HIPAA Information

Standards for Privacy of Individually Identifiable Health Information
Summary of Major Changes to Final Rule

Prior Written Consent:
December 2000 Regulation: A healthcare provider must obtain the patient's prior written consent for routine use or disclosure of protected health information for basic activities such as treatment, payment, or healthcare operations. (Ex. A pharmacist may not prepare a prescription phoned-in by a doctor if the patient has not yet provided prior written consent.)

August 2002 Change: Eliminates the prior written consent requirement. Providers have the option of obtaining written consent, but are not required to do so. Providers have "regulatory permission" to use or disclose health information for treatment, payment and healthcare operations activities. Providers that choose to obtain consent have complete discretion in the process.

Notice of Privacy Practices:
December 2000 Regulation: A healthcare provider must develop a notice of privacy practices for distribution to patients. The notice must describe each purpose for which the provider may use or disclose protected health information including disclosures made as part of treatment, payment or healthcare operations.

August 2002 Change: In lieu of obtaining prior written consent, providers are required to make a "good faith effort" to distribute their Notice of Privacy Practices to patients and obtain written acknowledgment that they received it. Providers should distribute the Notice no later than the date of the first service delivery. The acknowledgment must be in writing, and pharmacists are allowed to have patients sign or initial an acknowledgment in a log book. However, the patient must be informed on the log book of what they are acknowledging, and the acknowledgment cannot also be used as a waiver for something else, such as a waiver to consultation with a pharmacist. If a provider cannot obtain written acknowledgment (such as in an emergency or a patient's refusal to give it), the provider must document his or her efforts to obtain it. The regulation also encourages providers to use a "layered" notice that consists of a short notice that briefly summarizes the patient's rights attached to the full notice that contains all of the elements required by the rule.

Authorizations:
December 2000 Regulation: A covered healthcare provider must obtain written patient authorization prior to any use or disclosure of protected health information that does not involve treatment, payment or health care operations. (Ex. marketing, fundraising, etc.)

August 2002 Change: Providers are still required to obtain authorization for use and disclosure outside of treatment, payment and healthcare operations, but providers are no longer required to use different types of authorization forms. The core requirements for authorization forms are standardized into one format.

Marketing:
December 2000 Regulation: A covered healthcare provider must obtain written patient authorization prior to any use or disclosure of protected health information for marketing activities.

August 2002 Change: Providers are still required to obtain authorization for use and disclosure for marketing activities. Marketing involves making a "communication about a product or service that encourages the recipients of the communication to purchase or use the product or service." For example, a pharmaceutical manufacturer offering a pharmacy payment for a list of patients with a particular condition so it can make a communication about its drug product is considered marketing, and would require an authorization. Marketing does not include face-to-face encounters; communications involving a promotional gift of nominal value; or communications with patients involving treatment, the services of the provider, or case management or care coordination for the patient. Refill reminders, even if they are subsidized by a third party, are not considered marketing. Providers may also make communications about general health issues as long as they do not promote a specific product or service.

Minimum Necessary:
December 2000 Regulation: A covered healthcare provider must make reasonable efforts to limit the use or disclosure of health information to the minimum amount necessary to accomplish the intended purpose. The requirement does not apply to treatment activities or communications with patients.

August 2002 Change: Creates an additional exemption for any uses or disclosures for which the provider has obtained an authorization.

Disclosures for Treatment, Payment & Health Care Operations:
December 2000 Regulation: A covered health provider may use and disclose health information for treatment, payment or healthcare operations. For treatment purposes, health information can generally be shared without restriction. However, a provider is limited to using and disclosing health information for his or her own payment and healthcare operation activities. The provider must have authorization to share this information with another entity.

August 2002 Change: Providers may disclose health information for the treatment, payment and certain healthcare operation purposes of another entity.

Incidental Uses and Disclosures:
December 2000 Regulation: Did not expressly address incidental uses and disclosures of health information, but requires providers to make reasonable efforts to safeguard health information from any intentional or unintentional use or disclosure that violates the rule.

August 2002 Change: Acknowledges that incidental uses or disclosures may occur in conjunction with lawful use or disclosure of health information. Incidental uses and disclosures are not considered a violation of the regulation as long as the provider has applied reasonable safeguards and implemented the minimum necessary standard. For example, providers must take reasonable efforts not to be overheard discussing patient health information, but they do not need to build a soundproof counseling area.

Uses and Disclosures Regarding FDA-Regulated Products & Activities:
December 2000 Regulation: A covered healthcare provider may disclose health information without consent or authorization for public health purposes, or to persons subject to FDA jurisdiction.

August 2002 Change: Clarifies that providers may disclose health information without an authorization to a person subject to FDA jurisdiction to collect or report adverse events, track FDA-regulated products, enable product recalls or conduct post-marketing surveillance.

Patient Access to Records:
December 2000 Regulation: Patients may inspect and obtain a copy of their protected health information and a record of any uses or disclosures of protected health information made outside of treatment, payment or healthcare operations.

August 2002 Change: Upon request, providers must provide a record of use and disclosures not related to treatment, payment or healthcare operations, or those not covered by a patient authorization. The regulation also provides exceptions for incidental disclosures and disclosures made as part of a limited data set.

Business Associates:
December 2000 Regulation: Healthcare entities must have written contracts with business associates that receive or create protected health information from or on behalf of the covered entity.

August 2002 Change: The regulation gives providers an additional year to revise existing contracts with business associates (April 14, 2004). This extension only applies to existing business contracts. New business associate contracts, as well as existing contracts that must be renewed prior to April 14, 2003, must comply with the original deadline of April 14, 2003. The regulation includes sample business associate contract provisions. The regulation also clarifies that covered providers are not required to monitor the actions of their business associates. However, if a covered provider is aware of a violation of the business associate contract, the provider must take steps to end the violation.

Research:
December 2000 Regulation: A healthcare entity may utilize protected health information for the purpose of research if the entity has received the patient's authorization, or if the entity has received a waiver of authorization from an Institutional Review Board (IRB) or a privacy board.

August 2002 Change: Eliminates the need for researchers to use multiple consent forms. A researcher may use one form to secure consent for research activities and authorization to use or disclose health information. More closely follows requirements found in the "Common Rule" that governs federally funded research. The transition provisions are also expanded to prevent needless interruption of ongoing research.

 
