Health care providers are expected to meet the April 14 Privacy Rule deadline.

A significant compliance date for health care providers has already passed, and another is quickly approaching. Many health care providers took advantage of the compliance extension that the 107th Congress provided last year for implementing the electronic transactions regulations, but no such extension should be expected for the upcoming April 14, 2003, Privacy Rule compliance date. That means that health care providers have approximately 3 months until full Privacy Rule compliance is due. Is your practice ready?

Following US Department of Health and Human Services (HHS) Secretary Tommy Thompson’s March 2002 call for additional public comment to ensure that compliance with the Privacy Rule would not have the unintended effect of adversely affecting patient access to quality health care, a modified Privacy Rule was published in August 2002 that significantly lowered the administrative burdens health care providers face. This article briefly discusses some of these modifications that are particularly relevant to health care providers, especially in light of the December 3, 2002, guidance document published by the HHS Office of Civil Rights (OCR), the government entity charged with Privacy Rule enforcement. This article also offers practical suggestions on how to prepare for the upcoming April 14 compliance date.

Perhaps the single change most relevant to health care providers is the elimination of the consent requirement. HHS OCR acknowledged in its guidance document that the pre-August 2002 Privacy Rule would have had the “unintended effect of preventing health care providers from providing timely, quality health care to individuals in a variety of circumstances,” such as in the areas of prescription fulfillment and preadmission scheduling and preparation.

Although obtaining consent is now optional for covered entities under the Privacy Rule, state law may still require consent and these laws typically apply to health care providers. As such, health care providers also need to be aware of state privacy requirements that may affect their practice.

To counterbalance the removal of the mandatory consent requirement, the Privacy Rule contains a strengthened notice requirement that affords individuals “the opportunity to engage in important discussions” about how their protected health information (PHI) is used and disclosed. Certain health care providers are required to inform individuals about how PHI is used and disclosed, the manner in which individuals may exercise their privacy rights, and what legal obligations the health care provider must satisfy with respect to such PHI.

Health care providers with a direct treatment relationship must provide notice no later than the date of first service delivery and make a good faith effort to obtain an individual’s written acknowledgment of receipt of the notice. Even if an individual refuses to provide the acknowledgment, a health care provider may still use or disclose the individual’s PHI for purposes of treatment, payment, and health care operations without risk of being sanctioned, so long as the health care provider documents his or her efforts to obtain the acknowledgment and the reason why it was not obtained.

Both the notice distribution and acknowledgment requirements are flexible for the particular needs of the health care provider. For example, an electronic or paper-based system may be utilized to satisfy the notice and acknowledgment requirements. Timing of the provision of notice is also flexible. For example, in emergency situations a health care provider is not required to provide notice and attempt to obtain an individual’s acknowledgment on the date of first service delivery, but rather must do so as soon as reasonably practicable after the emergency. Additionally, health care providers that collect information prior to a patient’s visit are not required to provide notice and attempt to obtain an individual’s acknowledgment at the time when such information is collected, so long as such measures are taken when the patient receives service.

In response to concerns from health care providers that many customary practices in the health care industry technically violated the pre-August 2002 Privacy Rule, HHS modified the Privacy Rule to permit certain incidental uses and disclosures of PHI, provided that covered entities apply reasonable safeguards and implement the minimum necessary standard to limit incidental uses and disclosures to that which is minimally necessary for the intended purpose of such use or disclosure.

As a practical matter, this means that although the Privacy Rule “does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards,” certain reasonable protections and limitations must be implemented. For example, OCR believes that major facility redesigns, such as soundproofing walls, generally are not required, but that reasonable safeguards “will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business.”

Furthermore, customary practices such as calling a patient’s home to confirm an appointment, using sign-in sheets, and maintaining medical charts outside an examination room are permissible so long as the covered entity observes the minimum necessary standard. This may include limiting telephone messages to the physician’s name and call-back number, including only the patient name on sign-in sheets (as opposed to including medical condition or reason for visit), and turning a medical chart to face the door so that passersby do not inadvertently review an individual’s PHI.

With the compliance date quickly approaching, many health care providers already have significant compliance efforts under way. For those providers that have not begun to assess their compliance needs, and for those that have started but are not yet ready to comply, the following steps should be taken as soon as possible in order to minimize the risk of noncompliance. First, a health care provider must determine whether it is a covered entity and therefore required to comply with the Privacy Rule. If a health care provider conducts certain electronic health care transactions, then it is likely that the provider is a “covered entity” for purposes of Privacy Rule compliance.

Next, the health care provider must understand what type of information constitutes PHI. Generally, PHI is the combination of an individual identifier with some aspect of that individual’s health care, but the actual definition is set forth in the Privacy Rule. For example, an individual’s social security number, without more, does not constitute PHI. However, tying that individual’s social security number with a health care claims transaction would create PHI. And it is this latter type of information that the Privacy Rule protects.

The next step is to map the flow of PHI, both within and outside the health care provider’s practice. For each use and disclosure of PHI that is identified, the purpose of each use and disclosure should be assessed to determine whether it satisfies the Privacy Rule’s requirements. When PHI is transmitted outside the health care provider’s practice in order for the recipient entity to perform some business function on the provider’s behalf, such as a disclosure of PHI to a billing or collection company for purposes of the provider’s reimbursement, an appropriate business associate contract should be executed between the parties to ensure that the PHI transmitted will be adequately protected. HHS published Sample Business Associate Contract Provisions in the appendix to the August 2002 modification, which health care providers may modify to their own particular needs in order to satisfy this obligation.

After mapping the flow of PHI, a health care provider should conduct a gap analysis to understand where it is in terms of its current state of HIPAA compliance relative to where it needs to be by the compliance date.

Finally, the organization can begin developing policies and procedures to address the Privacy Rule’s substantive requirements.

Although HIPAA compliance is a significant undertaking, the August 2002 modifications to the Privacy Rule and the recent OCR guidance document demonstrate that HHS considers operational feasibility a legitimate concern for health care providers. That noted, however, protection of individual privacy rights carries substantially greater weight than operational feasibility, so health care providers should not anticipate a compliance extension from the 108th Congress, primarily because the current administration has already responded to many concerns in the health care industry by modifying what previously was deemed the “final” Privacy Rule. Moreover, health care providers should be prepared to comply with the Privacy Rule by April 14 of this year because there are both civil and criminal penalties for noncompliance.

Steven D. Morgan is an attorney in the Health Law Department of McDermott, Will & Emery’s Washington, DC, office. Morgan can be reached at (202) 756-8205 or [email protected].