The First Official Guidance on the HIPAA Privacy Rule: Reality Checks Back In.

John R. Christiansen, Stoel Rives LLP

One of the first promises made by U.S. Department of Health and Human Services (“HHS”) Secretary Tommy Thompson after the publication of the Final Rule on the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) was that HHS would quickly follow up with guidance on the interpretation of the rule. The first guidance document (the “July 6 Guidance”) was published by the HHS Office for Civil Rights (“OCR”), the primary Privacy Rule enforcement office, on July 6, 2001.

The single most valuable contribution of the July 6 Guidance may be its communication of a realistic approach to interpretation, which has been lacking in some of the policy and compliance discussions. Concern has been expressed that HHS would require a dramatic, very expensive re-engineering of health care processes, procedures and facilities. Some of these expressions of concern may have been politically motivated, but there have also been many legitimate questions. The July 6 Guidance should serve to allay some of these concerns, as it suggests there will be amendments to the Privacy Rule which will accommodate a number of common situations in realistic ways that recognize established practices. It also states how the Privacy Rule will be officially interpreted in some situations; these interpretations may not result in amendments to the regulation, but may be helpful in resolving ambiguities and filling gaps in the application of the rule.

Legal Status of Guidance.

While the July 6 Guidance is helpful, it must be remembered that it does not have the same binding effect as a statute or regulation. In the hierarchy of legal authority, statutes trump regulations, and regulations trump other regulatory documents such as the July 6 Guidance. What this means in practice is that if the July 6 Guidance is inconsistent with either the Privacy Rule or with HIPAA itself, the higher authority will control. Until the provisions of the July 6 Guidance are actually incorporated in a properly published amendment to the Privacy Rule, then, they should be considered advisory: useful in applying the Privacy Rule to specific situations, but to be analyzed with care in any situation where they appear to conflict with the Privacy Rule itself.

Of course, compliance with the Privacy Rule will not be required until April 14, 2003. Since HHS has the authority to amend the HIPAA rules on an annual basis, there will be a window of opportunity for the incorporation of provisions from the July 6 Guidance into the Privacy Rule, and other amendments, opening next Spring. Since enforcement of the Privacy Rule cannot officially happen before the compliance date – though there is at least one reported case in which a judge applied HIPAA “by analogy” – there should be time to amend the Privacy Rule itself to ensure that the useful amendments suggested by the July 6 Guidance are incorporated.

Generally, HIPAA compliance appears to be evolving into a regulatory regime like that applicable to health care fraud and abuse/anti-kickback enforcement. This is appropriate, since both HIPAA and the fraud and abuse laws are fundamentally criminal statutes stating general obligations, which must be fleshed out by specific regulations. The HHS Office of the Inspector General has published a substantial number of fraud and abuse compliance guidance documents, so the publication of the July 6 Guidance suggests a comparable approach may be emerging. In fact, the compliance guidance provided in the fraud and abuse field can be a useful template for HIPAA compliance.

Issues Covered by the Guidance.

The July 6 Guidance discusses Privacy Rule issues concerning individual consents to use and disclosure of information; the “minimum necessary” information use and disclosure standard; oral communications; business associates; parents and minors; health-related communications and marketing; research; restrictions on government access to information; and payment. These are not all of the areas of concern, but may be considered the “high points” of Privacy Rule criticism received by HHS.

Individual Consents to Use or Disclosure of Information.

From a practical standpoint it is not clear why HHS chose to address consents as an issue. The July 6 Guidance confirms that a consent is an executed document which health care providers in direct treatment relationships must obtain before using or disclosing protected health information for treatment, payment or health care operations; plans, clearinghouses, business associates and providers in indirect treatment relationships are not required to obtain one. Most of the discussion re-states the terms of the Privacy Rule, though perhaps in a more accessible fashion.

There is substantial clarification of how consents work in the context of pharmacies and prescription pick-up, which may have been included due to Secretary Thompson’s publicly expressed concerns that the Privacy Rule would interfere with customary practices. The July 6 Guidance states that the Privacy Rule will be amended to permit a pharmacy to fill phoned-in prescriptions for new patients without first obtaining a consent (and consistently, that the rule will be amended to permit scheduling of procedures, etc., by other kinds of providers upon referral of a new patient).

The Privacy Rule is also interpreted – but will apparently not be amended – to permit family members picking up prescriptions based on the pharmacist’s “reasonable inference of the patient’s best interests.” The same kind of professional judgment standard is also interpreted to apply to determination whether emergency care should be given prior to attempting to get a consent.

Other useful interpretations include a clarification that providers are not required to review other covered entities’ own consent forms for consistency before releasing protected information, and that a covered entity need not verify a signature on a consent form if the individual is not present when it is signed. Electronic consents may be used so long as they are “signed,” but no guidance is given on the kind of electronic signature which may be used.

Minimum Necessary Standard.

The Privacy Rule requires that covered entities use or disclose only the “minimum necessary” protected information for any given purpose, except for treatment purposes among health care providers; to the individuals who are the subject of the information; pursuant to an authorization by the individual; for compliance with the HIPAA transactions standards; to HHS for HIPAA enforcement purposes; and when required by law. This particular requirement, while understandable, may be one of the more problematic provisions since efficient compliance will require development of coordinated, consistent policies and practices throughout the health care sector.

Generally, the July 6 Guidance re-states and clarifies Privacy Rule indications that compliance with this standard will require identification and classification of the persons within organizations who need access to protected information, and establishment of policies and procedures for use and disclosure of information for routine situations or transactions. Organizations will also need to establish procedures for making determinations in non-routine situations. The Guidance clarifies that a patient’s entire medical record can be released for treatment purposes, or for other purposes if there has been a reasoned determination that this is the minimum necessary data set.

Generally speaking, HIPAA privacy compliance obligations are supposed to be “scalable,” and consistently with this the July 6 Guidance clarifies that compliance with this requirement does not per se require extensive facility re-design. If it is reasonable to reconfigure systems or protocols for access control, that should be done; such basic modifications as providing locks for file cabinets or records rooms and passwords for computers are suggested as examples of appropriate changes. The July 6 Guidance indicates that there was no intent to per se prohibit such common practices as use of X-ray light boards, medical charts at the patient bedside, and waiting room sign-in sheets, but that the Privacy Rule will be amended to clarify their proper management.

Oral Communications.

One of the more controversial changes from the draft to the final Privacy Rule was the expansion of coverage to include protected health information in oral form. While medical professionals have always been held to an ethical duty not to speak publicly about confidential patient matters, the expansion of a regulatory compliance regime to this area caused considerable discussion.

The July 6 Guidance clarified that health care providers are free to discuss treatment-oriented matters with each other at nursing stations, on the phone when otherwise appropriate, in joint treatment areas, and during training rounds. It also indicated that calling out patient names in waiting rooms is permitted, and that the Privacy Rule will be amended to cover these matters.

The July 6 Guidance specifically clarified that the Privacy Rule does not per se require private patient rooms, soundproofing, or encryption of phone systems or wireless transmissions. (Again, however, note that for some organizations under some conditions it might not be reasonable to permit unencrypted transmissions; as always, there must be a reasoned determination made.) Minor procedural adjustments consistent with customary practice are likely to be adequate in many settings, as in the use of screens or dividers and speaking in lowered voices in shared patient rooms. Oral communications need not be recorded and do not become part of the “official record,” unless they are used to make decisions about the individual. However, a record of some oral disclosures may need to be maintained and kept available to the individual.

Business Associates.

The primary purpose of most of the discussion of business associates in the July 6 Guidance appears to be justification of their indirect regulation by contract. However, it does provide a potentially helpful clarification that the business associate contract does not simply “pass through” the covered entity’s compliance obligations, but imposes a narrower set of obligations as defined in the contract rather than in the regulation.

Parents and Minors.

Parental rights to information about treatment provided to their minor children are a politically sensitive issue. The July 6 Guidance clarifies that this is primarily governed by state, not federal, law. It is worth noting the clarification that a provider need not provide parental access if the parent has agreed that the child should consult the provider without parental access, or if in the provider’s reasonable professional judgment the child has been or may be subjected to abuse or neglect, or disclosure to the parent could otherwise endanger the child.

Health-related Communications and Marketing.

The scope of “marketing” under the Privacy Rule has been problematic. Covered entities have many legitimate reasons to communicate about products and services to their patients, which under a strict reading of the rule might be “marketing” communications that individuals must be permitted to opt out of receiving. This is particularly risky because a failure to adequately track such elections, leading to a marketing communication being sent to an individual who had opted out, could be grounds for HIPAA criminal charges, with penalties of up to ten years in prison and $250,000 in fines per violation.

The July 6 Guidance clarifies that “marketing” specifically does not include describing participating providers or plans in a network, or services offered by a provider or benefits covered by a plan. Information about an individual may also be used to create communications which are intended to further treatment, as with the recommendation of specific pharmaceuticals by brand name, or when recommending a smoking-cessation program to a patient who smokes. In-person communications are acceptable, as is the provision of “products or services of a nominal value” (e.g. a toothbrush with the name of the dental care provider). There is also a useful clarification that the kind of “marketing” which can be based upon an “opt out” procedure must meet certain criteria, and that any communication not meeting these criteria must be based on a specific authorization.

Research.

Any covered entity undertaking research should undertake a thorough study of the Privacy Rule, the rules governing the Institutional Review Boards used to approve federally-funded research, and any other laws (such as the Clinical Laboratory Improvement Amendments of 1988 or the Food and Drug Administration’s human subjects regulations) which may apply. The July 6 Guidance clarifies that the Privacy Rule is intended to permit research to go forward, but this is a heavily regulated area and needs to be approached on a prudent, informed basis.

Government Access to Information.

Government access to information under HIPAA has been one of the more politically controversial issues. Some uninformed privacy advocates attacked the draft privacy regulation for allegedly creating an obligation for physicians to send their patients’ records to a mythical centralized federal database, while some in Congress still express concern that law enforcement agencies may have inappropriate access to protected information under HIPAA.

The July 6 Guidance clarifies that the only specific requirement for government access to information under the Privacy Rule is access by OCR for enforcement purposes, and states that the information sought for such purposes will be carefully limited and protected. While the Privacy Rule does state minimum conditions for disclosures for law enforcement purposes, these will be superseded by any more restrictive state laws.

Payment.

The primary points made in the discussion of payment issues are that limited disclosures may be made to consumer credit reporting and debt collection agencies. The July 6 Guidance indicates that there should be no conflict between the Privacy Rule and the Fair Credit Reporting Act or the Fair Debt Collection Practices Act. A collection agency retained by a covered entity would, however, be considered a business associate.

Conclusion.

The July 6 Guidance contains some useful items and indications of the probable direction of future regulations and enforcement. Generally, it may be most valuable for the “reality check” it should provide against some of the more extreme speculation and discussion about HHS’ intent and the consequences of the Privacy Rule. In historical context we may well come to see HIPAA as an evolutionary, not a revolutionary, change, as the regulations are more clearly adapted to existing standards and customs, and those standards and customs are in turn adapted to meet the concerns expressed in the regulations. Over the short term, in which organizations and individuals must make practical decisions about compliance, this is a helpful publication, and it is to be hoped that HHS will follow this precedent and provide more guidance in the future.


© 2001 The Informatics Review