What's Happening with HIPAA: Modifications

Agency regulations can be a jungle of legal language, and physicians who are not aware of regulations may find themselves in an administrative conundrum. The most notable regulations facing Texas physicians are the federal regulations created to implement "HIPAA." In this monthly feature , the TMA Office of General Counsel discusses practical steps on how to begin the process of complying with those regulations .

HIPAA Modifications
By Lee Spangler, JD, TMA Office of General Counsel

On April 14, 2001, the federal government adopted the HIPAA privacy regulations. Even though the government adopted the regulations as first proposed by the Clinton administration, the Bush administration indicated it intended to make further modifications. Staying true to its intent, modifications to HIPAA were published in the Aug. 14, 2002, Federal Register . In terms of their effect on patients' access to health care and physician practices, the changes are indeed fundamental in nature.

The most debated modification is the removal of the mandate that required a physician to obtain the patient's written consent to use medical information for his or her benefit before treatment. The rule has been modified so that obtaining written consent is entirely voluntary.

This modification doesn't mean the government can require physicians to disclose patient information to just anyone. HIPAA gives patients the right to request restrictions on uses and disclosures of their medical information for treatment, payment, or health care operations.

The government says the modifications allow a physician to obtain written consent from a patient in any format chosen by the physician. Thus, no specific language is required to be within the voluntary consent.

Although removal of the written consent requirement indicates the government believes patients implicitly consent to the use of their medical information when they present themselves for treatment, this does not mean that the government removed all of the strings that were attached.

Physicians must make a good faith effort to obtain a patient's written acknowledgment that he or she has received a copy of the practice's notice of privacy policies. In the preamble to the rule modifications, the government indicated that failure to obtain a signature is not necessarily a violation of the rule, but there must be a good faith effort. 

Exactly what constitutes a "written acknowledgment"? The regulation itself doesn't say. However, the commentary to the rules says the government would prefer the patient's signature.

Incidental Disclosures
When the privacy rules were initially announced, many physicians complained that the rules would conflict with many day-to-day operations. These included front-desk sign-in sheets in doctors' offices and charts by the patient's bedside in hospitals and nursing homes. At that time, the Bush administration unofficially indicated that HIPAA rules would not prevent such routine activities.

The newly issued regulations include language the government believes will permit many of those common uses and disclosures. Sign-in sheets are now clearly permissible. 

Several stakeholders said the original rules seemed to create obstacles to parental access to medical information and, therefore, indicated that minors may have been granted the ability to consent to medical procedures. The Bush administration said HIPAA was intended only as a privacy regulation and did not change parental rights or affect consent for treatment. 

The modified regulations make clear that current state law on parental access to medical information will still apply. Thus, current office procedures for the use and disclosure of a minor's medical information may remain basically unchanged.

Sale of Practices
Before the changes, a literal interpretation of the regulations could lead to the belief that each patient must authorize the transfer of medical records when a medical practice is sold. The modifications clarify that HIPAA will permit the transfer of medical records and other assets of the practice when it is sold to another physician.

Public commentary on the original rule's marketing provisions was quite negative. Initially, a covered entity was permitted to use health information to market products and services if the patient was allowed to opt out of future marketing.

The new rule now generally prohibits marketing without obtaining the patient's authorization, but there is an exception. A covered entity may still use protected health information for marketing if it is conducted face-to-face or if it is in the form of a promotional gift of nominal value. 

Business Associates
The government has allowed an additional year to obtain HIPAA privacy-compliant agreements with business associates. This extension applies to all current noncompliant contracts with business associates that were not renewed or modified after Oct. 15, 2002. From now on, agreements must conform to the HIPPA privacy regulations.

One Last Note
As always, the key to whether a physician must comply with HIPAA depends on whether he or she is a "covered entity." A physician is covered if protected health information is transmitted electronically in relation to a HIPAA standard. The HIPAA information at issue must relate to:


  • Health care claims, attachments, and status;
  • Health care payment and remittance advices;
  • Coordination of benefits;
  • Health plan eligibility;
  • Enrollment or disenrollment in a health plan; or
  • Referral certification and authorization. 



The Office of the General Counsel of the Texas Medical Association provides this information with the express understanding that (1) no attorney-client relationship exists, (2) neither TMA nor its attorneys are engaged in providing legal advice, and (3) the information is of a general character. You should not rely on this information when dealing with personal legal matters; rather, legal advice from retained legal counsel should be sought.