BY MALCOLM H. MORRISON, PhD The April 14 deadline is approaching for complying with the HIPAA privacy rules. The privacy rules safeguard the use and disclosure of individually identifiable health information, and place certain requirements on "covered entities" that use or disclose "protected health information" (PHI). Now is a good time to make sure that you are clear about HIPAA's terminology and the requirements it places on providers.
HIPAA covered entities are defined as health plans and healthcare providers involved in certain electronic transactions and healthcare clearinghouses. The general HIPAA Privacy Rule states that covered entities may not use or disclose PHI except as authorized by the individual described by the information or as explicitly required or permitted by regulation. When the use or disclosure of PHI is permitted, usually only the minimum necessary PHI needed to accomplish the intended purpose may be provided.
Individually identifiable health information is information created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school, university, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual, the healthcare provided to that individual, or past, present, or future reimbursement for that healthcare. Specific identifiers, pertaining not only to the individual but to relatives, employers, or household members, include: name, address, any date identifiable to the individual (e.g., birth date, treatment date, discharge date), Social Security number, medical record number, health plan benefit number, telephone or fax number, account number, vehicle identification or license plate number, e-mail address, and any other individually identifying number, characteristic, or code.
As alluded to earlier, some disclosure is permitted. Health plans may use or disclose PHI for treatment, reimbursement, or healthcare operations without the individual's consent or authorization. These exceptions are broadly defined but, as with all the material in this article, the provider should check with a HIPAA-conversant attorney about the full meaning of these terms.
Individuals have certain rights under the privacy rules with regard to their own PHI. An individual can request access to and obtain copies of his or her PHI, request that the provider amend his or her PHI, request an accounting of disclosures of his or her PHI or, within limits, restrict the use and disclosure of his or her PHI. In addition, the provider must adopt and document policies and procedures with respect to individual rights under the HIPAA privacy rules.
The final Privacy Rule issued late last year (2002) made several important modifications to the original. Specifically, it:
- eliminates the requirement that providers obtain consent for treatment, payment, or healthcare operations; rather, providers will need to make a good-faith effort to obtain a patient's written acknowledgment of receipt of the provider's notice of privacy practices (assuming, of course, that the provider has created such a notice). If an acknowledgment cannot be obtained, the provider must document its good-faith efforts to obtain the acknowledgment and the reasons it was not obtained. The rule does not prescribe the form of the written acknowledgment, and the preamble to the rule suggests that the requirement may be satisfied by requiring a patient to initial the notice, sign a list, or complete a separate document. The preamble also suggests that covered entities may use a "layered notice" composed of a short summary of the individual's rights with a longer notice underneath that contains all the elements required by the Privacy Rule. Legal assistance is recommended;
- permits incidental uses and disclosures of PHI subject to certain conditions (check with your attorney);
- requires a signed authorization before using a patient's PHI in a "marketing communication" (and the definition of "marketing" includes significant exceptions);
- streamlines the authorization requirements;
- simplifies the requirements for a waiver of authorization to use PHI for research and makes them more consistent with the "Common Rule" that applies to many federally funded research programs; and
- allows use and disclosure of limited data sets for research, public health, or healthcare operations without patient authorization if certain requirements are met.
Under the rule, covered entities will still be required to obtain an individual's authorization for uses and disclosures of PHI. The rule requires this authorization to include the following core elements:
- a description of the PHI to be used or disclosed;
- an identification of the persons or class of persons authorized to request the disclosure;
- a description of each purpose of the requested use or disclosure;
- an expiration date or event related to the disclosure;
- the signature of the individual or the individual's authorized personal representative, and date; and
- if signed by a personal representative, a description of the representative's authority to act for the individual.
In addition to these core elements, the authorization must contain the following notification statements and must be written in plain language: