By Deborah Robinson, Esq.
There are few medical practices which have not been barraged with information and alarms concerning implementation of the new HIPAA regulations. It is the intent of this article to identify basic first steps for practices as they plan for meeting the privacy rule deadlines scheduled to go into effect April 14, 2003.
Some background information will put certain issues in perspective as practices move toward implementation. The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 and made certain changes to the health care system, including setting guidelines for the electronic transmission and disclosure of health information. The portion of the Act dealing with electronic transmission and privacy is generally referred to as “Administrative Simplification.” Although there was general consensus regarding the need for uniformity in the transmission of health information for insurance and payment purposes, there was general political concern regarding the implementation of such a program in reference to privacy considerations and the fact that all 50 states have different laws and interpretations of privacy and disclosure requirements. There are essentially three components to the implementation of the Administrative Simplification Act: (1) record sets and code transactions, (2) security regulations, and (3) privacy regulations.
It is the privacy regulations, which are final at this time, that will require practices to quickly assess their operations and to implement policies and procedures in order to conform with them. The focus of this article is on the consent form and its interplay with the Privacy Notice. Use of information outside of the consent form requires a separate authorization, and these various uses and expectations are outside the scope of this article. It is interesting to note that the security regulations are not final at this time and it is anticipated, and hoped, that they will be consistent with the privacy regulations.
Although the law and regulations are fraught with complex definitions, this article assumes that physician practices will be subject to the privacy regulations as “Covered Entities.” This is because most physician practices at least engage in the trigger event of an electronic submission involving health information. Even one electronic submission of health care information for payment purposes makes the entire practice subject to the Act. Once the entity is subject to the Act, all health information (including oral communications) is subject to the privacy regulations.
Any health care entity which is a “Covered Entity” is required to develop certain policies and procedures, consent forms and authorization forms for the disclosure of “Private Health Information” (PHI) which includes “individually identifiable health information” (IIHI). This is information, including demographic information, collected from an individual, relating to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual and (1) which identifies the individual; or (2) with respect to which there is a reasonable basis to believe the information could be used to identify the individual.
Once this information is identified, the practice must assure that it obtains a consent from the patient in order to disclose this information for purposes of “treatment, payment or health care operations.” The components of a consent form are as follows:
The consent must be in plain language and:
• Inform the individual that protected health information may be used and disclosed to carry out treatment, payment or health care operations.
• Refer the individual to a Privacy Notice required by the law for a more complete description of such uses and disclosures, and state that the individual has a right to review the notice prior to signing the consent (the development of a Privacy Notice is a separate and distinct responsibility).
• State, if the Covered Entity reserves the right to change its privacy practices, that the terms of its notice may change, and describe how an individual may obtain a revised notice.
• State that: (1) the individual has the right to request that the Covered Entity restrict how protected health information is used or disclosed to carry out treatment, payment or health care operations; (2) the Covered Entity is not required to agree to requested restrictions; and (3) if the Covered Entity agrees to a requested restriction, the restriction is binding on the Covered Entity.
• Indicate that the individual has the right to revoke their consent in writing except to the extent that the Covered Entity has taken action in reliance on it.
• Be signed by the individual and dated.
The consent form must be kept for a minimum of six years, and the provider can continue to rely on that consent during the entire physician-patient relationship.
What becomes critical in terms of the day-to-day operational setting of medical practices is that they understand what activities the terms “treatment, payment or health care operations” include. Although the Privacy Notice need only give examples of each of these areas, it is important for the individuals in the practice to understand exactly what is encompassed by these terms.
In recognition of the complexity involved in the interpretation of law, the Office of Civil Rights (OCR), the agency responsible for enforcing this Act, has created a list of frequently asked questions which includes the agency’s answers. The website is at www.hhs.gov/ocr/hipaa. What is interesting about this question-and-answer publication is not only that it identifies and explains what is covered by these categories, but it also identifies certain practices which are in question under the privacy rule and which the Department of Health and Human Services intends to clarify.
Examples of issues and standards in the privacy rule for which there will be proposed changes are: (1) phoned-in prescriptions; (2) referral appointments; (3) allowable communications, particularly in the routine oral communications with family members and coordination with staff; and (4) a further definition or restriction in the definition of “minimum necessary.” It is important to understand, however, that HHS must comply with the Administrative Procedure Acts by publishing its rule changes in the Federal Register through a notice of proposed rulemaking. At the time of this article, no such notice has been published.
Even given the lack of clarity in some of these open issues, it is clear that the terminology of “treatment, payment and health care operations” is fairly broad and does encompass a variety of common practices. For example, “Treatment” means the provision, coordination or management of health care and related services by one or more health care providers, including both consultation between health care providers and the referral of a patient from one health care provider to another.
“Payment” is a very broad category and includes the determination of eligibility, billing, claims management, utilization review and collection activity. The OCR has specifically stated that there is no conflict with HIPAA and the Fair Credit Reporting Act.
Finally, “Health Care Operations” includes conducting quality assessment and improvement activities, peer review, legal and auditing functions and general business planning and development. The term can also include typical due diligence activities as they relate to the potential sale of a practice. These are examples of all three categories of permissive uses with a valid consent and demonstrate how broad the uses can be.
Interplay with Privacy Notice
In order to actually implement the consent form, the practice must develop a Privacy Notice which is a roadmap for the privacy policies for the entire practice. Interestingly, the OCR publication indicates that many patients may not even want to review the Privacy Notice and may sign the consent without reviewing it. However, the Privacy Notice must be available for those individuals who do want to review it.
Although the intrusion of HIPAA into the provider setting may require modification of practice activities, the development of new policies and procedures, and the retention of additional records, these issues should be seen as being in the general purview of continuing compliance standards being imposed by the government and which providers have come to accept. Adoption of a consent policy and Privacy Notice should give the practice great latitude in continuing operations in the normal course of business.
Providers have always respected patient privacy rights, and the institutionalization of some of these policies and procedures should not interfere with the day-to-day operations of a medical practice. What remains to be seen, however, is whether the government follows through with the recognition that the privacy regulations as drafted create a possible impediment to patient communication in obtaining health care services.
Deborah J. Robinson, Esq., is a Director in the law firm of Houston Harbaugh, P.C.