HIPAA Privacy Rule
Fact Sheet
Marketing -- The final Rule requires a
covered entity to obtain an individual's prior written
authorization to use his or her protected health
information for marketing purposes except for a
face-to-face encounter or a communication involving a
promotional gift of nominal value. The Department
defines marketing to distinguish between the types of
communications that are and are not marketing, and
makes clear that a covered entity is prohibited from
selling lists of patients and enrollees to third
parties or from disclosing protected health information
to a third party for the marketing activities of the
third party, without the individual's authorization.
The Rule clarifies that doctors and other covered
entities communicating with patients about treatment
options or the covered entity's own health-related
products and services are not considered marketing. For
example, health care plans can inform patients of
additional health plan coverage and value-added items
and services, such as discounts for prescription drugs
or eyeglasses.
Consent and Notice -- The Department makes
changes to protect privacy while eliminating barriers
to treatment by strengthening the notice requirement
and making consent for routine health care delivery
purposes (known as treatment, payment, and health care
operations) optional. The Rule requires covered
entities to provide patients with notice of the
patient's privacy rights and the privacy practices of
the covered entity. The strengthened notice requires
direct treatment providers to make a good faith effort
to obtain the patient's written acknowledgement of the
notice of privacy rights and practices. The final Rule
promotes access to care by removing mandatory consent
requirements that would inhibit patient access to
health care while providing covered entities with the
option of developing a consent process that works for
that entity. The Rule also allows consent requirements
already in place to continue.
Uses and Disclosures Regarding Food and Drug
Administration (FDA)-Regulated Products and Activities
-- The final Rule permits covered entities to disclose
protected health information, without authorization, to
a person subject to the jurisdiction of the FDA for
public health purposes related to the quality, safety
or effectiveness of FDA-regulated products or
activities such as collecting or reporting adverse
events, dangerous products, and defects or problems
with FDA-regulated products. This assures that
information will continue to be available to protect
public health and safety, as it is today.
Incidental Use and Disclosure -- The final
Rule acknowledges that uses or disclosures that are
incidental to an otherwise permitted use or disclosure
may occur. Such incidental uses or disclosures are not
considered a violation of the Rule provided that the
covered entity has met the reasonable safeguards and
minimum necessary requirements. For example, if these
requirements are met, doctors' offices may use waiting
room sign-in sheets, hospitals may keep patient charts
at bedside, doctors can talk to patients in
semi-private rooms, and doctors can confer at nurses'
stations without fear of violating the rule if
overheard by a passerby.
Authorization -- The final Rule clarifies the
authorization requirements to the Privacy Rule to,
among other things, eliminate separate authorization
requirements for covered entities. Patients will have
to grant permission in advance for each type of
non-routine use or disclosure, but providers will not
have to use different types of forms. These
modifications also consolidate and streamline core
elements and notification requirements.
Minimum Necessary -- The final Rule exempts
from the minimum necessary standards any uses or
disclosures for which the covered entity has received
an authorization. The Rule previously exempted only
certain types of authorizations from the minimum
necessary requirement, but since the rule will only
have one type of authorization, the exemption is now
applied to all authorizations. Minimum necessary
requirements are still in effect to ensure an
individual's privacy for most other uses and
disclosures.
The Department clarifies in the preamble that the
minimum necessary standard is not intended to impede
disclosures necessary for workers' compensation
programs. The Department will actively monitor to
ensure that workers' compensation programs are not
unduly affected by the Rule.
Parents and Minors -- The final Rule
clarifies that state law, or other applicable law,
governs in the area of parents and minors. Generally,
the Privacy Rule provides parents with new rights to
control the health information about their minor
children, with limited exceptions that are based on
state or other applicable law and professional
practice. For example, where a state has explicitly
addressed disclosure of a minor's health information to
a parent, or access to a child's medical record by a
parent, the final Rule clarifies that state law
governs. In addition, the final Rule clarifies that, in
the special cases in which the minor controls his or
her own health information under such law and that law
does not define the parents' ability to access the
child's health information, a licensed health care
provider continues to be able to exercise discretion to
grant or deny such access as long as that decision is
consistent with the state or other applicable law.
Business Associates -- The final Rule gives
covered entities (except small health plans) up to an
additional year to change existing written contracts to
come into compliance with the business associate
requirements. The additional time will ease the burden
of covered entities renegotiating contracts all at
once. The Department has also provided sample business
associate contract provisions.
Research -- The final Rule facilitates
researchers' use of a single combined form to obtain
informed consent for the research and authorization to
use or disclose protected health information for such
research. The final Rule also clarifies the
requirements relating to a researcher obtaining an IRB
or Privacy Board waiver of authorization by
streamlining the privacy waiver criteria to more
closely follow the requirement of the "Common Rule,"
which governs federally funded research. The transition
provisions have been expanded to prevent needless
interruption of ongoing research.
Limited Data Set -- The final Rule permits
the creation and dissemination of a limited data set
(that does not include directly identifiable
information) for research, public health, and health
care operations. In addition, to further protect
privacy, the final Rule conditions disclosure of the
limited data set on a covered entity and the recipient
entering into a data use agreement, in which the
recipient would agree to limit the use of the data set
for the purposes for which it was given, and to ensure
the security of the data, as well as not to identify
the information or use it to contact any individual.
Other provisions:
- Hybrid Entities -- The final Rule
permits any entity that performs covered and
non-covered functions to elect to use the hybrid
entity provisions and provides the entity
additional discretion in designating its health
care components.
- Health Care Operations: Changes in Legal
Ownership -- The final Rule clarifies the
definition of "health care operations" to allow a
covered entity who sells or transfers assets to,
or consolidates or merges with, an entity who is,
or will be, a covered entity upon completion of
the transaction, to use and disclose protected
health information in connection with such
transaction, which includes due diligence and
transferring records containing protected health
information as part of the transaction.
- Group Health Plan Disclosures of Enrollment
and Disenrollment Information -- The final
Rule allows a group health plan, a health
insurance issuer, or HMO acting for a group health
plan to disclose to a plan sponsor, such as an
employer, information on whether the individual is
enrolled in or has disenrolled from a plan offered
by the sponsor without amending the plan
documents.
- Accounting of Disclosures -- The final
Rule exempts disclosures made pursuant to an
authorization from the accounting requirements.
The authorization process itself adequately
protects individual privacy by assuring that the
individual's permission is given both knowingly
and voluntarily. The final Rule also exempts from
the accounting requirements incidental
disclosures, and disclosures that are part of a
limited data set. The Rule provides a simplified
alternative approach for accounting for multiple
research disclosures that includes providing a
description of the research for which an
individual's protected health information may have
been disclosed and the researcher's contact
information.
- Disclosure for Treatment, Payment, or
Health Care Operations of Another Entity -- The
final Rule clarifies that covered entities can
disclose protected health information for the
treatment and payment activities of another
covered entity or a health care provider, and for
certain health care operations of another covered
entity.
- Protected Health Information: Exclusion for
Employment Records -- The final Rule clarifies
that employment records maintained by a covered
entity in its capacity as an employer are excluded
from the definition of protected health
information. The modifications do not change the
fact that individually identifiable health
information created, received, or maintained by a
covered entity in its health care capacity is
protected health information.