
Originally Published MX May/June 2002

BUSINESS NEWS

HHS Backtracks on Patient Privacy

In a move meant to clarify the rules for protecting patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services (HHS) recently proposed a broad series of changes to the regulations originally published in December 2000.

Published in the Federal Register on March 27, the proposal would modify some of the key provisions included in the department's earlier rule, entitled "Standards for Privacy of Individually Identifiable Health Information." According to HHS, the new proposal responds to confusion over the impact and operation of the privacy rule in various sectors of the healthcare industry. Areas modified under the revised rule include the following.

  • Consent, including other provisions for uses and disclosures of protected health information for treatment, payment, and healthcare operations.
  • Notice of privacy practices for protected health information.
  • Minimum necessary uses and disclosures, and oral communications.
  • Business associates.
  • Uses and disclosures for marketing.
  • Parents as the personal representatives of unemancipated minors.
  • Uses and disclosures for research purposes.
  • Uses and disclosures of protected health information for which authorizations are required.
  • Deidentification of protected health information.

The department's revisions would simplify or reduce some of the original requirements that hospitals and healthcare professional organizations claimed would be impractical or onerous.

"HHS got a lot of pushback from the professional community to get rid of the consent requirement," says Lisa J. Acevedo, a senior associate in the health law department of the law firm of Foley & Lardner (Chicago). That rule required entities covered under the privacy rule to obtain a patient's consent before using the patient's health information internally or sharing it with other entities.

"Many end-users pointed out that the December 2000 rule on consent had a number of unintended consequences that made it very difficult for healthcare professionals to provide treatment," says Acevedo.

According to HHS, however, many healthcare professionals also commented that eliminating the consent requirement would put them in an awkward position with regard to professional ethics.

In the end, the revised HHS rule merely requires caregivers to obtain written acknowledgment that the patient has received a copy of the covered entity's notice of privacy practices. It permits professionals to request patient consent, but does not require them to do so.

The proposed revisions may set off a battle between the end-user community and patient advocacy groups, who view the reduced requirements as a betrayal of the public trust. "We should not allow the other protections . . . provided in the HIPAA privacy regulations to be carved away until we find ourselves back at square one," says Beth A. Kost, vice president for professional services and corporate compliance officer at Precyse Solutions (King of Prussia, PA), a health information management consulting firm.

Although medtech manufacturers have for the most part stayed away from the HIPAA battleground, they should have an interest in the outcome. According to Acevedo, the revised rules will affect the ways that covered entities can make use of patient information for marketing communications. This will be of interest to manufacturers that provide funding for those communications. The revised rule would also change the ways that institutional review boards permit researchers to handle such information in conjunction with clinical trials.

Even though the HIPAA privacy rules remain directed primarily at healthcare professionals and their facilities, manufacturers should keep an eye on changes in the rules. "The indirect effects are pretty strong," notes Acevedo.

Copyright ©2002 MX