The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule/current rule) took effect April 14, 2001. The Privacy Rule creates national standards to protect individuals' personal health information and gives patients increased access to their medical records. To ensure that the provisions of the final rule provide strong privacy protection without hindering access to health care, the Department of Health and Human Services is proposing modifications to the Privacy Rule.

Proposed Modifications to the Final Rule

Consent and Notice -- The proposal would remove the consent requirements that would potentially interfere with the efficient delivery of health care, while strengthening requirements for providers to notify patients about their privacy rights and practices. Specifically, HHS is responding to concerns that the existing consent requirements in the current rule interfere with pharmacists filling prescriptions, referrals to specialists and hospitals, providing treatment over the telephone, and emergency medical providers. Under the proposed changes, patients would be asked to acknowledge receipt of the notice of privacy rights and practices. This change would give patients the opportunity to consider a provider's privacy policies before making health care decisions. This change to consent only applies to uses and disclosures for treatment, payment and health care operations (TPO) purposes. Patient authorizations are still required to use and disclosure information for non-TPO purposes.

Minimum Necessary and Oral Communications -- The "minimum necessary" provision is an essential element in the privacy protections for individual health information. This provision requires covered entities to make reasonable efforts to limit the use and disclosure of and request for protected health information to the minimum necessary to accomplish the intended purpose. The proposal would retain both the oral communication and "minimum necessary" requirements, but it would make clear that a doctor could discuss a patient's treatment with other doctors and professionals involved in the patient's care without fear of violating the rule if they are overheard. As long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information, incidental disclosures -- such as another patient overhearing a fragment of conversation -- would not be an impermissible disclosure.

Business Associates -- The current rule requires covered entities - health plans, health care providers and clearinghouses -- to have contracts with their business associates to ensure the business associates protect the privacy of the information. The proposed includes model business associate contract provisions, to make it easier and less costly for covered entities to implement the requirements. The changes also would give covered entities (except for small health plans) up to an additional year to change existing contracts.

Marketing -- The proposed change would explicitly require covered entities to first obtain the individual's specific authorization before sending them any marketing materials. At the same time, the proposal would permit doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

Parents and Minors -- The proposed change clarifies that state law governs disclosures to parents. In cases where state law is silent or unclear, the revisions would preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records as long as that decision is consistent with state or other law.

Uses and Disclosures for Research Purposes -- The proposed change would eliminate the need for researchers to use multiple consent forms - one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form to accomplish both purposes. The proposal would also simplify other provisions so that the existing rule more closely follows the requirements of the "Common Rule," which governs federally funded research. The provisions include privacy-specific criteria and apply equally to publicly and privately funded research.

Request for Comments on an Alternative Approach to De-Identification -- The department received comments from the research community on the need for an alternative approach to de-identification. HHS is seeking comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain. In addition, to further protect privacy, the department proposes to condition the disclosure of the limited data set on a covered entity's obtaining from the recipient a data use or similar agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, as well as not to re-identify the information or use it to contact any individual.

Uses and Disclosures for which Authorizations Are Required -- The proposed changes would allow the use of a single type of authorization form to get a patient's permission for a specific use or disclosure that otherwise would not be permitted under the Privacy Rule. Patients would still need to grant permission in advance for each type of use or disclosure, but the proposal would eliminate the need for covered entities to use different types of forms to obtain that advance permission.

Other Provisions

The department also proposes the following modifications:

Sale of Business -- The proposal would clarify that the rule permits disclosures in certain circumstances for the sale of a covered entity's business.

Group Health Plans -- The proposal would clarify that a group health plan or health insurance issuer can disclose enrollment or disenrollment information to a plan sponsor without amending plan documents.

Accounting of Disclosures of Protected Health Information -- The proposal would not require the covered entity to account for disclosures for which the individual provided written authorization.

Disclosures for Treatment, Payment, or Health Care Operations of Another Entity -- The proposal would clarify that covered entities can disclose protected health information for the treatment, payment and certain health care activities of another covered entity or health care provider. The proposal would carefully limit the expansion of sharing of information for health care operations to protect the privacy expectations of individuals.

Uses and Disclosures Regarding FDA-Regulated Products and Activities -- The proposal would assure that the rule permits covered entities to continue to disclose information to non- government entities subject to FDA jurisdiction about the quality, safety, and effectiveness of FDA-regulated products and activities -- such as reporting adverse events related to prescription drug use.

Hybrid Entity -- The proposal would permit any entity that performs covered and non-covered functions to elect to use the hybrid entity provisions and would provide the entity additional discretion in designating its health care component. The proposal would clarify that protected health information does not include employment records.

The proposed changes also include a list of technical corrections and additional clarifications related to various sections of the existing rule. Further information about the proposed rule is available on the Web at http://www.hhs.gov/ocr/hipaa/.

(click here to return to GovLink main page)