On December 20, 2000 the Clinton Administration released final regulations to protect the privacy of individually identifiable health information. The regulations are intended to broadly protect personal health information created or maintained by "covered entities" -- an insured or self-insured health plan, provider, or health care clearinghouse -- including electronic records, paper records that have never existed in electronic form, and oral communications. The regulations also apply to public health plans.
Covered entities generally may not disclose protected health information without the individual’s permission, unless the regulations specify that individual permission is not required. Stricter state laws will not be preempted unless they conflict with a provision of the regulations.
On March 27, the Department of Health and Human Services (HHS) published proposed regulations to modify the standards for the privacy of individually identifiable health information. The proposed regulations would clarify and change certain provisions in the 2000 final regulations. For example, the proposal suggests removing a requirement that certain health care providers get a go-ahead from patients when releasing some private information about the patients.
Under the proposed changes, health care providers with direct relationships with individuals do not have to obtain an individual’s consent before using or disclosing protected health information for payment, treatment, and health care operations. (The 2000 final privacy regulations applied a consent requirement to providers, but not to health plans and health care clearinghouses.) Under the proposed changes, a covered entity may still elect to obtain an individual's consent to use protected health information for payment, treatment, and health care operations.
The proposed regulations provide sample contract language to meet the new requirement for covered entities to establish contracts with business associates (e.g., third-party administrators, consulting firms, external review organizations) concerning the creation, use, or disclosure of protected health information.
HHS published final privacy regulations in December 2000, and published additional guidance in July 2001. However, in response to comments from health care and employer groups, and others, the agency said that it would publish proposed modifications to the final rules in 2002 – these are what are spelled out above.
HHS has requested submission of comments on the proposed changes to the privacy regulations (issued on March 27) by April 26, 2002. Most covered entities have until April 14, 2003 to comply with the privacy rules. (Small health plans have an additional year to comply.) The new proposed regulations do not change these compliance dates.
For employers' group health plans, whether self-insured or fully insured, many administrative changes may need to be made by the 2003 compliance date. Among the most burdensome requirements, health plans must maintain a record of all uses and disclosures, allow participants access to and copies of their medical records, train all employees who need access to protected health information, and create standards for routine and non-routine disclosures.
The plan would then need to determine what information is the minimum amount necessary to achieve the purposes of any disclosures. Employers and health plans may want to familiarize themselves with the original regulations and proposed modifications to the regulations. They may also want to begin assessing how they use protected health information in order to determine what kinds of changes will be required to comply with the regulations.
To Learn More
- Link to HHS fact sheets on the proposed modifications
- HHS press release on the proposed modifications
- HHS press release on the 2000 regulation
- HHS fact sheet on the 2000 regulation
- 2000 privacy rule, HHS Guidance, White House statement, and other information
SOURCE: Hewitt Associates LLC