The HIPAA rules change once more

March 19, 2001

The new regulations try to enhance patient protection while minimizing physician hassle. Brace yourself for even more changes.


Special Report

By Wayne J. Guglielmo, Senior Editor

Privacy is once again in the news. In December, former President Clinton announced his administration's long-awaited rules governing medical privacy. The new rules, scheduled to take effect for doctors, hospitals, and larger HMOs in February 2003, differ significantly from the ones the Department of Health and Human Services proposed in October 1999.*

The biggest shift is that the final regulations apply to all of a patient's health information, including purely paper records and oral communications. The proposed rules covered only electronic data or data that had once been in electronic form but had been converted to a paper record.

Reaction to the final rules was mixed. Many consumer groups applauded HHS for extending the scope of the rules, as well as for creating other patient protections. But critics like the American Association of Health Plans said the protections would burden insurers and doctors. "Even routine communications may be subject to patients' written authorization," the AAHP complained. Some critics have taken their concerns to the new Bush administration, which has decided to delay the Feb. 26 effective date of the new regulations to allow for another round of public comments.

For doctors, two questions are important: Which of the final rules are most crucial for you to know? And, if the "final" rules turn out to be less than final, where are the biggest changes likely to come?

Big changes catch some groups off guard

Among HHS' proposed rules that drew the most fire was the one restricting protections to electronic data only. Critics argued that this approach would severely hinder the rules' effectiveness. The final rules more than fill that gap by extending coverage to all communication.

That caught some off guard. "Throwing in oral communications was especially surprising," says Kristin Stewart of AAHP. "There's the practical issue of how that would work." AAHP has suggested that under the newly expanded rules physicians may find it harder to conduct routine consultations with colleagues.

HHS could offer additional guidance when it spells out how the privacy rules should be implemented. For example, what reasonable measures would a doctor be expected to adopt in consulting with a colleague over a cell phone?

Extending protections beyond electronically transmitted data isn't necessarily bad news for physicians. "It probably wasn't realistic for medical groups to set up separate standards for paper and electronic data anyway," says Reece Hirsch, a partner in the San Francisco law office of Davis Wright Tremaine and co-chair of the firm's E-Health Law Practice Group.

Another big change in the final rules—one applauded by consumer groups—requires physicians and others to obtain patients' written consent before disclosing protected data for the purposes of treatment, payment, or, in the case of HMOs, general administrative operations. In the proposed regulations, no consent was required for these so-called routine uses.

Physicians will be able to obtain a one-time consent to their written privacy policies and practices—which must be spelled out in clear, everyday language—prior to treatment. Nothing in the final rules prevents physicians from making the signing of such a consent a condition of treatment.

It's this last provision that troubles patients' rights groups. Patients should have the right to revoke their blanket consent without loss of treatment if a physician has violated his own policies, says Betsy Mahoney of the National Coalition for Patient Rights, based in Andover, MA.

As before, physicians must obtain separate authorizations for nonroutine disclosures of patient data, such as the release of health information to a financial institution—a mortgage bank, for instance. Generally, authorizations for nonroutine disclosure of patient data cannot be made a condition of treatment. Patients also have the right to restrict how their protected data can be used.

Revised language means fewer hassles for doctors

Other changes in the HHS privacy rules will directly affect doctors and their practices.

The proposed rules required a physician sharing data with another doctor or a health plan to disclose as little information as possible. That fuzzy standard invited error, declared the leading associations of medical groups, among others. The final rules drop the standard, but only for the purpose of treatment, such as referring a patient to a colleague.

Also missing from the new rules are two other provisions that doctor-related groups had criticized.

One is the proposed rule that would have punished physicians who failed to monitor their contracted business partners—a billing company, for example—for HIPAA compliance. Under the final rules, only doctors who are aware of violations of their privacy policies by a "business associate" and do nothing to fix or report those violations run the risk of prosecution.

The final rules also dispense with a required "third-party-beneficiary clause" in contracts between business partners. This clause would have given patients whose privacy had been violated the right to sue either or both parties to the contract. Consumer and patients' rights groups have objected to the rescission, but it's unlikely the Bush administration will tamper with this provision.

*See "Get ready for the new privacy rules," Dec. 18, 2000.

Easy steps practices can still take now

What should doctors do now to get ready for the new privacy rules? Much of what we advised in our previous report ("Get ready for the new privacy rules," Dec. 18, 2000) still applies:

  • Designate a security officer.

  • Evaluate existing safeguards.

  • Begin employee training.

  • Confirm the security of your server.

Also, it wouldn't hurt to check out vendor security, even though the new rules relax the monitoring requirement of business associates. If the associate is another physician, for instance, you'll be required to comply with that doctor's privacy policies as well as with your own.

Taking these easy compliance steps now, says health attorney Reece Hirsch, makes sense for most physician practices for a couple of reasons. First, large health plans that face their own formidable privacy-rule challenges may threaten to drop non-HIPAA-compliant doctors from their networks. Second, says Hirsch, protecting the privacy of proliferating medical data is simply a good "risk management strategy" that every medical group should adopt.


Wayne Guglielmo. The HIPAA rules change once more. Medical Economics 2001;6:37.