This rule is significant because it establishes for the first time a federally required regime of information practices in the medical industry. The length, and at times complexity, of the preamble discussion may impress small businesses as creating overly burdensome and costly requirements. We believe, however, that several features of the rule, combined with initiatives by the Department and professional associations, will make the rule easily administrable for the vast majority of small businesses.
First, a significant portion of the rule addresses the topic of signed individual authorization for disclosure of health information -- the information that the authorization would include and when such an authorization would be required. Importantly, no patient written authorization would be required when information is disclosed for purposes of treatment and payment and health care operations, or when disclosure is mandated by law. In other words, doctors who disclose patient health information only to other doctors for treatment purposes, or to insurance companies to process payment, or for operational purposes can continue to do so without any change in current practices under this proposal. Only those covered entities who disclose health information to marketers, reporters, private investigators, researchers, and others for purposes unrelated to treatment, payment, and health care operations are required to get the written consent of the patient in accordance with this rule.
Second, the Department plans to engage in outreach and education programs to ease the implementation of this rule for small businesses. Already, this rule provides model forms for getting patient authorization and provides an example of a notice of information practices (another requirement in the rule, described further below). We also expect that professional associations will develop forms tailored to specific groups' needs. The Department pledges to work with professional associations to provide the greatest possible guidance to small businesses covered by this rule.
Third, in implementing this rule, we will apply the principle of scalability, so that a particular entity's characteristics -- including its size, type of business, and information practices -- would be relevant to how that entity adopts procedures to comply with this rule. Take one example: this rule requires the designation of a privacy official. Large health plans dealing with a vast range of information flows may well consider hiring a full-time person to oversee compliance with the rule, to assist in planning systems development, and to draft contracts with business partners, among other tasks. A small doctor's office, on the other hand, may instead determine that an existing office manager could oversee the office's privacy policies. There would be no expectation that this small doctor's office hire a full-time privacy official. In each of these examples, the covered entity would be complying with the rule's requirement that a privacy official be designated -- but the ways that each complies would reflect the different circumstances of each entity's practice.
It is important for small businesses to understand what their obligations would be and to implement the necessary procedures to comply, with the help of the Department's model forms and other resources from professional associations. While most covered entities would need to be in compliance within two years of the final publication of the rule, small businesses would have an extra year to come into compliance.
Here, we set out the principal (although not exclusive) requirements for small businesses:
Each covered entity would have to develop a notice of information practices, which, as described above, could be modeled on the form attached to this proposal or on model forms that we expect professional associations to develop. The notice must accurately reflect the entity's practices and include the elements listed in §164.512.
Covered health care providers would have to provide the notice to individuals at first service after the effective date of the rule. Providers are also required to post a current copy of the notice in a clear and prominent location for individuals to see. Covered health plans would have to provide the notice to any individual covered by the plan when this rule becomes effective, at enrollment, and after any material change to the notice or at least once every three years.
Covered plans and providers would be required to allow individuals to inspect and copy their protected health information. These plans or providers could charge individuals a reasonable cost-based fee for copying.
Covered plans and providers would have to be able to provide an accounting for uses and disclosures of protected health information for purposes other than treatment, payment, or health care operations. We expect that this burden will be very low for most small businesses, given the nature of most disclosures by such businesses.
Covered plans and providers would be required to allow individuals to request amendments or corrections to their protected health information.
Each covered entity would designate a privacy official. As described above, in a small provider's office, the office manager may be the official in charge of making sure that the office is implementing its privacy policies and procedures and taking complaints.
All members of covered entities' workforces who have contact with protected health information would be required to have some sort of privacy training about the entity's policies and procedures and to sign a certificate indicating that they had such training. For a small entity, this could simply mean the privacy official briefly discussing how they handle privacy concerns and going over the entity's notice of information practices.
A covered entity would have to establish administrative, technical, and physical safeguards to protect the privacy of protected health information from unauthorized access or use. For a small provider, this may mean having the ability to securely lock up any records that are not being used and ensuring that records are not kept in an area where anyone who is not authorized could view them.
Every covered entity would be required to have policies and procedures in place that allow individuals to file complaints about possible privacy violations. For a small entity, this could mean simply that they keep a specific file for complaints.
Covered entities would be required to develop and apply sanctions when a member of a covered entity's work force or business partner fails to comply with the entity's policies and procedures related to this rule. For a small business, these could range from requiring a re-training on privacy, to placing a notation of the violation in an employee's record, to dismissal or ending a contract with a business partner.
Covered entities would be required to document policies and procedures for use and disclosure of protected health information relating to this regulation, including elements listed in §164.520, and would need to maintain one copy of each version of its notice of information practices and authorization forms. See §164.520(f) for a full list of recordkeeping requirements.
When using or disclosing protected health information for treatment, payment, healthcare operations, and other purposes, an entity would be required to disclose only the amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.
For those small businesses that hire business partners to assist them in carrying out their operations, this rule would require that they take steps, including having certain terms in a contract, to ensure that their business partners are also protecting the privacy of individually identifiable health information. We expect that model contracts will be developed by potential business partners and others that can be used to fulfill the requirements of this section.
This proposed rule would also permit disclosure of patients' health information in special cases and under certain conditions. These disclosures would be optional under this proposed rule but may be mandatory under other laws. The primary examples of such permissible disclosures are: for public health purposes, for health oversight purposes, for judicial and administrative proceedings, to coroners and medical examiners, to law enforcement agencies, to next-of-kin, to governmental health data systems, for research purposes, and for other disclosures required by law, among others. Each of these disclosures and uses would be subject to specific conditions, described in the proposed rule.
Entities would be required to have reasonable procedures to verify the identity or authority, as applicable, of persons requesting the disclosure of protected health information if the person making the request is not already known to the entity. In most cases, the covered entity could simply ask for a form of identification like a driver's license.