A Holiday Gift From Health And Human Services: Final HIPAA Privacy Regulations Contain Significant Changes

In a closely watched development, the Department of Health and Human Services ("DHHS") issued final privacy regulations for individually identifiable health information on Wednesday, December 20, 2000. More than 100 pages in length and accompanied by more than 1,400 pages of commentary, the regulations impose a massive and complex burden on providers, health plans and clearinghouses, as well as on their business associates.

The regulations were issued pursuant to the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). DHHS had published a proposed privacy rule in November 1999 and received more than 50,000 comments in response. Based on those comments, DHHS made significant changes to the proposed rule. Compliance with the final regulations will be required beginning in February 2003, although small health plans will have an additional year to comply.

Highlights Of The Final Regulations

The most significant change is that the regulations now extend to all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has ever been in electronic form. This includes purely paper records and oral communications. In contrast, the proposed rule covered only information that had at some point existed in electronic form. The difficulty of tracking which information had and had not been electronic had convinced many observers that the distinction drawn in the proposed rule was unworkable, but there are concerns that HIPAA may not authorize this expansion of the regulations' coverage.

Business partner agreements (now called business associate contracts) need no longer give patients direct rights over health information in the hands of a covered entity's business associate. In addition, the final regulations drop a hotly debated requirement of the proposed rule that business associate contracts declare patients to be "third-party beneficiaries" of the contract.

The final regulations clarify that covered entities are not required to actively monitor business associates for compliance with their contracts, although they must take action if they know of practices that violate the agreement. The regulations also clarify that physicians on hospital medical staffs are not, by virtue of their staff membership, business associates of the hospital.

The final regulations introduce the concept of an "organized health care arrangement," which is a clinically integrated setting in which patients receive care from more than one provider, or an organized system of health care, or a combination of group health plans, or of group health plans and insurers. Participants in an organized health care arrangement are permitted to use and disclose information for the health care operations of the arrangement, just as they are for their own health care operations. Participation in an organized health care arrangement does not, in and of itself, make the participants business associates of one another.

Subject to limited exceptions, providers and other covered entities will need to obtain a patient's "consent" before using or disclosing the patient's health information for treatment, payment and the entity's own health care operations. This is a significant shift from the proposed rule, which would have permitted such uses and disclosures without the patient's authorization.

Providers will be pleased to know that the regulations permit them to use limited patient information, without patient authorization, in connection with their fundraising activities, including fundraising by related foundations.

The final regulations retain the "minimum necessary" standard first set forth in the proposed rule, under which a use or disclosure of protected health information, even where permitted by the regulations, must be limited to the "minimum necessary" to accomplish the purpose for which it is made. However, under the final regulations, a covered entity responding to a request from another covered entity need not make this determination itself. Instead, the final rule requires the covered entity requesting protected health information from another covered entity to limit its request to what is reasonably necessary to accomplish the purpose of the request.

The final...
