HHS Publishes Final Modifications to HIPAA Medical Privacy Rule (8/02)

On August 14, 2002, in response to approximately 11,400 comments, the Department of Health and Human Services (“HHS”) published modifications1 to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)2 Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”).3 The modifications finalize the Privacy Rule so that it continues to protect the privacy of individually identifiable health information, while clarifying certain of its provisions, addressing unintended negative effects of the Privacy Rule on health care quality and on access to health care, and relieving unintended administrative burdens the Privacy Rule created. The Privacy Rule is the first comprehensive federal regulation that gives patients broad protections over the privacy of their medical records. Most covered entities subject to the Privacy Rule must comply by April 14, 2003; certain small health plans have until April 14, 2004. “Covered entities” are health care providers, health plans, and health care clearinghouses. The Privacy Rule also reaches, indirectly, entities that perform work on behalf of covered entities, and in certain circumstances it applies to entities outside the health care field.4

This update discusses six significant areas where HHS modified the Privacy Rule: (1) consent and notice; (2) marketing; (3) research, including a new provision regarding a “limited data set” for research and other purposes; (4) hybrid entities; (5) disclosure for treatment, payment or health care operations of another entity; and (6) authorization. Other areas where changes were made include: (a) changes to incidental uses and disclosures; (b) changes in definition of certain terms; (c) changes to minimum necessary standards; (d) changes to provisions relating to business associates; (e) changes in group health plan disclosures of enrollment and disenrollment information; and (f) changes to parents as personal representatives of unemancipated minors.

History of the Privacy Rule

The Privacy Rule is part of the broader administrative simplification effort under HIPAA to shift the medical system to electronic records while protecting security and privacy. In 1996, Congress recognized the need for national patient privacy standards, and HHS proposed federal privacy standards in 1999. After reviewing and considering more than 52,000 public comments on the proposed standards, HHS published final standards in December 2000. In March 2001, HHS requested additional comments from the public, which helped to shape the modifications proposed in March 2002.5 The final Privacy Rule published on August 14, 2002, reflects many of the modifications proposed in March 2002 and takes effect on October 15, 2002.

The full text of the Privacy Rule, as well as ongoing guidance from HHS’s Office for Civil Rights, is available on that office’s website.

Final Modifications

Consent and Notice

Consent. The December 2000 rule generally provided covered entities with permission to use and disclose protected health information as necessary for treatment, payment and health care operations, but required certain health care providers with a “direct relationship” with an individual (e.g., physicians, hospitals or pharmacies) to obtain the individual’s written consent prior to using or disclosing protected health information. In response to public comments that this requirement created significant practical problems for routine and often essential activities of physicians, hospitals, pharmacies and other providers, the final Privacy Rule adopts the changes to § 164.506(a) proposed in March 2002, which make obtaining consent to use and disclose protected health information for treatment, payment or health care operations optional for all covered entities, including those with direct treatment relationships.

Pursuant to § 164.506(a), covered entities are not required to obtain, but have the option of obtaining, an individual’s consent prior to using or disclosing his or her protected health information for treatment, payment and health care operations. This rule applies to all protected health information held by a covered entity, whether the information was created or received before or after the compliance date of the final Privacy Rule. Please note, however, that the removal of the consent requirement applies only to an individual’s consent for treatment, payment and health care operations; it does not alter the final Privacy Rule’s requirement to obtain authorization for uses and disclosures of protected health information not otherwise permitted by the final Privacy Rule (in fact, HHS states that it intends to “enforce strictly” the requirement for obtaining an individual’s authorization for such uses). If a covered entity decides to obtain consent in some or all circumstances, it has complete discretion to fashion a consent mechanism and process that conforms to the practice of its industry and that works best for that particular entity, subject to applicable state law requirements.

Notice of privacy practices for protected health information. To offset the elimination of the consent requirements for treatment, payment, and health care operations, the final Privacy Rule strengthens the requirement that certain covered entities notify patients about their privacy rights and practices. The final Privacy Rule adopts the changes proposed to § 164.520(c) in March 2002. Specifically, § 164.520(c)(2) requires, except in emergency treatment situations, that a covered entity with a direct treatment relationship with an individual make a good faith effort, at the time of first service delivery, to obtain such individual’s written acknowledgement of receipt of the provider’s notice of privacy practices. Thus, although covered entities will not be required to obtain an individual’s consent, any uses or disclosures of protected health information for treatment, payment, or health care operations will still need to be consistent with the covered entity’s notice of privacy practices.

With respect to the form of acknowledgement and patient notice, HHS once again affirmed that it would not specify a single correct format in light of the wide variety of settings to which HIPAA applies. HHS did, however, specifically respond to comments we filed on behalf of Privacy Council. Those comments supported a “layered,” or two-part, notice that contains: (1) a short notice that briefly describes, for example, the entity’s principal uses and disclosures of an individual’s health information, as well as the individual’s rights with respect to that information, and (2) a longer notice, layered beneath the short notice, that contains all of the elements required by the Privacy Rule. A goal of the layered notice is to focus the patient’s attention on the most important information, presented in a clear, concise, and easy-to-understand manner. HHS stated that covered entities are “encouraged to use a layered notice,” although they are not required to do so.

Marketing

Some of the greatest controversy in connection with the final Privacy Rule has arisen in the area of “marketing,” with the industry criticizing the December 2000 rule for being overly complex and privacy advocates criticizing it for being too lax. The final Privacy Rule largely follows the modifications proposed in March 2002 in simplifying the marketing provisions in §§ 164.501 and 164.508(a)(3). Under the final Privacy Rule, transfers of protected health information for the marketing purposes of third parties will require an authorization. Communications by covered entities to their own patients, however, will not be regulated except in relatively narrow circumstances.

Transfer of patient lists requires authorization. The final Privacy Rule makes clear that an opt-in patient authorization is required before protected health information can be transferred to a third party for the latter’s marketing purposes. Public comments had been divided about whether the previous versions of the rule had created a loophole. HHS specifically addressed the possibility that a pharmaceutical company, for instance, could act as a business associate of a covered entity for the purpose of recommending an alternative treatment or therapy to the individual. HHS agreed with public comments that any loophole permitting manipulation of business associate relationships in this fashion should be closed. Thus in the final Privacy Rule, HHS modifies the definition of “marketing” in § 164.501 to include “an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” The final Privacy Rule, however, continues to permit a covered entity to engage a business associate to develop and send marketing communications, so long as the business associate does so for the products or services of the covered entity itself.

“Marketing” definition applies only to communications that are not related to health care. The final Privacy Rule largely conforms with the changes to the definition of “marketing” proposed in March 2002. The December 2000 rule had defined “marketing” somewhat broadly to include “any communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” This definition was understood to apply to products or services of either the covered entity or a third party. The definition no longer applies to communications by a covered entity about “a health-related product or service (or payment for such product or service).” The definition of “marketing” now covers only communications by a covered entity about a non-health-related product or service. HHS clarifies that “health-related” includes communications about: (1) the entities participating in a health care provider network or health plan network; (2) replacement of, or enhancements to, a health plan; and (3) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.

HHS clarified two other exclusions from the definition of “marketing.” First, communications “for the treatment of the individual” are excluded. This simple statement replaces a more complicated definition of “treatment” in the December 2000 rule. Second, the exclusion for case management was revised somewhat, and now applies “for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.” Under the final Privacy Rule, HHS retained the December 2000 rule’s exclusion from “marketing” for face-to-face communication made by a covered entity to an individual. In addition, the final Privacy Rule slightly revises another exclusion, which now covers “a promotional gift of nominal value provided by the covered entity.”

Disclosures about remuneration or origin of marketing communications no longer required. As proposed in March 2002, the final Privacy Rule removes two kinds of disclosures that had been required under the December 2000 rule. Covered entities no longer need to disclose whether they have received remuneration for making a communication to their patients that encourages the purchase of a product or service. HHS specifically states that health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays for, or subsidizes, the communication. In addition, the December 2000 rule had required a covered entity to identify itself as the source of marketing communications to patients. This requirement is deleted in the final Privacy Rule. The final Privacy Rule does provide, however, that if an authorization to carry out marketing involves direct or indirect remuneration, then the authorization must disclose that fact.

Research

The final Privacy Rule contains important provisions in the area of research. They are: (1) easing requirements related to research authorizations; (2) permitting the use of a “limited data set” for research purposes without patient authorization or institutional review board (“IRB”) approval; (3) clarifying the status of re-identification codes; (4) eliminating accounting for authorized disclosures and relaxing the accounting requirement for research disclosures; (5) “grandfathering in” existing research data; and (6) expanding the allowance of reporting to entities subject to certain Food and Drug Administration (“FDA”) requirements.

Research-related authorizations. The final Privacy Rule generally eliminates the special format for research authorizations, as compared to other types of authorizations. Instead, it adopts a single authorization format for all authorizations, so that all authorizations essentially include the same elements. The one exception to this general rule is that authorizations for research purposes need not contain an expiration date.

“Limited Data Set”: Establishes a new standard and implementation specification. In response to concerns that the de-identification standard could curtail important research, public health, and health care operations activities, the final Privacy Rule adds at § 164.514(e) a new standard and implementation specification that permits uses and disclosures of a “limited data set” for such purposes, subject to certain requirements. Under the final Privacy Rule, the limited data set is protected health information from which certain direct identifiers have been excluded but in which certain potentially identifying information remains. Section 164.514(e)(2) enumerates the direct identifiers, which include name, street address, Social Security number, e-mail address, photos, and certain other identifiers. Importantly, the limited data set may include potentially identifying information such as dates related to the individual, including birth dates, and geographic subdivisions such as 5-digit zip code, state, county, city, precinct and their equivalent geocodes, but not street address.

The final Privacy Rule states that a limited data set may be shared for research, public health, and health care operations activities, provided that the covered entity obtains from the recipient a “data use agreement.” Such agreement must contain, among other things, the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research, public health, or health care operations; limits on who can use or receive the data; and the recipient’s agreement not to re-identify the data or contact the individuals. In addition, the data use agreement must contain adequate assurances that the recipient uses appropriate safeguards to prevent use or disclosure of the limited data set other than as permitted by the final Privacy Rule and the data use agreement, or as required by law.

If a covered entity wants to create and use a limited data set for its own research purposes, the requirements of the data use agreement can be met by having affected employees sign an agreement with the covered entity, similar to confidentiality agreements that employees handling sensitive information often sign. HHS also clarifies that the data use agreement requirements apply to disclosures of the limited data set to agents and subcontractors of the original limited data set recipient.
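The following is an added example, written for this update and not drawn from the HHS rule text or from the original article, of how a covered entity might mechanically produce a limited data set and refuse to release it without a data use agreement carrying the terms described above. The field names, the sample record and the data use agreement are constructed for illustration. The set of direct identifiers stripped here covers only those named in this update (name, street address, Social Security number, e-mail address, photo); § 164.514(e)(2) enumerates a longer list, so a real implementation must be completed against the regulation itself.

```python
"""Build a HIPAA "limited data set" from protected health information.

Added example; not the HHS rule text and not code from the original article.
ASSUMPTIONS: DIRECT_IDENTIFIERS is an illustrative subset of § 164.514(e)(2)
(the regulation lists more); field names and sample data are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Direct identifiers that must be removed from a limited data set.
# ASSUMPTION: illustrative subset; complete this against § 164.514(e)(2).
DIRECT_IDENTIFIERS = frozenset({"name", "street_address", "ssn", "email", "photo"})

# Sub-fields of a nested address that may be retained: geographic
# subdivisions down to 5-digit ZIP and their geocodes, never the street line.
ADDRESS_KEEP = frozenset({"city", "county", "state", "precinct", "zip5", "geocode"})

# The only purposes for which a limited data set may be shared.
PERMITTED_PURPOSES = frozenset({"research", "public health", "health care operations"})


@dataclass(frozen=True)
class DataUseAgreement:
    """Minimum terms the update says a data use agreement must contain."""
    recipient: str
    permitted_purposes: frozenset[str]      # must stay within PERMITTED_PURPOSES
    authorized_users: frozenset[str]        # limits on who may use or receive the data
    no_reidentification: bool               # recipient will not re-identify the data
    no_contact_with_individuals: bool       # recipient will not contact the individuals
    safeguards_assured: bool                # appropriate safeguards against other uses
    binds_agents_and_subcontractors: bool   # terms flow down to the recipient's agents

    def is_sufficient(self) -> bool:
        return (
            bool(self.permitted_purposes)
            and self.permitted_purposes <= PERMITTED_PURPOSES
            and bool(self.authorized_users)
            and self.no_reidentification
            and self.no_contact_with_individuals
            and self.safeguards_assured
            and self.binds_agents_and_subcontractors
        )


class ReleaseRefused(Exception):
    """Raised when the data set must not leave the covered entity."""


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of one record with direct identifiers stripped.

    Top-level direct identifiers are dropped; a nested "address" mapping is
    reduced to its permitted geographic subdivisions; dates and clinical
    fields pass through unchanged, as the rule allows.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "address" and isinstance(value, dict):
            kept = {k: v for k, v in value.items() if k in ADDRESS_KEEP}
            if kept:
                out["address"] = kept
            continue
        out[key] = value
    return out


def release_limited_data_set(
    records: list[dict[str, Any]], dua: DataUseAgreement | None
) -> list[dict[str, Any]]:
    """Produce the limited data set only when a sufficient DUA is on file."""
    if dua is None or not dua.is_sufficient():
        raise ReleaseRefused("a limited data set requires a sufficient data use agreement")
    lds = [to_limited_data_set(r) for r in records]
    # Defence in depth: confirm nothing on the deny-list survived the transform.
    for r in lds:
        leaked = DIRECT_IDENTIFIERS & r.keys()
        if leaked or "street" in r.get("address", {}):
            raise ReleaseRefused(f"direct identifier survived transform: {sorted(leaked)}")
    return lds


# Constructed sample record for a fictional patient (not real data).
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "photo": b"\x89PNG...",
    "address": {"street": "1 Example Way", "city": "Springfield", "state": "IL", "zip5": "62701"},
    "birth_date": "1970-03-14",
    "admission_date": "2002-08-14",
    "diagnosis_code": "J18.9",
}

# Constructed data use agreement with a fictional recipient.
SAMPLE_DUA = DataUseAgreement(
    recipient="Example University research group (fictional)",
    permitted_purposes=frozenset({"research"}),
    authorized_users=frozenset({"principal investigator", "study coordinator"}),
    no_reidentification=True,
    no_contact_with_individuals=True,
    safeguards_assured=True,
    binds_agents_and_subcontractors=True,
)

if __name__ == "__main__":
    print(release_limited_data_set([SAMPLE_RECORD], SAMPLE_DUA))
```

The transform is deliberately a deny-list only for direct identifiers and an allow-list for the address block, because the rule permits everything else (dates, ZIP5, clinical data) to remain; the release function then re-checks the output and refuses to ship if any deny-listed field or street line survives, so a later edit to the transform cannot silently turn a limited data set back into fully identified PHI.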

Clarification of allowable use of re-identification code. The final Privacy Rule adopts the changes proposed in March 2002. Sections 164.514(a) - (c) permit a covered entity to de-identify protected health information so that such information may be used and disclosed freely without being subject to the Privacy Rule’s protections. Health information is considered de-identified, or not individually identifiable, if it does not identify an individual and if the covered entity has no reasonable basis to believe that the information can be used to identify an individual.

One method of de-identifying data under the Privacy Rule is the “safe harbor” method, in which a specified list of data elements is removed, including any unique identifying numbers or codes. The final Privacy Rule clarifies a formerly ambiguous point regarding the status of codes placed on patient charts that a covered entity can use to re-identify a de-identified set of data. Under the final Privacy Rule, such a “re-identification code” need not be removed from patient charts to meet the de-identification standard under the safe harbor method.

Eliminating accounting for authorized disclosures and relaxing accounting requirements for research disclosures. The final Privacy Rule adopts the changes proposed to § 164.528 in March 2002 to eliminate the accounting requirements for any disclosures authorized by the individual in accordance with § 164.508. Disclosures made pursuant to an authorization are already known by the individual because the individual was required to sign the forms authorizing the disclosures, and therefore, covered entities are no longer required to account for any disclosures authorized by the individual.

HHS further relaxes the accounting requirements for research disclosures in two important ways. First, disclosures of data in a “limited data set” (described above) and incidental disclosures (please see section on Changes in Incidental Uses and Disclosures below) are exempt from the accounting requirement. Second, disclosures of identifiable data that include direct identifiers pursuant to an IRB or Privacy Board waiver of individual authorization need not be tracked on a disclosure-by-disclosure basis. Instead, a simplified accounting may be used where a covered entity discloses protected health information pursuant to an IRB or Privacy Board waiver, for purposes preparatory to research, or for research using records of deceased individuals, and the disclosure involves 50 or more individuals. The simplified accounting allows the covered entity to provide the individual with a list of research protocols in which the individual’s information may have been used. That list must, among other things, provide: (1) the name of the protocol or other research activity; (2) a description of the purpose of the study and the type of protected health information disclosed; and (3) the timeframe during which such disclosures occurred. In addition, when requested by the individual, the covered entity must provide assistance in contacting those researchers to whom it is likely that the individual’s protected health information was actually disclosed. HHS intends to monitor the simplified accounting procedures for these research disclosures and may adjust the accounting procedures for research in the future.

Research transition: Grandfathering existing research data. The final Privacy Rule adopts the modifications proposed to § 164.532 in March 2002 to “grandfather in” existing research data. A covered entity may use or disclose, for research, protected health information created or received either before or after the compliance date of the final Privacy Rule, provided that there is no agreed-to restriction in accordance with § 164.522(a) and the covered entity obtained, prior to its compliance date: (1) an authorization or other express legal permission from the individual to use or disclose protected health information for the research; (2) the informed consent of the individual to participate in the research study; or (3) a waiver, by an IRB, of informed consent for the research, in accordance with the Common Rule or the FDA’s human subject protection regulations. However, if informed consent is sought from an individual participating in the research after the covered entity’s compliance date, an authorization (or an IRB or Privacy Board waiver) is required.

Reporting to FDA-regulated entities. The final Privacy Rule also expands the allowable situations of public-health-related reporting to FDA-regulated entities. In particular, it permits covered entities to disclose protected health information without authorization to a person subject to FDA jurisdiction regarding an FDA-regulated product or activity for which the person has responsibility for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity. HHS provides illustrative (non-exhaustive) examples that meet this requirement, including: reporting adverse events or product defects; tracking FDA-regulated products; enabling product recalls, repairs, or replacements; and conducting post-marketing surveillance.

Hybrid Entity

Under the December 2000 rule, the hybrid entity provisions permitted only those covered entities whose primary functions were not “covered functions” (i.e., health care functions) to carve some of their components out of compliance with the requirements of the Privacy Rule. The final Privacy Rule adopts the approach proposed in March 2002, giving all covered entities the discretion to decide whether to be a hybrid entity. The key change is the deletion of the term “primary” from the definition of “hybrid entity.” Thus any covered entity that otherwise qualifies (i.e., is a single legal entity that performs both covered and non-covered functions) and that designates health care component(s) in accordance with the final Privacy Rule is a hybrid entity. The health care components of the hybrid entity are still required to adhere to the full range of requirements that pertain to “covered entities” under the final Privacy Rule. In addition, the transfer of protected health information held by the health care component to other components of the hybrid entity continues to be a disclosure under the final Privacy Rule and is allowed only to the same extent such a disclosure is permitted to a separate entity. Finally, a hybrid entity remains obligated to put in place all necessary mechanisms to protect the health care component’s protected health information from being used by non-health care components in ways that violate the final Privacy Rule. Of course, if a covered entity chooses not to designate health care component(s), all of its components (health care or otherwise) are subject to the requirements of the final Privacy Rule.

Disclosures for Treatment, Payment, or Health Care Operations of Another Entity

Under the December 2000 rule, a covered entity could, with patient consent, use and disclose protected health information for treatment, payment or health care operations, subject to certain limitations. The December 2000 rule allowed a covered entity, with patient consent, to disclose protected health information for any treatment purposes, but only for payment and health care operations purposes of that covered entity. Therefore, under the December 2000 rule, if an ambulance company transported a patient to Hospital X, the ambulance company itself was required to obtain the patient’s consent to use health information to get paid – the patient consent given to Hospital X would not suffice because it only permitted uses and disclosures of protected health information for Hospital X’s payment and health care operations purposes. Due to this scenario and other similar scenarios, comments to the December 2000 rule raised specific concerns that such restrictions on the uses and disclosures of protected health information for payment and health care operations would impede the ability of certain entities to obtain reimbursement for health care, to conduct certain quality assurance or improvement activities or to monitor fraud and abuse.

The final Privacy Rule generally adopts the March 2002 proposal. The final Privacy Rule at § 164.506(c) permits a covered entity to disclose protected health information to another covered entity or any health care provider for the payment activities of the entity that receives the information. This section also permits a covered entity to disclose protected health information to another covered entity for the health care operations activities of the entity that receives the information, if: (a) each entity either has or had a relationship with the individual who is the subject of the information, (b) the protected health information pertains to such relationship, and (c) the disclosure is for certain health care operations generally related to quality assurance and preventing fraud and abuse.6 Further, the final Privacy Rule also permits a covered entity to disclose protected health information, with direct identifiers removed, for any health care operations activities of the entity requesting the information, subject to a data use agreement. Moreover, § 164.506(c) of the final Privacy Rule clarifies that (i) a covered entity may use or disclose protected health information for its own treatment, payment or health care operations and for the treatment activities of any health care provider, and (ii) a covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement. HHS believes that the above provisions strike the appropriate balance between meeting an individual’s privacy expectations and meeting a covered entity’s need for information for reimbursement and quality purposes.

Restructuring Authorizations
(Please see section on Research above for research-related authorizations.)

The December 2000 rule contained numerous provisions that required covered entities to obtain an individual’s authorization for uses and disclosures of his or her protected health information for purposes that were not otherwise permitted or required under the Privacy Rule. In response to many comments that these authorization requirements were too complex and confusing, the final Privacy Rule adopts the changes proposed in March 2002, which simplify the authorization provisions by consolidating the implementation specifications into a single set of criteria under § 164.508(c), so that covered entities may use one authorization form for all purposes. The final Privacy Rule also sets forth a new exception to the revocation provision at § 164.508(b)(5)(ii): an individual may not revoke an authorization that was obtained as a condition of obtaining insurance coverage when another law provides the insurer with the right to contest the policy. HHS also makes minor changes to § 164.508(a)(2) to clarify that a covered entity may not use or disclose psychotherapy notes for another covered entity’s treatment, payment or health care operations without the individual’s authorization.

Section 164.508(a) sets forth the general requirement that covered entities obtain authorization for uses and disclosures of protected health information. In addition, §§ 164.508(c)(1) and (c)(2) set forth the specific “core elements and notification statements” and other statements that each authorization form must include to be valid (note that one authorization form may be used for all purposes).7 Further, § 164.508(c)(3) requires that authorization forms be written in plain language so that individuals can understand the information contained therein, and § 164.508(c)(4) requires covered entities to provide an individual a copy of any authorization form the person has signed. HHS believes that these requirements will ensure that individuals are fully informed of their rights with respect to authorizations, and understand the consequences of authorizing the use or disclosure of their protected health information.

Section 164.508(b)(3) of the final Privacy Rule provides that a covered entity may not combine an authorization with any other type of document (e.g., a notice of privacy practices or a written voluntary consent). There are certain exceptions, however, for research-related authorizations (please see section on Research above). Notwithstanding the foregoing, the final Privacy Rule clarifies that covered entities may use one authorization form for their use or disclosure of protected health information (e.g., psychotherapy notes) for two or more purposes (e.g., for marketing purposes and other purposes). With respect to a covered entity’s marketing activities, § 164.508(a)(3) clarifies that, with few exceptions, a covered entity must obtain an authorization to use or disclose protected health information for marketing purposes, and such authorization must disclose whether the covered entity is receiving direct or indirect remuneration from a third party for such marketing (please see section on Marketing above for a broader discussion).

Finally, § 164.508(b)(6) requires covered entities to document and retain authorizations for at least six (6) years.

Changes in Incidental Uses and Disclosures

Many public comments remarked that the December 2000 rule’s strict restrictions on uses and disclosures of protected health information would not allow for incidental or unintentional disclosures of such information that routinely occur as a by-product of engaging in reasonable health care communications and practices. For example, some public comments questioned whether the Privacy Rule would eliminate certain long-standing practices such as sign-in sheets in patient waiting rooms, keeping patients’ charts at their bedsides, and medical professionals conferring at nurses’ stations (or other semi-confidential areas), as such practices might lead to incidental or unintentional disclosures of protected health information. To address these concerns, the final Privacy Rule adopts the changes proposed in March 2002.

The final Privacy Rule defines an “incidental use or disclosure” as a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of an otherwise permitted use or disclosure. The final Privacy Rule also adds at § 164.530(c)(2)(ii) a new provision that requires covered entities to reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. HHS clarifies that the permission for incidental uses and disclosures, subject to reasonable safeguards and the minimum necessary standard, extends to incidental uses or disclosures to any person, not only those resulting from treatment communications or from communications among health care providers and other medical staff.

Changes in Definition

In addition to changes in the definition of “marketing” (please see section on Marketing above), HHS has modified the definitions of “protected health information” and “health care operations” in the final Privacy Rule at § 164.501.

Change in definition of “protected health information.” To avoid confusion among covered entities with respect to employee records they maintain as employers, HHS proposed in March 2002 to modify the definition of “protected health information” in § 164.501 to exclude employment records held by a covered entity in its role as an employer. The final Privacy Rule adopts the language proposed in March 2002 but does not add a definition of the term “employment records.” Individually identifiable health information created, received, or maintained by a covered entity in its health care capacity, including in administering a health plan, is protected health information and remains so under the final Privacy Rule.

Change in definition of “health care operations.” A number of entities expressed concerns about the discrepancy between HHS’s intent, as expressed in the preamble to the December 2000 rule, to include in the definition of “health care operations” the actual transfer of protected health information to a successor in interest upon a sale or transfer of assets, and the actual language of the rule. To address these concerns, the final Privacy Rule adopts the modification proposed in March 2002 to clarify its intent to permit the transfer of records to a covered entity upon a sale, transfer, merger, or consolidation. Thus, under the final Privacy Rule, a covered entity may use or disclose protected health information in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon the completion of the transaction, and to conduct due diligence in connection with such a transaction. The final Privacy Rule clarifies that it is also a health care operation to transfer records containing protected health information as part of the transaction.

Minimum Necessary

Maintains the “minimum necessary” rule, while exempting uses or disclosures pursuant to authorizations. The December 2000 rule at § 164.502(b) generally provides that a covered entity is required to develop and implement policies and procedures appropriate to the entity’s business practices and work force that reasonably minimize the amount of protected health information used, disclosed, and requested, and limit those who have access to such information.8 The final Privacy Rule adopts the changes proposed in March 2002 to clarify HHS’s intent or otherwise conform the provisions relating to minimum necessary to other modifications. The final Privacy Rule adopts the proposed policy to exempt from the minimum necessary standard any uses or disclosures for which the covered entity has received an authorization that meets the requirements of § 164.508.9 The final Privacy Rule also adds a provision to § 164.514(d)(4) to require that, for requests not made on a routine and recurring basis, a covered entity must implement the minimum necessary standard by developing and implementing criteria designed to limit its request for protected health information to the minimum necessary to accomplish the intended purpose.

Workers’ compensation. In the preamble to the final Privacy Rule, HHS clarifies the extent to which the minimum necessary standard applies to exchanges of protected health information between a covered entity and a workers’ compensation carrier, state agency, or employer. HHS emphasizes that disclosures required by state workers’ compensation laws are not subject to the minimum necessary standard. Further, where disclosures under state workers’ compensation law are permitted rather than required, HHS notes that although the minimum necessary standard will be applicable, a covered entity may disclose protected health information to a workers’ compensation carrier, state agency, or employer to the full extent permitted by that law. Finally, HHS reiterates that a disclosure of protected health information to a workers’ compensation carrier, state agency, or employer pursuant to a written authorization is not subject to the minimum necessary standard.

Business Associates

The final Privacy Rule adopts the modifications to the business associate provisions proposed in March 2002, with several further modifications and additional provisions, to relieve some of the burden on covered entities in complying with the business associate provisions. The final Privacy Rule adds a transition provision to grandfather certain existing contracts for a specified period of time and publishes sample contract language.

The final Privacy Rule at § 164.532 permits covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003 compliance date of the final Privacy Rule. The transition period is available to covered entities that have an existing contract with a business associate prior to the October 15, 2002 effective date of the final Privacy Rule, provided that the contract is not renewed or modified prior to the April 14, 2003 compliance date of the final Privacy Rule for most covered entities. Contracts that renew automatically without any change in terms or other action by the parties and that exist by the effective date of the final Privacy Rule are eligible for the transition period. The transition provisions do not apply to small health plans, and such small health plans remain obligated to have contracts compliant with the final Privacy Rule on or before April 14, 2004. In addition, although not provided for in the March 2002 proposed modifications, the final Privacy Rule explicitly provides that, with respect to those business associate contracts that qualify for the transition period, a covered entity is not relieved of its obligation to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information by its business associate in violation of the covered entity’s policies and procedures or the requirements of § 164.530 of the final Privacy Rule.

With respect to the sample contract language, the final Privacy Rule adopts the proposed language with several modifications. The modifications include, among others: a change in the name from “model” to “sample” language; a clarification that the parties can negotiate appropriate terms regarding the time and manner of providing access to protected health information, providing information to account for disclosures of protected health information, and making amendments to protected health information; and a clarification that the business associate contract must permit the Secretary of HHS, and not the covered entity, to have access to certain records, including protected health information, for purposes of determining the covered entity’s compliance with the final Privacy Rule.

Group Health Plan Disclosure of Enrollment and Disenrollment Information

Adopting the approach set forth in the modifications proposed to § 164.504 in March 2002, the final Privacy Rule expressly provides that group health plans (as well as health insurance issuers and health maintenance organizations) are permitted to share plan enrollment and disenrollment information with plan sponsors. As revised, the final Privacy Rule treats disclosures of plan enrollment and disenrollment information in the same manner that disclosures of summary health information are treated. Plan amendments continue to be required to allow broader disclosures.

Parents as Personal Representatives of Unemancipated Minors

The final Privacy Rule adopts the changes proposed to § 164.502(g)(3) in March 2002 and clarifies that nothing should prohibit disclosure of protected health information by providers to the parents of a minor if, and to the extent that, state or other laws permit or require such disclosure. By contrast, if state or other laws prohibit disclosure of a minor’s protected health information to his or her parents, a provider must comply with such state or other laws without regard to the final Privacy Rule. In cases where state law gives a provider discretion (i.e., is silent or is unclear with respect to disclosure of a minor’s protected health information to his or her parents), the final Privacy Rule preserves state law and professional practices and permits a provider to use its discretion to provide or deny parents access to such information as long as that decision is consistent with the relevant state or other law. With regard to parental access to a minor’s protected health information, the final Privacy Rule provides that if there is an explicit state or other law which requires, prohibits or permits parental access to a minor’s protected health information, such law shall apply. Finally, the final Privacy Rule clarifies that the deference to state or other applicable law includes deference to established case law as well as explicit provisions in statutes or regulations.
1: 67 Fed. Reg. 53,182 - 53,273 (August 14, 2002).

2: Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 26 U.S.C., 29 U.S.C., and 42 U.S.C.).

3: 65 Fed. Reg. 82,798 - 82,829 (December 28, 2000).

4: For a discussion of the applicability of HIPAA to non-health care entities, please go to Morrison & Foerster LLP’s update HIPAA and Non-Health Care Industries: The Far Reach of the HIPAA Privacy Rules, September 2001.

5: For overview of changes proposed in March 2002, please go to Morrison & Foerster LLP’s HIPAA client update HHS Announces Changes to HIPAA Medical Privacy Rule, April 2002.

6: These certain health care operations refer to those purposes listed in paragraphs (1) or (2) of the definition of “health care operations” in § 164.501 of the final Privacy Rule, which purposes include quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing or credentialing activities, and for the purpose of health care fraud and abuse detection or compliance.

7: A covered entity’s authorization form should contain: (1) a description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual’s signature and date, (7) if signed by a personal representative, a description of his or her authority to act for the individual, (8) a statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right or, to the extent this information is included in the covered entity’s notice, a reference to the notice, (9) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if the imposition of the condition is prohibited by the final Privacy Rule, or, if the imposition of conditioning is permitted, a statement of the consequences of refusing to sign the authorization, and (10) a statement about the potential for the protected health information to be re-disclosed by the recipient.

8: The minimum necessary standard does not apply to: disclosures to or requests by a health care provider for treatment; uses or disclosures made to the individual or pursuant to an authorization initiated by the individual; and uses or disclosures that are required by law.

9: HHS expands the exception for authorizations to apply to any authorization executed pursuant to § 164.508, thereby eliminating the special authorizations required by the December 2000 rule at § 164.508 (d), (e), and (f) relating respectively to authorizations requested by a covered entity for its own uses and purposes; authorizations requested by a covered entity for disclosure by others; and authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.