Revisions Would Ensure Federal Privacy Protections While Removing Obstacles to Care

Thursday, March 21, 2002 (202) 690-6343

HHS Secretary Tommy G. Thompson today proposed changes to HHS' health privacy regulations to ensure strong privacy protections while correcting unintended consequences that threatened patients' access to quality health care.

"The President believes strongly in the need for federal protections to ensure patient privacy, and the changes we are proposing today will allow us to deliver strong protections for personal medical information while improving access to care," Secretary Thompson said.

The federal privacy regulations guarantee patients full access to their medical records, give them more control over how their personal information is used and disclosed, and provide a clear avenue of recourse if their medical privacy is compromised.

Secretary Thompson said today's proposed revisions are needed to fix problems with the previously published rule that otherwise could make it more difficult for patients to get quality care quickly and easily. The proposal also strengthens and clarifies the rule's marketing restrictions.

Today's proposal would make the following revisions:

* Strengthen notice provisions and remove consent requirements hindering access to care. As written, the privacy rule's general requirement that patients give prior consent on privacy practices before receiving treatment created serious unintended consequences that interfere with patients' access to health care. For example, patients could be required to visit a pharmacy in person to sign paperwork before a pharmacist could fill their prescriptions. Similar barriers could arise when a patient is referred to a specialist and in other situations. In addition, doctors could refuse to treat patients who refused to sign their privacy consent form. To fix these problems, the proposal would promote access to care by removing the consent requirements for treatment, payment, and health care operations that could interfere with efficient delivery of health care, while strengthening requirements for providers to notify patients about their privacy rights and practices. Patients would be asked to acknowledge the privacy notice, but doctors and other providers could treat them if they did not. This change would ensure that patients can consider a provider's privacy policies before making health care decisions, but would eliminate barriers to patients' access to care.

* Maintains the "minimum necessary" rule, while allowing treatment-related conversations. By covering oral communications and limiting the use of personal health information to the "minimum necessary," the privacy rule raised concerns that routine conversations between doctors and patients, nurses and others involved in a patient's care could violate the rule. This could stifle essential communication necessary to provide the highest quality care possible. Today's proposed changes would continue to cover oral communications and maintain the "minimum necessary" requirement, but would make clear that doctors could discuss a patient's treatment with other doctors and professionals involved in their care without fear that their conversations could lead to a violation. As long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information, incidental disclosures - such as another patient hearing a snippet of conversation - would not be subject to penalties. Improper disclosures would still violate the rule.

* Assures appropriate parental access to their children's records. The current rule may have unintentionally limited a parent's access to their child's medical records. The proposal clarifies that state law governs disclosures to parents. In cases where state law is silent or unclear, the revisions would preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records as long as that decision is consistent with state or other law.

* Prohibits use of records for marketing, while allowing appropriate communications. Based on consumer concerns that the marketing provisions were ineffective to protect patient privacy, the proposal would explicitly require pharmacies, health plans and other covered entities to first obtain the individual's specific authorization before sending them any marketing materials. At the same time, the proposal would continue to permit doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

"These are common-sense revisions that eliminate serious obstacles to patients getting needed care and services quickly while continuing to protect patients' privacy," Secretary Thompson said. "For example, sick patients will not be forced to visit the pharmacy themselves to pick up prescriptions -- and could send a family member or friend instead. Doctors will be able to consult with nurses and others involved in a patient's care to ensure that they get the best care."

The proposal also would make other revisions to simplify the rule's paperwork requirements while preserving the rule's strong privacy protections. The changes reflect Secretary Thompson's commitment to making regulatory requirements simpler and easier to implement - without reducing their effectiveness. For example:

* Assure privacy, without impeding research. The proposal would eliminate the need for researchers to use multiple consent forms -- one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form to accomplish both purposes. The proposal would also simplify other provisions so that the privacy rule more closely follows the format of the "Common Rule," which governs federally funded research. The provisions ensure privacy-specific criteria will apply equally to publicly and privately funded research.

* Provide model business associate provisions. The existing rule requires covered entities -- health plans, health care providers and clearinghouses -- to have contracts with their business associates to ensure that they follow the privacy rule's requirements. The proposal includes model business associate contract provisions, making it easier and less costly for covered entities to implement the requirements. The changes also would give covered entities up to an additional year to change existing contracts, easing the burden of renegotiating contracts all at once.

* Simplify authorizations. The changes would allow the use of a single type of authorization form to obtain a patient's permission for a specific use or disclosure that otherwise would not be permitted under the rule. Patients would still need to grant permission in advance for each type use or disclosure, but the proposal would eliminate the need to use different types of forms to obtain that advance permission.

Congress in 1996 recognized the need for national patient privacy standards and set a three-year deadline to enact such protections as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The law required HHS to adopt such protections via regulation if Congress did not address the issue.

HHS proposed federal privacy standards in 1999 and, after reviewing and considering more than 52,000 public comments on them, published final standards in December 2000. In March 2001, HHS received more than 11,000 comments after Secretary Thompson requested additional public input on the rule. Those comments and other public input was used to develop the proposed changes, which will be published in the Federal Register on March 27, 2002, with a 30-day comment period. HHS will consider public comments on the proposed changes before issuing a final rule.

Most covered entities have until April 14, 2003, to comply with the patient privacy rule; under the law, certain small health plans have until April 14, 2004 to comply. To help people prepare for and meet the rule's requirements, HHS' Office for Civil Rights will continue to conduct outreach and education for healthcare providers, consumers and others affected by the privacy regulation.

Additional information about the privacy rule is available on the Web at http://www.hhs.gov/ocr/hipaa.

Posted to HIPAAcomply 3/25/02