Modifications To HIPAA Privacy Rule Become Final

By Jay B. Silverman and Keshia B. Thompson

On August 14, 2002, the United States Department of Health and Human Services (HHS) published final modifications to the Health Insurance Portability and Accountability Act Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule). The HIPAA Privacy Rule creates national standards to protect individuals’ personal health information and gives patients increased access to their medical records. The HIPAA Privacy Rule affects health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Covered entities must comply with the Privacy Rule by April 14, 2003. The following is an overview of the final modifications.

Information Used for Marketing — The final HIPAA Privacy Rule requires covered entities to obtain an individual’s prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value. It defines marketing to distinguish between the types of communications that are and are not marketing. It makes clear that a covered entity is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party without the individual’s authorization. The HIPAA Privacy Rule clarifies that marketing does not include a doctor’s (or other covered entity’s) communication with patient about treatment options or the covered entity’s own health-related products and services.

Consent and Notice — The final HIPAA Privacy Rule incorporates changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional. It requires covered entities to provide patients with notice of the patients’ privacy rights and the privacy practices of the covered entity. The strengthened notice requires direct treatment providers to make a good faith effort to obtain patient’s written acknowledgement of the notice of privacy rights and practices. The Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity.

Uses and Disclosures Regarding Food and Drug Administration (FDA)-Regulated Products and Activities — The final HIPAA Privacy Rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products. This assures that information will continue to be available to protect public health and safety.

Incidental Use and Disclosure — The final HIPAA Privacy Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur and that they are not considered a violation provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse’s stations without fear of violating the rule if overheard by a passerby.

Authorization — The final HIPAA Privacy Rule eliminates the requirements to have separate and different authorization forms for uses or disclosures requested by the individual and for uses and disclosures requested by or from the covered entity, as well as for clinical research. The Rule mandates one form for all purposes and sets forth the required elements that must be included in a valid authorization.

Minimum Necessary — The final HIPAA Privacy Rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. Minimum necessary requirements are still in effect to ensure an individual’s privacy for most other uses and disclosures.

Parents and Minors — The final HIPAA Privacy Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor’s health information to a parent, or access to a child’s medical record by a parent, the final HIPAA Privacy Rule clarifies that state law governs. In addition, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents’ ability to access the child’s health information, a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.

Business Associates –- The HIPAA Privacy Rule requires that covered entities have contracts with third parties with whom they share information. These third parties are known as “business associates”. The final HIPAA Privacy Rule gives covered entities up to an additional year (until April 14, 2004) to change existing written contracts to come into compliance with the business associate requirements. The additional time will ease the burden of covered entities renegotiating contracts all at once.

Health Care Operations: Changes in Legal Ownership — The final HIPAA Privacy Rule clarifies the definition of “health care operations” to allow a covered entity that sells or transfers assets to, or consolidates or merges with, an entity that is, or will be, a covered entity upon completion of the transaction, to use and disclose protected health information in connection with such transaction. Consequently, protected health information may be exchanged for the purpose of due diligence review conducted as part of the transaction.

Accounting of Disclosures — The final HIPAA Privacy Rule exempts disclosures made pursuant to an authorization from the accounting requirements. The authorization process adequately protects individual privacy by assuring that the individual’s permission is given both knowingly and voluntarily.

Disclosure for Treatment, Payment or Health Care Operations of Another Entity — The final HIPAA Privacy Rule clarifies that covered entities can disclose without an authorization protected health information for the treatment and payment activities of another covered entity or a health care provider, and for certain health care operations of another covered entity.

Protected Health Information: Exclusion for Employment Records — The final HIPAA Privacy Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are excluded from the definition of protected health information. The final modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.

Jay Silverman, formerly the Assistant General Counsel for the Medical Society of the State of New York, is an attorney and member of the Health Law Department of Ruskin Moscou Faltischek, P.C. where he chairs the firm’s HIPAA Compliance Group. Jay can be reached at (516) 663-6606 or

Keshia Thompson is an Associate in Ruskin Moscou Faltischek’s Health Law and Seniors’ Housing Departments as well as a member of its HIPAA Compliance Group. She can be reached at (516) 663-6635 or  Ruskin Moscou Faltischek is General Counsel to the Suffolk County Medical Society.