Federal Government Proposes Modifications to Final Privacy Rules

By Michael Gaba & Tracy Cole Turner

The Department of Health and Human Services Secretary, Tommy Thompson, announced on March 21, 2002, several proposed common-sense revisions to the HIPAA privacy rules. The privacy rules affect a variety of entities, including health care providers, health insurance issuers and employers with self-funded health plans. Secretary Thompson stated, "The President believes strongly in the need for federal protections to ensure patient privacy, and the changes we are proposing today will allow us to deliver strong protections for personal medical information while improving access to care." HHS reviewed more than 52,000 public comments since proposing the federal privacy standards in 1999 and more than 11,000 more since March 2001 when Secretary Thompson requested additional public input on the rule. The proposed changes were published in the Federal Register on March 27, 2002, with a 30-day comment period, before issuing a final rule.

The proposed changes would accomplish the following:

• remove the consent requirements for treatment, payment and health care operations that could interfere with access to care, and allow patients to acknowledge the privacy notice and health care providers to treat patients even if they do not sign the acknowledgement form
• permit doctors to consult about a patient's treatment with other health care providers without fear that their conversations, if overheard, would be in violation of the privacy rules
• provide that state law governs parental access to their children's medical records, and where state law does not address disclosure to parents, the revisions allow a health care provider to use discretion to provide or deny parental access to the records as long as the decision is consistent with governing law
• allow a single, combined consent form to allow researchers to obtain informed consent for the research and give information regarding privacy rights
• provide a sample business associate contract provision and allow covered entities up to a year to change existing contracts to include required business associate language
• allow the use of a single-type authorization form to obtain a patient's permission for a specific use or disclosure not otherwise permitted under the privacy rule
• clarify that protected health information does not include employment records, and clarify that a group health plan does not have to amend its health plan documents in order to disclose enrollment or disenrollment information to a plan sponsor

Click here to obtain a detailed summary of the proposed changes and other important information on HIPAA.