GENERAL OVERVIEW OF THE REQUIREMENTS OF THE PRIVACY RULES

The Health Insurance Portability and Accountability Act of 1996 Privacy Rules require most, if not all, medical geneticists to ensure the privacy of identifiable health information relating to patients and research subjects. A medical geneticist will need to comply with HIPAA if he or she, or the institution at which he or she practices, electronically transmits health information for billing or other purposes. Once HIPAA compliance is triggered, the medical geneticist must comply with respect to all information, including information in nonelectronic form.

HIPAA protects all “individually identifiable health information,” which is information that (1) is created or received by a health care provider, (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (3) identifies the individual or reasonably could be used to identify the individual. This information is called “protected health information” or “PHI” when it is in the hands of a medical geneticist who is covered under HIPAA.

HIPAA’s requirements focus on three areas. Under HIPAA, a medical geneticist must (1) monitor and control the uses and disclosures of PHI, (2) provide patients with certain rights with respect to their PHI, and (3) establish and implement certain administrative policies and procedures to ensure that the privacy of health information is prioritized and protected.

For a more thorough review of HIPAA’s requirements, see Lynn D. Fleisher, PhD, JD, and Laura J. Cole, JD, “Health Insurance Portability and Accountability Act is here: What price privacy?,” Genetics in Medicine, July/August 2001.

IMPORTANT MODIFICATIONS TO THE PRIVACY RULES

The August 2002 modifications made several significant changes to the HIPAA Privacy Rules.

Consent requirement changes to acknowledgment of notice of privacy practices

The 2002 modifications deleted the requirement that a health care provider with a direct treatment relationship obtain written consent from a patient before using or disclosing PHI for treatment, payment, or health care operations purposes. Now, a medical geneticist or other provider may use or disclose PHI for those purposes without consent. A provider is still permitted to get an informed consent, but it is no longer required under the Privacy Rules. If a provider chooses to obtain consent, the provider has discretion in designing the form.

Although consent is no longer required, the 2002 modifications to the Privacy Rules created a new requirement: that direct-treatment providers make a good faith effort to obtain from each patient a written acknowledgment that the patient received a copy of the provider’s Notice of Privacy Practices. Thus, a clinical geneticist who has a direct treatment relationship with patients must provide patients with a copy of the geneticist’s Notice of Privacy Practices and make a good faith effort to obtain the patient’s written acknowledgment of receipt. Although the content of the Notice must comply with the Privacy Rules, the form of the written acknowledgment is flexible: it could be a tear-off on the bottom of the Notice, a signature in a log book, a separate list, or another written form. If the geneticist is unable to obtain an acknowledgment, the geneticist must document his or her good faith attempt to do so and the reason the acknowledgment could not be obtained. A laboratory geneticist, because of the indirect treatment relationship, is exempt from distributing the Notice (except upon request) and from obtaining the acknowledgment.

Incidental uses and disclosures of Protected Health Information

The 2002 modifications clarified that “incidental” uses and disclosures of PHI, which fell into a somewhat gray area under the 2000 final rules, will not, in and of themselves, constitute a violation of the HIPAA Privacy Rules. “Incidental” uses and disclosures generally are secondary to permitted uses and disclosures, and the modified Privacy Rules recognize that they cannot always be prevented. For example, the following are considered incidental under the Privacy Rules: sign-in sheets in waiting rooms, conversations regarding a patient where the speakers may be overheard, or discussion of a patient’s condition during training rounds. For these incidental uses and disclosures to be acceptable, however, the geneticist must have employed reasonable safeguards, such as lowering his or her voice when discussing a patient in a hallway. Also, except for uses and disclosures for treatment purposes, or disclosures made to the patient, the geneticist must have used or disclosed only the minimum amount of information necessary to accomplish the use or disclosure.

Research

The HIPAA Privacy Rules extend to research and require a geneticist to obtain a patient’s authorization to use or disclose the patient’s PHI for research activities. The authorization must include several specific provisions to meet the Privacy Rules’ content requirements. In some circumstances, the Privacy Rules permit the researcher to obtain a waiver of the authorization requirement from an institutional review board (IRB) or Privacy Board. The Privacy Rules also permit the use and disclosure of PHI without authorization for certain limited activities (preparation of research protocol, limited subject recruitment activities, research limited to decedents’ information).

The 2002 modifications made several changes to the rules relating to use and disclosure of PHI for research. First, a research authorization now may be combined with other forms of legal permission related to the research study, such as the informed consent document. Second, the Privacy Rules no longer require that an authorization for research contain an expiration date or event. Rather, the authorization may simply state that it will not expire. Third, the criteria that an IRB or Privacy Board must use to determine whether it is appropriate to waive the authorization requirement were made somewhat more lenient (although such waiver continues to be most relevant for retrospective or reanalysis studies, where the researcher will not be in direct contact with the research subject). Fourth, where PHI is used or disclosed pursuant to such a waiver, the accounting requirement is now more limited. A geneticist is no longer required to tell the patient specifically when and how the patient’s information was disclosed for research. Instead, the geneticist may provide the patient with a list of all the protocols for which the patient’s PHI may have been disclosed for research pursuant to a waiver, along with the researcher’s name and contact information and certain other limited information.

Finally, under the 2002 modifications, although a subject still may revoke his or her authorization, the revocation does not apply to the extent that the researcher has acted in reliance on the authorization. That is, researchers may continue using and disclosing a subject’s PHI, even after the subject has revoked authorization, as may be necessary to maintain the integrity of the research study.

Deadline extension for certain Business Associate Agreements

A medical geneticist must enter into “Business Associate” agreements with third parties that perform services on behalf of the medical geneticist and that have access to PHI. Such agreements are designed to ensure that Business Associates who receive PHI adhere to the requirements of the Privacy Rules.

Under the original Privacy Rules, the Business Associate Agreement was required to be in place by April 14, 2003. The 2002 modifications provided an extension to the timeframe for putting in place Business Associate Agreements. If a medical geneticist has a written agreement with a Business Associate that was executed and effective before October 15, 2002, the agreement need not be modified to include HIPAA’s Business Associate provisions until the agreement is reopened, or April 14, 2004, whichever comes sooner. If a written agreement was not in place on October 15, 2002, then a HIPAA-compliant Business Associate Agreement should have been in place by April 14, 2003. Regardless of when the Business Associate provisions are memorialized in writing, as of April 14, 2003, a medical geneticist must make sure its Business Associates comply with the Privacy Rules’ substantive Business Associate requirements.

Creation of the limited data set

The 2002 modifications created a new category of disclosures that are permitted without authorization from the patient or research subject but which require instead an agreement from the recipient to protect the information being disclosed. A medical geneticist may disclose such a “limited data set” of an individual’s PHI for purposes of research, public health, or certain of the recipient’s health care operations. Because the individual does not authorize the disclosure, the information must be stripped of most of the direct identifiers that are listed in the regulation (such as name, social security number, etc.). Significantly, however, a “limited data set” may contain certain information that would not be allowed in “de-identified” information, such as admission and discharge dates, birth and death dates, state, county, city, precinct, neighborhood, and zip code.

To disclose a limited data set, the medical geneticist must enter into a Data Use Agreement with the recipient that requires the recipient to protect the data. A Data Use Agreement must contain data protection provisions that are similar to those in a Business Associate Agreement. If the recipient of the data will also be using the data for Business Associate purposes, then the medical geneticist also will need to enter into a Business Associate Agreement with the recipient. For example, a hospital performing billing services on behalf of a geneticist would be the geneticist’s Business Associate and a Business Associate Agreement would be necessary. If the hospital receives limited data from the geneticist for inclusion in a cancer registry, a Data Use Agreement would be required. Where the recipient will be using some data in limited form pursuant to a Data Use Agreement and other data in identifiable form pursuant to a Business Associate Agreement, the medical geneticist may combine these two agreements into one document.

IMPORTANT CONSIDERATIONS FOR MEDICAL GENETICISTS

In addition to the recent changes made to the Privacy Rules, certain issues under the Privacy Rules may be of particular interest to medical geneticists.

Are medical geneticists Business Associates of hospitals?

As discussed above, before a medical geneticist may disclose PHI to a Business Associate so that the Business Associate may perform services on behalf of the medical geneticist, the geneticist must obtain “satisfactory assurances” that the Business Associate will appropriately safeguard the geneticist’s PHI. To achieve such satisfactory assurances, the medical geneticist must have a written contract which includes the specific content requirements set forth in the Privacy Rules. On the other hand, if a medical geneticist provides services for or on behalf of another covered entity, such as a hospital, the geneticist may be a Business Associate of the other covered entity, and would need to sign the other entity’s Business Associate Agreement. For example, a geneticist would be a Business Associate of a hospital if the hospital engages the geneticist to provide training to medical staff on the hospital’s behalf.

However, a medical geneticist is not a Business Associate of a hospital where the geneticist is providing medical services solely on behalf of patients. For example, if a hospital sends specimens to a geneticist for testing and analysis, the geneticist is not a Business Associate of the hospital. This is true even though the geneticist is providing a service—analyzing the specimens—at the hospital’s request. The Business Associate distinction depends on whether the services (1) are provided on behalf of the hospital or the hospital’s patients and (2) serve an administrative purpose or are for the purpose of treatment. Where a geneticist is providing an administrative service to the hospital, the geneticist is a Business Associate. Where a geneticist is solely analyzing specimens to provide treatment services for patients, the geneticist is not a Business Associate and should not need to sign a Business Associate Agreement.

Suspension of patients’ right to access during research

During the course of research, a geneticist may temporarily suspend a patient’s usual right to have copies of or access to his or her medical records. The Privacy Rules recognize that allowing a patient to access his or her records during a research study might compromise the integrity of the study. To suspend a patient’s access rights, the geneticist must obtain the patient’s agreement to the suspension as part of the patient’s consent to participate in the research or the patient’s authorization for the use and disclosure of his or her PHI for the research. The researcher also must inform the patient that the right of access will be reinstated upon completion of the research.

Authorizations to use or disclose identifying photographic images

If there is one principle underlying the HIPAA Privacy Rules, it is the prohibition of improper uses or disclosures of individually identifiable health information. Although the concept appears simple, implementation often requires a careful analysis of whether a specific record set of an individual does in fact contain identifying elements. The Privacy Rules list 18 identifiers, the presence of one or more of which will make a record set “protected”: (1) names, (2) all geographic subdivisions smaller than a state, except for the initial three digits of a zip code, (3) all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89, (4) telephone numbers, (5) fax numbers, (6) electronic mail addresses, (7) social security numbers, (8) medical record numbers, (9) health plan beneficiary numbers, (10) account numbers, (11) certificate/license numbers, (12) vehicle identifiers and serial numbers, including license plate numbers, (13) device identifiers and serial numbers, (14) URLs, (15) internet protocol (IP) addresses, (16) biometric identifiers, including finger and voiceprints, (17) full-face photos or comparable images, and (18) any other unique identifying number, characteristic, or code.

Obviously, then, a medical geneticist may not use or disclose information containing a full-face photograph or similar image except in accordance with the Privacy Rules. This prohibition extends to any photographic or other information that could be used to identify an individual. Accordingly, even if the photograph does not show the patient’s full face, but contains a unique identifying mark, it would be considered “identifiable.” To use or disclose any identifiable photograph or other information, a written HIPAA authorization is likely to be required.
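The 18 identifiers listed above, together with the limited data set described earlier, can be turned into a mechanical check on a record before it leaves the geneticist’s hands. The following Python is an added example, not part of the article: it assumes a simple record schema (field names such as name, zip, mrn and diagnosis are assumptions), encodes the generalizations the text gives for Safe Harbor de-identification (three-digit zip prefix, year-only dates, ages over 89 aggregated), and reports whether a record is still PHI, could be released as a limited data set under a Data Use Agreement, or is de-identified.

```python
import re

# Assumed schema: field -> Safe Harbor category number from the text (category 18 omitted).
IDENTIFIER_FIELDS = {
    "name": 1, "address": 2, "city": 2, "county": 2, "zip": 2, "age": 3, "birth_date": 3,
    "admission_date": 3, "discharge_date": 3, "death_date": 3, "phone": 4, "fax": 5,
    "email": 6, "ssn": 7, "mrn": 8, "health_plan_id": 9, "account_number": 10,
    "license_number": 11, "license_plate": 12, "device_serial": 13, "url": 14,
    "ip": 15, "biometric": 16, "photo": 17}
# A limited data set may keep dates, ages and city/county/zip, but no street address
# and no direct identifier such as a name or medical record number.
LDS_ALLOWED_FIELDS = {"city", "county", "zip", "age", "birth_date",
                      "admission_date", "discharge_date", "death_date"}

def is_identifying(field, value):
    """True if the value still counts as a Safe Harbor identifier."""
    if value in (None, ""):
        return False
    if field == "zip":                # only the initial three digits may remain
        return not re.fullmatch(r"\d{3}", str(value))
    if field.endswith("_date"):       # only the year may remain
        return not re.fullmatch(r"\d{4}", str(value))
    if field == "age":                # ages over 89 must be aggregated as "90+"
        return str(value).isdigit() and int(value) > 89
    return True

def classify(record):
    """'PHI', 'limited data set' (needs a Data Use Agreement) or 'de-identified'."""
    hits = {f for f, v in record.items() if f in IDENTIFIER_FIELDS and is_identifying(f, v)}
    if not hits:
        return "de-identified"
    return "limited data set" if hits <= LDS_ALLOWED_FIELDS else "PHI"

def limited_data_set(record):
    """Strip direct identifiers, keeping what a limited data set may contain."""
    return {f: v for f, v in record.items()
            if f not in IDENTIFIER_FIELDS or f in LDS_ALLOWED_FIELDS}

def safe_harbor(record):
    """Generalise zip, dates and age; drop every other identifier field."""
    out = {}
    for f, v in record.items():
        if f not in IDENTIFIER_FIELDS:
            out[f] = v                                   # clinical data is kept
        elif f == "zip":
            out[f] = str(v)[:3]
        elif f.endswith("_date"):
            out[f] = str(v)[:4]
        elif f == "age":
            out[f] = "90+" if str(v).isdigit() and int(v) > 89 else v
    return out                      # name, address, city, MRN and the rest are dropped

# Constructed sample record with fictitious values.
SAMPLE = {"name": "A. Example", "address": "12 Example St", "city": "Springfield",
          "zip": "62704", "birth_date": "1951-03-09", "admission_date": "2002-10-15",
          "age": 51, "mrn": "MRN-000123", "diagnosis": "BRCA1 variant"}
```

Running classify on SAMPLE, on limited_data_set(SAMPLE) and on safe_harbor(SAMPLE) yields "PHI", "limited data set" and "de-identified" respectively, which mirrors the three release regimes the text distinguishes.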

What is HIPAA’s role in the duty to warn debate?

Geneticists have long debated the appropriate balance between protecting the privacy of a patient’s medical genetic information and sharing the patient’s information with family members to “warn” the family members of a genetic risk. Although the HIPAA Privacy Rules do not address this issue explicitly, they strongly suggest that, except in very limited circumstances, a geneticist may not disclose a patient’s medical genetic information—to anyone—without the patient’s written authorization.

The Privacy Rules permit a medical geneticist, or other provider, to disclose PHI about a patient to the patient’s friends and family members but only to enable such people to assist in the patient’s care. This permission does not extend to disclosures for the benefit of the patient’s family members. Thus, a medical geneticist may disclose PHI to a family member, another relative, a close personal friend, or another person identified by the patient. The disclosure must, however, be limited to the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for the patient’s care. And, the purpose of this permission must be solely to benefit the patient.

HIPAA does include a provision that permits a provider to disclose information to avert a “serious and imminent threat to the health or safety of a person or the public.” This provision allows a geneticist to disclose PHI if the geneticist believes, in good faith, that the disclosure is necessary to prevent or lessen a serious and imminent threat to the person receiving the information. It is intended to be used in circumstances where a threat is imminent and the provider would have no other avenue to defuse a serious danger. Where a threat is not imminent, the Privacy Rules would require the provider to obtain an authorization from the patient to disclose the patient’s information to family members for any reason other than for assistance with the patient’s care.

The geneticist also must use his or her professional judgment to determine whether any disclosure would be consistent with applicable law and standards of ethical conduct. In this connection, it must be remembered that about half of the states have enacted specific genetic information privacy statutes, many of which expressly prohibit the disclosure of medical genetic information without the written consent of the patient. In other states, the same result is obtained through more general medical privacy acts. In states where such prohibitions exist, they would not be preempted by the Privacy Rules. Although other states may not have explicitly addressed this issue, the intent and language of HIPAA, as well as the common law of medical privacy, strongly counsel against unauthorized disclosure.

CONCLUSIONS

By the time this issue of Genetics in Medicine reaches you, the HIPAA Privacy Rules will have gone into effect. But this is far from the end of the story. HIPAA has refocused our views of personal and medical privacy and raised the nation’s collective awareness of potential violations. The current “final” Privacy Rules are certain to be modified, perhaps many more times, and will continue to be debated and, probably, litigated. They are far from perfect. But the concept of medical privacy that HIPAA has reinvigorated is here to stay. As it should be.