The Health Insurance Portability and Accountability Act (HIPAA) contains administrative simplification provisions that are designed to encourage health care providers and health plans to process health claims and payments (and to perform other administrative functions) electronically, using standard transactions and uniform code sets. The theory is that uniformity and electronic processing will reduce the administrative costs associated with health care, and the savings can be used for health care services, rather than administration. The administrative simplification provisions call for the use of unique health identifiers for employers, health plans, and health care providers; adoption of transaction standards and uniform code sets; and improved privacy and security protection for health information. Over the next year, TOPICS will include a regular column on HIPAA administrative simplification to help providers and health plans prepare for compliance.
A. Proposed Revisions to Privacy Standards
The HIPAA Administrative Simplification privacy standards were published in December 2000, and compliance is required by April 14, 2003 (except for health plans with $5 million or less in annual receipts, which have an additional year).
However, as soon as the privacy regulations were issued, there were complaints. Many health care providers, health plans and clearinghouses (referred to collectively as Covered Entities) considered the privacy standards too burdensome. On the other hand, many privacy advocates considered the privacy standards too narrow, and objected to the many provisions that allow use or disclosure of health information without a patient’s consent or authorization.
In an effort to respond to some of the complaints, the Department of Health and Human Services (HHS) recently issued a proposal to revise the privacy standards. The proposed revisions would affect health care providers significantly, but would have relatively little effect on health plans and clearinghouses.
B. Patient Consent
One of the major changes proposed would do away with the requirement that providers obtain a patient’s signed consent before using or disclosing information for treatment, payment or health care operations. The proposed change is intended to respond to the concerns of some providers that they could not obtain a signed consent before using or disclosing health information without significant inconvenience to patients or possible delays in the delivery of health care.
For example, pharmacists complained that the consent requirement would mean that a physician’s office could not phone in a prescription if the pharmacy did not have a signed consent from the patient already on file. Similarly, specialists and hospitals complained that they could not set up appointments for new referral patients or for pre-admission procedures before obtaining a signed consent.
Under the proposed change, a provider would not have to obtain the patient’s consent to use or disclose health information for treatment, payment or health care operations. Instead, the provider would have to give the patient the provider’s Notice of Privacy Practices when it first renders service (which the existing standards already require), and the provider would be required to make a good faith effort to obtain the patient’s signed acknowledgement of receipt of the Notice. If the provider could not obtain a signed acknowledgement, the provider would be required to document its efforts to obtain it, and the reason why it could not be obtained.
The proposed change would allow a pharmacist to receive health care information from a physician to fill a prescription, and would allow a specialist or hospital to schedule appointments, so long as the provider made a good faith effort to obtain the patient’s signed acknowledgement of receipt of the Notice of Privacy Practices when the patient picked up the prescription or appeared for the appointment.
C. Disclosure of the Minimum Necessary
In another important proposed change, HHS has attempted to clarify and ease the requirement that a Covered Entity disclose only the minimum information necessary to fulfill the purpose for which the disclosure is made.
Many providers complained that the “minimum necessary” requirement would bar the use of sign-in sheets, the placement of x-ray light boxes or computer monitors in areas that are not entirely enclosed, and the maintenance of patient charts at bedside. Providers also complained that the minimum necessary requirement might prevent oral communication between providers or between provider and patient, if there were a chance of being overheard.
Under the proposed change, a disclosure that is incidental to an otherwise permitted disclosure would not violate the minimum necessary requirement so long as the Covered Entity takes reasonable steps to safeguard health information and to limit incidental disclosures.
In the introduction to the proposed changes, HHS defined an “incidental” disclosure as one that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted disclosure. HHS uses the example of a sign-in sheet in a waiting room, which apparently would not violate the minimum necessary requirement, but a sign-in sheet that asks for a patient’s health history would not be permissible.
D. Business Associate Agreements
The existing privacy standards require Covered Entities to enter into “business associate agreements” with entities that perform services for them, if health information is disclosed to the business associates. The standards also list a number of elements that must be included in business associate agreements. To make the process of drafting such agreements easier, the notice of the proposed changes includes a model business associate agreement, which could be customized for specific needs.
In addition, under the proposed changes, the requirement that all business associate agreements be in place by April 14, 2003 would be eliminated. Instead, a Covered Entity could put off entering into such agreements until April 14, 2004, so long as the existing agreement between the Covered Entity and the business associate is not otherwise modified or renewed before then.
E. Next Steps
HHS has promised quick action on the proposed changes, but some of the proposals have been the subject of a new round of complaints and objections.
While awaiting the final word on the proposed changes, Covered Entities should remember that the proposed changes affect very few of the privacy standards, and the Bush administration has repeatedly emphasized that it has no intention of extending the privacy compliance date. Any Covered Entity that has not yet started down the long road to HIPAA Administrative Simplification compliance should not assume that it will be able to achieve compliance quickly, and should not use the proposed changes as an excuse for further delay.