September 24, 2003
Five months after the April 2003 compliance date for HIPAA's privacy rule has passed, it is clear that despite efforts by privacy officials, their staffs, and their counsel to anticipate and plan for the rule's many implications, a number of unanticipated challenges have arisen that demand attention.
A new report in HFMA's Resource Center, "Unanticipated Challenges of the HIPAA Privacy Rule," by Brian Gradle, counsel at Hogan & Hartson L.L.P. in Washington, D.C., outlines several of these concerns, along with some strategies being employed by privacy officials to address them. Today's article addresses two challenges discussed in the report.
An unclear role of patients' personal representatives
The privacy rule has raised new concerns over the role of people acting as "legal representatives" of patients. Although adult children, relatives, and close personal friends have served as informal counselors and confidantes of patients for years, the privacy rule has created new reasons for covered entities to verify the actual, lawful authority of such representatives to act on behalf of patients and receive protected health information.
For example, a "power of attorney" is frequently quite limited in its scope. It could be written to concern only matters regarding a person's financial investments, and indeed might not grant any authority to an individual to receive a patient's health information. Similarly, an adult child may be listed on an advance directive as the person to make the decision regarding the cessation of life support, but that authority may be strictly limited to the situations articulated in the advanced directive.
Consequently, it is essential that before disclosing protected health information to any purported legal representative, a covered entity must clearly establish the true, legal authority of that individual under applicable law.
Another approach that some providers, particularly hospitals, have taken is to require patients to sign a "designated party release" form on admission. Such a release expressly authorizes the provider to discuss the patient's condition with the people designated on the release, thereby avoiding the ambiguity that may arise if the hospital were only to obtain the oral permission, as required under the privacy rule.
Enhanced disclosure standards
Many healthcare entities are experiencing unexpected treatment and administrative delays because referring providers have chosen to adopt policies that exceed the privacy rule standards. Whether such heightened standards is a consequence of a desire to enhance patient involvement, or is a risk management device used because of uncertainty about the requirements of the privacy rule is not always clear.
For example, notwithstanding the fact that HIPAA permits, without patient authorization, provider-to-provider disclosure of health information for purposes of treatment, some providers have nevertheless determined that they will not make disclosures unless they have obtained prior patient authorization -- in some cases requiring written patient authorization.
Providers that have tried to get protected health information from another covered entity for treatment purposes, only to be told that such information cannot be provided without the patient's authorization, have sometimes found it effective to discuss the issue with the provider's privacy official, in order to ensure that there is no misunderstanding of the permissible disclosure provisions of the privacy rule.
Once providers have been identified who insist upon written disclosure authorizations, providers seeking the information can consider taking steps to get the authorizations themselves, if necessary, to minimize treatment or administrative delays.
SOURCE:
Excerpt from "Unanticipated Challenges of the HIPAA Privacy Rule," by Brian Gradle, counsel at Hogan & Hartson LLP in Washington, D.C., and a member of HFMA's HIPAA@Work Task Force. Available free on-line to HFMA members; nonmembers may purchase the document for $15 from HFMA member services, (800) 252-HFMA, ext. 2.
ADDITIONAL RESOURCES:
- HIPAA: Comprehensive List of HFMA Products and Services
If you have questions or comments about HFMA Wants You to Know, contact editor Laura Noble .
HFMA Wants You to Know ISSN: 1540-0697. Volume II, Issue 20. Copyright 2003, Healthcare Financial Management Association. All rights reserved.