Privacy Rule Update - Changes Proposed

April 16, 2004

A fact sheet was released March 21 by the Office of Civil Rights on the modifications to the Privacy Rule. The modifications are scheduled to be published as a proposed rule in the Federal Register by March 27, 2002.

March 21, 2002

Standards for Privacy of Individually Identifiable Health Information - Proposed Rule Modification


The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule/current rule) took effect on April 14, 2001. As required by the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule. The Privacy Rule creates national standards to protect individuals' personal health information and gives patients increased access to their medical records. The Bush Administration is committed to strong patient privacy protections and continues to take steps to protect personal health information while maintaining access to quality health care. To ensure that the provisions of the final rule provide strong privacy protection without hindering access to health care, the Department of Health and Human Services is proposing modifications to the Privacy Rule.

Proposed Modifications

Consent and Notice - The proposal would promote access to care by removing the consent requirements that would potentially interfere with the efficient delivery of health care, while strengthening requirements for providers to notify patients about their privacy rights and practices. Specifically, the Department received comments that the consent requirements in the current rule interfere with pharmacists filling prescriptions, referrals to specialists and hospitals, providing treatment over the telephone, and emergency medical providers. Under the proposal, patients would be asked to acknowledge receipt of the notice of privacy rights and practices. This change would give patients the opportunity to consider a provider's privacy policies before making health care decisions, while eliminating barriers that could delay or block patients' access to care. This change to consent only applies to uses and disclosures for treatment, payment and health care operations (TPO) purposes. Patient authorizations are still required to use and disclose information for non-TPO purposes.

Minimum Necessary and Oral Communications - The "minimum necessary" provision is an essential element in the privacy protections for individual health information. This provision requires covered entities to make reasonable efforts to limit the use and disclosure of, and request for, protected health information to the minimum necessary to accomplish the intended purpose. The proposal would retain both the oral communication and "minimum necessary" requirements, but it would make clear that a doctor could discuss a patient's treatment with other doctors and professionals involved in the patient's care without fear of violating the rule if they are overheard. As long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information, incidental disclosures - such as another patient overhearing a fragment of conversation - would not be an impermissible disclosure.

Business Associates - The current rule requires covered entities - health plans, health care providers and clearinghouses - to have contracts with their business associates to ensure the business associates protect the privacy of the information. The proposal includes model business associate contract provisions, to make it easier and less costly for covered entities to implement the requirements. The changes also would give covered entities (except for small health plans) up to an additional year to change existing contracts, easing the burden of renegotiating contracts all at once.

Marketing - Based on consumer concerns that the marketing provisions in the current rule do not protect individuals' privacy, the proposal would explicitly require covered entities to first obtain the individual's specific authorization before sending them any marketing materials. At the same time, the proposal would permit doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

Parents and Minors - The current rule may have unintentionally limited a parent's access to their child's medical records. The proposal clarifies that state law governs disclosures to parents. In cases where state law is silent or unclear, the revisions would preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records as long as that decision is consistent with state or other law.

Uses and Disclosures for Research Purposes - The proposal would eliminate the need for researchers to use multiple consent forms - one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form to accomplish both purposes. The proposal would also simplify other provisions so that the existing rule more closely follows the requirements of the "Common Rule," which governs federally-funded research. The provisions include privacy-specific criteria and apply equally to publicly and privately funded research.

Request for Comments on an Alternative Approach to De-Identification - The Department received comments from the research community on the need for an alternative approach to de-identification. HHS shares these concerns but still believes identifiable information should have strong protections. Therefore, HHS is seeking comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain. In addition, to further protect privacy, the Department proposes to condition the disclosure of the limited data set on a covered entity's obtaining from the recipient a data use or similar agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given as well as not to re-identify the information or use it to contact any individual.

Uses and Disclosures for which Authorizations Are Required - The proposal would allow the use of a single type of authorization form to get a patient's permission for a specific use or disclosure that otherwise would not be permitted under the Privacy Rule. Patients would still need to grant permission in advance for each type of use or disclosure, but the proposal would eliminate the need for covered entities to use different types of forms to obtain that advance permission.

Other Provisions

The Department also proposes the following modifications:

  • Sale of Business - The proposal would clarify that the rule permits disclosures in certain circumstances for the sale of a covered entity's business.
  • Group Health Plans - The proposal would clarify that a group health plan or health insurance issuer can disclose enrollment or disenrollment information to a plan sponsor without amending plan documents.
  • Accounting of Disclosures of Protected Health Information - The proposal would not require the covered entity to account for disclosures for which the individual provided written authorization.
  • Disclosures for Treatment, Payment, or Health Care Operations of Another Entity - The proposal would clarify that covered entities can disclose protected health information for the treatment, payment and certain health care activities of another covered entity or health care provider. The proposal would carefully limit the expansion of sharing of information for health care operations to protect the privacy expectations of individuals.
  • Uses and Disclosures Regarding FDA-Regulated Products and Activities - The proposal would assure that the rule permits covered entities to continue to disclose information to non-government entities subject to FDA jurisdiction about the quality, safety, and effectiveness of FDA-regulated products and activities - such as reporting adverse events related to prescription drug use.
  • Hybrid Entity - The proposal would permit any entity that performs covered and non-covered functions to elect to use the hybrid entity provisions and would provide the entity additional discretion in designating its health care component. The proposal would clarify that protected health information does not include employment records.

The proposal also includes a list of technical corrections and additional clarifications related to various sections of the existing rule. The proposed modifications collectively are designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care. Further information about the proposed rule is available on the Web.