SBJ logo

YOUR BUSINESS AUTHORITY

Springfield, MO

Log in Subscribe

Privacy rules undergo wide-anging changes

Posted online

|tab|

The government is changing regulations that affect employers that own or sponsor group health care plans, as well as a variety of health care providers. |ret||ret||tab|

Specifically, the U.S. Department of Health and Human Services (HHS) has employers scrambling not only to interpret the proposed regulations relating to patient privacy but also to implement the requirements by the April 14, 2003, deadline. Because of the complexities of the regulations, the time to plan is now. |ret||ret||tab|

On March 27, HHS released proposed modifications to the Health Insurance Portability and Accountability Act's (HIPAA) final privacy rule, which was originally created to protect the confidentiality of individuals' protected health information. While these regulations are only proposed at this point, odds are they'll be approved this fall. |ret||ret||tab|

The HHS proposed these modifications to strengthen and clarify the complex pre-existing regulations and to assist covered entities in implementing the requirements as stated in the privacy rule.|ret||ret||tab|

|ret||ret||tab|

Covered entities |ret||ret||tab|

It may surprise you to know that most employers must protect their employees' health information with the same vigor as physicians, hospitals and other health care providers. That's because the range of covered entities subject to HIPAA requirements is not limited to physicians, hospitals and other health care providers, but can also include employers that own or sponsor group health plans to the extent they receive their employees' protected health information. The privacy rule states that covered entities may only use or disclose protected health information when required or permitted by the privacy rule. |ret||ret||tab|

|ret||ret||tab|

Disclosure requirements|ret||ret||tab|

Required: A covered entity is required to disclose protected health information when an individual requests access to his or her protected health information and when the secretary of HHS requests access to ensure that entities are complying with the privacy rule. |ret||ret||tab|

Permitted: A covered entity is permitted to use or disclose protected health information after receiving signed consent from the patient to the individual for treatment, to collect payment and to carry out its internal operations. With just a few exceptions, any other use or disclosure of protected health information requires the covered entity to first receive a patient's written authorization.|ret||ret||tab|

There are several key areas of the proposed HIPAA modifications. They are: |ret||ret||tab|

|ret||ret||tab|

Prior consent removed|ret||ret||tab|

The proposed changes relating to the consent requirement make it easier for patients to gain access to their own health care needs by making it voluntary for health care providers to use a consent form for the use and disclosure of protected health information for treatment, payment and health care operations. For example, the privacy rule does not currently allow pharmacists to use protected health information to fill a patient's prescription without the patient first signing a consent form at the pharmacy. Removing this consent requirement allows pharmacists to fill a prescription without a patient's written consent.|ret||ret||tab|

|ret||ret||tab|

Notice of privacy practices|ret||ret||tab|

Although the proposed modifications remove the prior consent requirements, they now require providers to document their good faith effort to obtain a patient's written acknowledgment that he/she has received a copy of the notice of privacy practices, except in emergency situations. |ret||ret||tab|

|ret||ret||tab|

Disclosure|ret||ret||tab|

The proposed modifications clarify that covered entities may disclose protected health information for the treatment, payment and certain health care operations of another covered entity or health care provider. This would make it easier for providers to obtain information needed for reimbursement for health care services. For example, ambulance service providers generally receive their patients' payment information from a hospital emergency department. |ret||ret||tab|

The proposed modification allows hospitals to disclose such information without consent or authorization from the patients receiving care. Under the current privacy rule, a covered entity may only use and disclose protected health information for its own payment and health care operations.|ret||ret||tab|

|ret||ret||tab|

Business associates|ret||ret||tab|

The existing privacy rule requires covered entities to have contracts with all business associates, such as lawyers, billing agencies and consultants, to ensure that they follow the privacy rule's requirements. If the business associates do not comply with the privacy rule, then the covered entity is required to correct the violation, terminate the contract with the business associate or report the violation to the HHS. |ret||ret||tab|

The proposed modifications allow physicians and other covered entities (except for small health plans) an additional year, until April 2004, to rewrite their contracts with their potentially numerous business partners. The proposed modifications also include model business associate contract provisions to make it easier and less costly to update contracts.|ret||ret||tab|

|ret||ret||tab|

Marketing |ret||ret||tab|

While the proposed modifications attempt to limit how patients' medical information can be used for marketing purposes, they also expand the definition of what activities are not considered marketing and remove the opt-out provision that allows patients to remove their names from marketing lists. |ret||ret||tab|

So, even though the proposal requires covered entities to obtain an individual's specific authorization before both sending them any marketing materials and before disclosing protected health information for marketing purposes, many opponents believe that covered entities are more easily able to engage in marketing activities. |ret||ret||tab|

As you can see, interpreting and implementing the proposed modifications to HIPAA's privacy rule is extremely complex and affects just about everyone. Entities now have a year to implement the requirements and must start planning now to avoid facing possible civil or criminal penalties. |ret||ret||tab|

|bold_on|(Frank Evans is a member of Lathrop & Gage's Springfield office. His expertise is in health care law, business and employment litigation, business transactions, real estate and financial institution law. Jill Shanker is an associate at Lathrop & Gage's Kan|bold_on|sas City office. She represents clients in a variety of general health care transactions.)|ret||ret||tab|

[[In-content Ad]]

Comments

No comments on this story |
Please log in to add your comment
More from SBJ Daily Update

Council postpones vote on tax payment requirement for occupational licenses

Advanced search
Editors' Pick
Spring 2025 Architects & Engineers Project Report

Schools, athletic facilities, businesses and infrastructure are among the featured projects.

Most Read

Former Drury coach heads to Arizona State

Silver Dollar City parent company inks acquisition

I-44 work underway in Springfield

City: Galloway Village subdivision decision not subject to referendum process

City employee dies in landfill accident

Gaming company sued for back rent in KC

Christmas comes early to Queen City with new C-Street shop

SBJ.net Poll
Who's got your vote for Springfield mayor on April 8?

*

View results

© 2025, Springfield Business Journal, Springfield, Missouri. All Rights Reserved.
Powered by Creative Circle Media Solutions
Update cookies preferences