How will you make any changes?
Any changes to the final rule must be made in accordance with the Administrative Procedures Act (APA). HHS intends to comply with the APA by publishing its rule changes in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a final rule to implement appropriate modifications.
Congress specifically authorized HHS to make appropriate modifications in the first year after the final rule took effect in order to ensure the rule could be properly implemented in the real world. We are working as quickly as we can to identify where modifications are needed and what corrections need to be made so as to give covered entities as much time as possible to implement the rule. Covered entities can and should begin the process of implementing the privacy standards in order to meet their compliance dates.
[45 CFR § 164.506]
The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient’s written consent before using or disclosing the patient’s personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient’s consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients’ consent for uses and disclosures of health information about the patient to carry out TPO.
• Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO. Exceptions to this standard are shown in the next bullet.
• Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
• Health care providers that have indirect treatment relationships with patients (such as laboratories that only interact with physicians and not patients), health plans, and health care clearinghouses may use and disclose PHI for purposes of TPO without obtaining a patient’s consent. The rule permits such entities to obtain consent, if they choose.
• If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient.
• A patient’s written consent need only be obtained by a provider one time.
• The consent document may be brief and may be written in general terms. It must be written in plain language, inform the individual that information may be used and disclosed for TPO, state the patient’s rights to review the provider’s privacy notice, to request restrictions and to revoke consent, and be dated and signed by the individual (or his or her representative).
• An individual may revoke consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.
• An individual may request restrictions on uses or disclosures of health information for TPO. The covered entity need not agree to the restriction requested, but is bound by any restriction to which it agrees.
• An individual must be given a notice of the covered entity’s privacy practices and may review that notice prior to signing a consent.
• A covered entity must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by the covered entity.
• Certain integrated covered entities may obtain one joint consent for multiple entities.
• If a covered entity obtains consent and also receives an authorization to disclose PHI for TPO, the covered entity may disclose information only in accordance with the more restrictive document, unless the covered entity resolves the conflict with the individual.
• Transition provisions allow providers to rely on consents received prior to April 14, 2003 (the compliance date of the Privacy Rule for most covered entities), for uses and disclosures of health information obtained prior to that date.
Also, learn more about how we may help you become compliant with HIPAA Security Standards with our HIPAA Security Assessment ToolKit™ and HIPAA compliance software tool.
Thank you for reading our HIPAA Privacy FAQ posts which are intended to help you understand and comply with the HIPAA laws.