Reminders for Providers on HIPAA regarding Obtaining Consent and Notice of Privacy Practices:
The Department of Health and Human Services (HHS) believes in strong privacy protections for individually identifiable health information but does not want to compromise timely access to quality health care.
HHS also understands that the opportunity to discuss privacy practices and concerns is an important component of privacy, and that the confidential relationship between a patient and a health care provider includes the patient’s ability to be involved in discussions and decisions related to the use and disclosure of protected health information about him or her.
A health care provider that has a direct treatment relationship with an individual is not required by the Privacy Rule to obtain an individual’s consent prior to using and disclosing information about him or her for treatment, payment, and health care operations.
- Although covered entities will not be required to obtain an individual’s consent, any uses or disclosures of protected health information for treatment, payment, or health care operations must still be consistent with the covered entity’s notice of privacy practices.
- No longer mandated, this Final Rule allows covered entities to have a consent process if they wish to do so. The consent provisions in Sec. 164.506 are replaced with a new provision at Sec. 164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations.
- A new provision is added at Sec. 164.506(b) that permits covered entities to obtain consent if they choose to and makes clear any such consent process does not override or alter the authorization requirements in Sec. 164.508. Section 164.506(b) includes a small change from the proposed version to make it clearer that authorizations are still required by referring directly to authorizations under Sec. 164.508.
Individuals retain the right to request restrictions, in accordance with Sec. 164.522(a). This allows individuals and covered entities to enter into agreements to restrict uses and disclosures of protected health information for treatment, payment, and health care operations that are enforceable under the Privacy Rule.
NOTICE OF PRIVACY PRACTICES – OBTAINING ACKNOWLEDGEMENT OF RECEIPT
How the requirement should be implemented when the provider’s first contact with the patient is over the phone, electronically, or otherwise not face-to-face, such as with telemedicine:
- It was suggested that the good faith acknowledgment of the notice be required no later than the date of first face-to-face encounter with the patient rather than first service delivery to eliminate these perceived problems.
- The notice acknowledgment process must be flexible and provide covered entities with discretion in order to be workable.
- Therefore, the final modification adopts the flexibility proposed in the NPRM for the acknowledgment requirement. The rule requires only that the acknowledgment be in writing and does not prescribe other details such as the form that the acknowledgment must take or the process for obtaining the acknowledgment.
- For example, the final rule does not require an individual’s signature to be on the notice.
- Instead, a covered health provider is permitted, for example, to have the individual sign a separate sheet or list, or to simply initial a cover sheet of the notice to be retained by the provider.
- Alternatively, a pharmacist is permitted to have the individual sign or initial an acknowledgment within the log book that patients already sign when they pick up prescriptions, so long as the individual is clearly informed on the log book of what they are acknowledging and the acknowledgment is not also used as a waiver or permission for something else (such as a waiver to consult with the pharmacist).
- For notice that is delivered electronically as part of first service delivery, HHS believes the provider’s system should be capable of capturing the individual’s acknowledgment of receipt electronically.
- In addition, those covered health care providers that choose to obtain consent from an individual may design one form that includes both a consent and the acknowledgment of receipt of the notice.
- Covered health care providers are provided discretion to design the acknowledgment process best suited to their practices.
- Failure by a covered entity to obtain an individual’s acknowledgment, assuming it otherwise documented its good faith effort, is not a violation of this rule.
- Such reason for failure simply may be, for example, that the individual refused to sign the acknowledgment after being requested to do so.
- This provision also is intended to allow covered health care providers flexibility to deal with a variety of circumstances in which obtaining an acknowledgment is problematic. Or to simply initial a cover sheet of the notice to be retained by the provider.
- For example, a health care provider whose first treatment encounter with a patient is over the phone satisfies the notice provision requirements of the rule by mailing the notice to the individual no later than the day of that service delivery.
- To satisfy the requirement that the provider also make a good faith effort to obtain the individual’s acknowledgment of the notice, the provider may include a tear-off sheet or other document with the notice that requests such acknowledgment be mailed back to the provider.
- For service provided electronically, HHS believes that, just as a notice may be delivered electronically, a provider should be capable of capturing the individual’s acknowledgment of receipt electronically in response to that transmission.
- HHS believes that the notice acknowledgment process must not negatively impact timely access to quality health care.
- The Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the rule’s requirements. This also applies with respect to the notice acknowledgment.
- For notice delivered electronically, HHS intends a return receipt or other transmission from the individual to suffice as the notice acknowledgment.
HHS would not consider a receptionist’s notation in a computer system to be an individual’s written acknowledgment.
- HHS understands that obtaining an individual’s acknowledgment of the notice may not always be feasible or practical.
- With respect to commenters’ concerns regarding potential liability, HHS’ position is that a failure by a covered entity to obtain an individual’s acknowledgment, assuming it otherwise documented its good faith effort (as required by Sec. 164.520(c)(2)(ii)), will not be considered a violation of this rule.
DON’T FORGET THAT UNTIL MODIFIED, SECTION 1557 STILL APPLIES.
- With one exception for emergency treatment situations, the proposal would require that the good faith effort to obtain the written acknowledgment be made no later than the date of first service delivery, including service delivered electronically.