Final Rule Modifications

Final Modifications To HIPAA Privacy Rule – August 14, 2002
Donald R. Moy 

The United States Department of Health and Human Services (HHS) issued the final modifications to the HIPAA Privacy regulation, published in the August 14, 2002 Federal Register.

A summary of some of the more important modifications follows:

1. Consent. The Final Rule makes the obtaining of consent to use and disclose protected health information (PHI) for treatment, payment or health care operations (TPO) optional. A health care provider that has a direct treatment relationship is not required under the Privacy Rule to obtain an individual’s consent prior to using and disclosing information about the individual for TPO purposes.

The vast majority of commenters (including MSSNY) supported elimination of the consent requirement. Commenters pointed out the practical problems that would result from the consent requirement. For example, physicians who do not provide treatment in person were concerned that they would have had difficulty obtaining prior written consent to use PHI at the first service delivery. The comments convinced HHS that the prior written consent requirement to use or disclose PHI for TPO purposes would result in unintended consequences that would impede the provision of health care in many critical circumstances, and HHS agreed to make written consent optional.

2. Notice of Privacy Practices – Written Acknowledgment
The Privacy Rule requires covered entities to provide individuals with adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and of the individual’s rights and the covered entity’s responsibilities with respect to PHI. This is referred to as the "Notice of Privacy Practices" for PHI.

In place of the Written Consent requirement, the April 2002 Final Modification to the Privacy Rule requires that a covered health care provider with a direct treatment relationship make a good faith effort to obtain an individual’s written acknowledgment of receipt of the provider’s Notice of Privacy Practices.

The health care provider is required to make a good faith effort to obtain the written acknowledgment no later than the first service delivery, including where the first service delivery is by phone, is electronic, or is otherwise not face to face (e.g. telemedicine). If the health care provider is unable to obtain the individual’s written acknowledgment of receipt of the notice, the health care provider will be required to document the good faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained. In the case of emergency treatment situations, the health care provider must make a good faith effort to obtain the individual’s written acknowledgment when it is "reasonably practical" after the emergency.

The Privacy Rule requires that the acknowledgment be in writing but does not prescribe the form that the acknowledgment must take or the process for obtaining the acknowledgment. For example, the Rule does not require an individual’s signature to be on the notice. Instead, a covered health care provider is permitted, for example, to have the individual sign a separate sheet or list, or to simply initial a cover sheet of the notice to be retained by the health care provider.

Some commenters requested that the written acknowledgment requirement not be implemented when the health care provider’s first service delivery is by phone, is through electronic means or is otherwise not face to face (e.g. telemedicine). The commenters stated that the requirement to provide the Notice of Privacy Practices and the good faith requirement to obtain a Written Acknowledgment should be triggered by the first face to face service delivery. DHHS decided, however, that the requirements are triggered at the date of first service delivery even if the first service delivery is not face to face (except an emergency). DHHS clarified, however, that if the telephone contact is simply to schedule an appointment, the notice provision and acknowledgment requirements may be satisfied at the time of the scheduled appointment.

If the health care provider’s first treatment encounter with a patient is over the phone, the notice requirement can be satisfied by the health care provider by mailing the Notice of Privacy Practices to the individual no later than the day of that service delivery. To satisfy the requirement that the provider made a good faith effort to obtain the individual’s acknowledgment of the notice, the health care provider may include a tear-off sheet or other document with the notice that requests such acknowledgment be mailed back to the health care provider. If the Notice of Privacy Practices is delivered electronically, a health care provider should be capable of obtaining the individual’s acknowledgment of receipt electronically in response to that transmission.

HHS clarified that a health care provider is not required to obtain from individuals a new acknowledgment of receipt of the notice if the health care provider modifies or revises its privacy policy. Upon revision of the Notice of Privacy Practices, the Privacy Rule requires only that the direct treatment provider make the notice available upon request on or after the effective date of the revision, and if the provider maintains a physical service delivery site, to post the revised notice in a clear and prominent location in the facility.

3. Authorization
An authorization generally allows use and disclosure of PHI for purposes other than TPO. A covered entity must obtain an authorization to make uses and disclosures not otherwise permitted or required under the Privacy Rule. For certain specific circumstances, a covered entity may disclose PHI without authorization relating to health oversight activities by public health authorities or pursuant to other public health obligations; e.g., reporting communicable disease, public health investigations, reports of child abuse, law enforcement activities, etc. 

The December 2000 Final Rule required different forms of an authorization for different types of communication. The Final Modification requires only one form regardless of the type of disclosure.

The following are the core elements for a valid authorization:
    1. A description of the information to be used or disclosed;
    2. The identification of the person or class of persons authorized to make the use or disclosure of the PHI;
    3. The identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure;
    4. A description of each purpose of the use or disclosure;
    5. An expiration date or event;
    6. The individual’s signature and date; and
    7. If signed by a personal representative, a description of his or her authority to act for the individual.

Required Statements. In addition to the core elements, the authorization must contain the following statements:
  1. A statement regarding the individual’s right to revoke the authorization, and how the individual may revoke the authorization.
  2. A statement whether the health care provider may condition treatment on obtaining the authorization. Generally, the Privacy Rule prohibits conditioning treatment on obtaining an authorization. The exceptions to this requirement include research-related treatment, and health care solely for creating PHI for disclosure to a third party (e.g. physician examines patient for sole purpose of submitting report to employer).
  3. A statement concerning the possibility that the PHI may be redisclosed by the recipient.

4. Incidental Uses and Disclosures
The December 2000 Rule did not address incidental uses and disclosures of PHI. The Privacy Rule, generally, requires covered entities to make reasonable efforts to limit the use or disclosure of PHI to the "minimum necessary" to accomplish the intended purpose. Many commenters expressed concern to HHS that the Privacy Rule establishes such strict standards that it would not allow incidental or unintentional disclosures that occur as a by-product of engaging in health care communications and practices. For example, concern was expressed that health care providers could not engage in confidential conversations with patients or other health care providers if there is a possibility that they could be overheard. Others questioned whether they would be prohibited from using sign-in sheets in waiting rooms or maintaining patient charts at bedside, or whether they would need to isolate x-ray lightboards.

HHS clarifies in the April 2002 Final Modification that incidental disclosures that occur as a by-product of a permitted use or disclosure are permitted, so long as the facility has in place reasonable administrative, technical and physical safeguards to protect PHI. HHS reiterates that the Privacy Rule is not intended to impede common health care communications and practices that are essential in providing health care to the individual. The April 2002 Final Modification states that the new provision permitting incidental uses and disclosures is intended to increase confidence that such practices as sign-in sheets and calling out names in waiting rooms may continue even if incidental use or disclosure may occur.

5. Sale, Transfer or Consolidation of Health Care Practices
The December 2000 Privacy Rule included in the definition of health care operations the disclosure of PHI for the purpose of "due diligence" with respect to the contemplated sale or transfer of all or part of a covered entity’s assets to a potential successor in interest who is a covered entity. However, the regulation itself did not expressly provide for the transfer of PHI upon the sale or transfer of assets to a successor in interest. This omission caused concern to many commenters. The Final Modifications to the Privacy Rule add language to the definition of health care operations to clarify the intent of HHS to permit transfer of records to a covered entity upon a sale, transfer, merger or consolidation of health care practices.

6. Parental Access to Records of Minors
The Final Modification clarifies that state law governs with respect to parents’ access to records of minor children. The modification clarifies that State law governs not only when the State law explicitly addresses disclosure of PHI to a parent, but also when the State law provides discretion to the health care provider. The Final Modification assures that State law governs when the law explicitly requires, permits, or prohibits access to PHI about a minor to a parent. This includes deference to the State’s established case law as well as the State’s statutes or regulations.

7. Business Associate Agreement
HHS has adopted a transition period for certain business associate contracts. The transition period applies to covered entities who have an existing contract (or other written agreement) with a business associate prior to the effective date of this modification, provided that the contract is not renewed or modified prior to the April 14, 2003 compliance date of the Privacy Rule. Covered entities with such contracts are permitted to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner. During the transition period, such contracts are deemed to be compliant with the Privacy Rule.

The transition period applies to contracts that renew automatically, without any change in terms or other action by the parties (known as "evergreen contracts") that exist by the effective date of this modification.

An Appendix to the August 14 Final Modification includes "Sample Business Associate Contract Provisions" (included elsewhere in MSSNY’s website).

8. Disclosures for TPO of Another Entity
The Privacy Rule permits a covered entity to use and disclose PHI for TPO. For treatment purposes, the Rule generally allows PHI to be shared without restriction. The definition of treatment incorporates the necessary interaction of more than one entity. In particular, the definition of "treatment" includes the coordination and management of health care among health care providers or by a health care provider with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another.

However, for payment and health care operations, as published in the December 2000 Privacy Rule, a covered entity, generally, could only use and disclose PHI for its own payment and health care operations. A covered entity was required to obtain an authorization to disclose PHI for the payment or health care operations of another entity.

Numerous commenters stated that these restrictions could impede the ability of certain entities to obtain reimbursement. For example, ambulance service providers commented that they normally receive the information they need to obtain payment for their services from the hospital emergency departments to which they transport their patients. Other commenters stated that the restriction could impede QA and QI activities.

The Final Modifications now permit covered entities to disclose PHI for TPO of another entity.
    1. A covered entity may use or disclose PHI for its own TPO.
    2. A covered entity may use or disclose PHI for the treatment activities of any health care provider.
    3. A covered entity may disclose PHI to another covered entity or any health care provider for the payment of the entity that receives the information.
    4. A covered entity may disclose PHI to another covered entity for the health care operation activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the information, the PHI pertains to such relationship, and the disclosure is:
      i. For purposes listed in paragraphs (1) or (2) of the definition of health care operations, which includes QA, QI activities, population based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing or credentialing activities; or
      ii. For the purpose of health care fraud and abuse detection or compliance.
    5. Clarifies that a covered entity that participates in an organized health care arrangement may disclose PHI about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

9. Accounting for Disclosures
Under the Privacy Rule, individuals have a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested.
The December 2000 Final Rule contained the following exceptions to the accounting requirement, whereby the accounting need not include: 
  • Disclosures for TPO purposes;
  • Disclosures to the patient;
  • Disclosures to persons involved in the patient’s care or notices to family members or friends of the patient’s location, general condition and/or death, in accordance with 164.510;
  • Disclosures for national security and intelligence purposes, 164.512(k)(2);
  • Disclosures to law enforcement institutions or law enforcement officials, if the practice, in good faith, believes that the PHI constitutes evidence of criminal conduct that occurred on the premises of the covered entity;
  • Disclosures that occurred prior to the April 14, 2003 compliance date.


The Final Modification to the Final Rule now eliminates the requirement that a covered entity account for disclosures made pursuant to a patient’s authorization. DHHS agreed with the comments that if the patient authorized the disclosure, then the patient should know about the disclosure and there should be no need to account for such disclosure.