HHS releases new guidance on the privacy rule
On December 4, the Office for Civil Rights at HHS released "Standards for Privacy of Individually Identifiable Health Information" (the "Guidance"). The purpose of the document is to provide practical assistance in implementing the privacy regulations created under HIPAA (the "Privacy Rule").
The Guidance begins with a general overview that provides helpful background on the Privacy Rule. The remainder of the document is divided into sections by key topics. These sections address Incidental Uses and Disclosures; Minimum Necessary; Personal Representatives; Business Associates; Uses and Disclosures for Treatment, Payment, and Health Care Operations; Marketing; Public Health; Research; Workers' Compensation Laws; Government Access; and Miscellaneous Frequently Asked Questions.
Each section introduces the topic with a brief background and description of how the Privacy Rule works with respect to the specific topic. The "Frequently Asked Questions" ("FAQs") that follow provide helpful insight regarding implementation of the Privacy Rule. Many of these FAQs address common concerns that physicians have raised. In addition, the Guidance provides specific answers to implementation issues such as who is a "business associate" and what is "marketing". See the Summary of the Guidance below for a brief description of those sections that are likely to be particularly helpful for physicians.
HHS acknowledges that the Guidance does not address all aspects of the Privacy Rule, but HHS indicates that it will add segments in the future. In addition, HHS states that it will update the FAQs on an ongoing basis as new questions arise.
This document will serve as a useful resource for physicians as they implement the Privacy Rule. The examples are helpful and specific. The FAQs target many of the practical concerns that physicians have had about implementation of HIPAA. The Guidance can be found on the HHS Web site where physicians and their office staff can easily print and keep a copy as a resource.
General overview
This section provides a brief overview of the Privacy Rule. The FAQs address the basics of the Privacy Rule, such as why the Privacy Rule is needed, and who is a covered entity. This section also provides a helpful summary of the major modifications to the Privacy Rule adopted on August 14, 2002.
Incidental uses and disclosures
This section explains that traditional methods of using protected health information are not likely to be severely restricted as a result of the Incidental Use and Disclosure provision in the Privacy Rule. It describes the balance between the need for privacy and the need for protecting efficiency and access in delivering health care to patients. The FAQs provide examples of what reasonable and appropriate safeguards could include as required by the Privacy Rule. The FAQs also address how precautions to safeguard protected health information might work in emergency situations. In addition, the FAQs clarify common questions such as the use of faxes; placing patient charts in boxes outside of examination rooms; and other practices in the hospital setting where patients' names are typically displayed.
Minimum necessary
This section explains the application of the Minimum Necessary Standard. For example, this section explains that physicians are not required to completely restructure existing workflow systems in order to meet the standard. Instead, HHS highlights the necessity of making reasonable adjustments to space and office operations to limit and minimize access to protected health information. The FAQs illustrate other simple ways to comply, such as locking file cabinets and providing additional passwords. The FAQs also explore how physicians can shape their policies and procedures in training situations to meet the standard.
Business associates
This section clarifies some of the confusion surrounding business associates. It defines and provides examples of business associate relationships. It clarifies when a business associate contract is not required. The FAQs address concerns such as physicians' obligations with respect to protected health information held by their business associates. The FAQs provide guidance regarding physicians' potential for liability for the actions of their business associates.
Uses and disclosures for treatment, payment and health care operations
This section explains the final modifications to the Privacy Rule regarding consent. It clarifies why physicians may voluntarily choose to obtain their patient's consent. In addition, this section explains the implications of the definition of treatment, payment and health care operations. The FAQs offer helpful guidance on the differences between consent to use and disclose protected health information and informed consent for treatment. The FAQs also discuss the implications of use and disclosure of protected health information, authorization, ambulance services, common pharmacists' practices, professional liability insurance, and the use of debt collection agencies.
Notice of privacy practices
This section provides a thorough overview of the Notice of Privacy Practices, explaining its content and when it should be provided. Electronic notice requirements are also discussed. The FAQs provide specific guidance about the notice in relation to other forms required by the Privacy Rule. The FAQs also provide examples such as notification to patients of changes to the notice and timing as to when to provide the notice.
Content provided by: Web Site Communications
