telephone, and emergency medical providers although the released information, at the time of this writing, does not indicate why this is true. It is important to point out that the Bush proposed change to consent only applies only to uses and disclosures for treatment, payment and health care operations (TPO) purposes. Patient authorizations, according to the released HHS Fact Sheet, are still required to use and disclose information for non-TPO purposes.

• Minimum Necessary and Oral Communications
The “minimum necessary” provisions in the current (Clinton) rules require “covered entities” to make reasonable efforts to limit the use, disclosure, and request for protected health information to the minimum necessary to accomplish the intended purpose. Again, “covered entities” are health plans, health care clearinghouses, and health care providers who utilize electronic billing and funds transfers.

The Bush proposal will retain the current oral communications and minimum necessary requirements but it will “make clear that a doctor could discuss a patients’ treatment with other doctors and professionals involved in the patient’s care without fear of violating the rule if they are overheard.” As long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information, incidental disclosures—such as another patient overhearing the discussion—would not be subject to penalties. However, improper disclosures would still violate the rule.

• Business Associates
In today’s health care system, many health care providers and health plans rely on a variety of contractors and other businesses to assist them in carrying out their health care activities and functions. Further, the current privacy protection rules require covered entities to have contracts with their business associates to ensure the “business associates” protect the privacy of information.

The Bush proposal will include model business associate contract provisions to make it easier and less costly for covered entities to implement these requirements. The proposed changes will also give covered entities (except for small health plans) up to an additional year to change existing contracts, in order to ease the burden of renegotiating contracts all at once.

• Health-Related Marketing
Under the current privacy rules, “marketing” is “a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” Further, a covered entity is not “marketing, ” for example, when it:

1. Describes the participating providers or plans in a network. For example, a health plan is not marketing when it tells its enrollees about which doctors and hospitals are preferred providers or which are included in its network, or

2. Describes the services offered by a provider or the benefits covered by a health plan.

Yet, according to the administration, the current rule does not protect individuals’ privacy. Therefore, the Bush-proposed changes will require covered entities to first obtain the individuals specific authorization before sending them any marketing materials. At the same time, the Bush proposal will permit doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

• Parents and Minors
The current privacy rules address access to health information they do not address consent to treatment. A parent is generally a “personal representative” of his or her minor child and has the right to obtain access to health information about his or her minor child. Currently, there are two general exceptions in which a parent might not be the “personal representative” with respect to certain health information about a minor child:

1. When the parent agrees that the minor and the health care provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement, and

2. When the provider reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child, the provider is permitted not to treat the parent as the child’s personal representative with respect to health information.

According to the Bush Administration, the current rule may have unintentionally limited a parent’s access to their child’s medical records. The pending proposal will “clarify” that state law governs disclosures to parents. Further, in cases where state law is silent or unclear, the provisions will seek to preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records, as long as that decision is consistent with state or other law.

• The Uses and Disclosures of Medical Information for Research Purposes
The current privacy rules establish the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. A covered entity may always use or disclose for research purposes health information which has been de-identified. To use or disclose PHI without authorization by the research participant, a covered entity must obtain:

1. Documentation that an alteration or waiver of the research participants’ authorization for use/disclosure of information about them for research purposes has been approved by an Institutional Review Board or a Privacy Board, or

2. Representations from the researcher, written or orally, that the use of disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and representation that PHI for which access is sought is necessary for the research purpose, or

3. Representations from the researcher, written or orally, that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.

The Bush Administration’s proposal will eliminate the current need for researchers to use multiple consent forms—one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form, according to available HHS information, to accomplish both purposes.

• HHS’ Request for Comments on an Alternative Approach to De-Identification
In addition, after the new Bush Administration extended the rule comment period in early 2001, it received comments from the research community on the need for an alternative approach to de-identification. The Administration continues to believe that identifiable information should continue to have strong protections. However, HHS is seeking comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain.

• Uses and Disclosures for which Authorization are Required
In limited circumstances, the existing final rule permits covered entities to continue certain existing disclosures of information without a patient’s individual authorization. These permitted disclosures include:
Emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security.

The proposed Bush Administration changes would allow the use of a single type of authorization form to get a patient’s permission for a specific use or disclosure that otherwise would not be permitted. Patients would still need to grant permission in advance for each type of use or disclosure, but the proposal would eliminate the need for covered entities to use different types of forms to obtain that advanced permission.

Conclusion
There are, indeed, additional changes contained in the Bush Administration’s proposed changes to the Clinton privacy rules. However, the changes stated above are perceived to be the major changes and they have been greeted on Capitol Hill with varying reactions.

Senator Kennedy, for one, is fundamentally against the proposed changes and his voice counts more than others. As you may recall, Senator Kennedy is Chairman of the Senate Health, Education, Labor & Pensions Committee. Although not scheduled at the time of this writing, he will hold hearings on the proposed Bush Administration changes after the Senate reconvenes following the Congressional Easter holiday. The Bush Administration’s Medical Information Privacy changes are the next health care issue to be focused on in any great detail by the Congress. AAEM members can count on health care information privacy hearings to begin by mid-April 2002.

Congressional members may not be able to stop the proposed Bush Administration’s privacy rules changes but they will make their opposition known. As so often the case in Washington, the administration’s “price” to be paid for these changes may well be the “loss” of another program.

Again, the administration’s proposed changes are scheduled to appear in the March 27, 2002 Federal Register. We need to read the fine print and AAEM may choose to file comments before the 30-day comment period expires.