Karin Bierstein, J.D.
Assistant Director of Governmental Affairs (Regulatory)

The Transactions and Code Sets provisions of the Health Insurance Portability and Accountability Act (HIPAA) originally mandated that providers and most health plans be ready to comply with new national electronic transactions standards by October 16, 2002. Congress extended the deadline by a year last December. To qualify for the extension, however, physicians and other "covered entities" must file a plan for attaining full compliance by October 15, 2002.

Submitting this compliance plan is much less difficult than it might seem. A model application was posted on the Department of Health and Human Services (HHS) Web site <www.cms.hhs.gov/hipaa> on March 29 as required by the legislation extending the deadline. Anesthesiologists or their practice managers may complete the application online, or they may print it out and return it by mail. They may also provide the requisite information in a format of their own. The instructions indicate that completing the application should take about 15-20 minutes, an estimate that appears quite realistic.

The information to be submitted includes the following:

• Name and tax identification of the physician/group practice (or other "covered entity")
  
  
• Name and address of person requesting the extension (this may be an administrator)
  
  
• Reason for requesting the extension (Check all that apply. Since the data elements for anesthesia claims are still being developed, you may want to check "need more information about the standards" and "need additional clarification on standards" in particular.)
  
  
• Implementation budget (probably either "less than $10,000" or "$10,000­$100,000," but "other" is an acceptable answer.)
  
  
• Implementation strategy (separate sets of very basic questions on "HIPAA Awareness," "Operational Assessment" and "Development and Testing.")

The extension is granted automatically; the compliance plan submission is not a qualifying test of any sort. Its purpose appears to be twofold: 1) to let HHS know how far along physicians, health plans and data clearinghouses are in their efforts to comply with HIPAA and 2) to make those covered entities that have yet to focus on complying with the HIPAA requirements begin to do so.

There is no downside to applying for the extension. The vast majority of anesthesia practices, like the Medicare "health plan" itself, will probably need the extra time.

Proposed Changes to the Privacy Rule
"After publication of the Privacy Rule, HHS received many inquiries and unsolicited comments through telephone calls, e-mails, letters, and other contacts about the impact and operation of the Privacy Rule…"

So wrote HHS in a notice published in the Federal Register on March 21, 2002, proposing to modify certain standards in the rule implementing the HIPAA privacy protections. The rule was published in final form in December 2000. (Physicians and other covered entities have until April 14, 2003, before they must be in compliance.) Among the original rule's more controversial provisions were those requiring written consent for any use of patients' "individually identifiable" or "protected" health information (PHI) and limiting disclosures to an ill-defined "minimum necessary." The proposal substantially eases these requirements and mitigates other aspects of the original rule.

Consent and notice: In its current form, the Privacy Rule would require treating physicians (and hospitals) to obtain written consent before using a patient's health information for "treatment, payment or health care operations." Many states and institutions already require such consent, and the HIPAA rule would neither weaken that protection nor prevent providers from voluntarily obtaining consent. Responding to objections that in many instances a mandatory consent process would delay treatment, HHS now proposes to eliminate the HIPAA requirement. Instead, HHS would strengthen the HIPAA notice provisions. Physicians and hospitals with a direct treatment relationship would have to make "a good faith effort to obtain an individual's written acknowledgment of receipt of the provider's notice of privacy practices." The notice should be provided at the first encounter (which could be electronic, not necessarily face-to-face) unless emergency circumstances exist. The theory behind the notice and acknowledgment provisions is that a discussion of confidentiality and privacy (if not a consent process) should enhance the physician-patient relationship, and therefore the patient should also be able to request restrictions on the use of his or her PHI. If the patient refuses to sign an acknowledgment, the physician may still provide treatment.

What does this mean for anesthesiologists? Hospital-based anesthesiologists who currently rely on the hospital's notice and consent procedures and obtain patients' information directly from the hospital would not be greatly affected. In almost all instances, they would constitute an Organized Health Care Arrangement (OHCA) with the hospital. Participants in an OHCA will be permitted to share PHI.

Pain medicine physicians with private offices, on the other hand, may find the elimination of the consent requirement beneficial. Their situations may be more analogous to those of some of the providers who objected to the consent mandate: 1) pharmacists who were concerned that they could not begin to process prescriptions phoned in by physicians until patients appeared in person to consent to the use of their information; 2) hospitals that did not want patients to have to make a special advance trip simply to consent to the use of their data for scheduling and preparation for procedures; and 3) covering physicians who could not talk to patients needing treatment over the telephone and other providers whose services would be hindered by the need for prior face-to-face contact.

Note that the proposed rule would only do away with the consent requirement, which applies to using PHI for treatment, payment or health care operations such as quality assurance or compliance programs. The need to obtain authorization for other uses (research, marketing, etc.) will not be affected.

"Minimum necessary" standard and Incidental disclosures: Physicians and hospitals have been very concerned with the privacy rule's restrictions on disclosure of PHI and its requirement that "covered entities" take reasonable steps to limit the use or disclosure of PHI to the "minimum necessary." The original wording of the regulations suggested that providers could violate HIPAA through hospital hallway conversations or by discussing a patient's condition in training rounds. Those who commented wondered whether the rule would prevent the use of sign-in sheets in waiting areas or the placement of medical records beside patients' beds or gurneys. The guidance on privacy standards published by HHS last July stressed the notion of reasonableness but recognized providers' nervousness and promised modifications to the regulations, which HHS has now proposed.

The revised regulations explicitly state that a covered entity may use or disclose PHI both internally and to another health care provider treating the patient in question. Thus one physician may send a copy of the patient's medical record to another specialist who needs the information for treatment purposes. Information also may be disclosed to other covered entities for payment purposes and for use in specified "health care operations," including quality improvement, training, certification and credentialing activities. The covered entity will still, however, need to adopt policies and procedures that minimize the amount of PHI used and disclosed and appropriately limit the persons who have access to the information. (The entire medical record may sometimes be the minimum necessary.)

What about incidental disclosures through hallway, elevator or bedside discussions? Can anesthesiologists continue to conduct preanesthesia evaluations in busy holding areas? Can patients' names be listed on the scheduling board? In most instances, the answer to these two questions is probably yes. The proposed rule provides that incidental uses and disclosures that 1) cannot reasonably be prevented, 2) are limited to the minimum necessary and 3) occur as a byproduct of an otherwise permitted use or disclosure will be permitted. HHS cites as an example of a disclosure that exceeds the minimum necessary standard "asking for a patient's health history on the waiting room sign-in sheet." That is obviously very different from posting a patient's name, procedure, surgeon and anesthesiologist on the board in the operating room suite.

Not all the public's questions and confusion have been addressed yet. HHS is planning to provide further guidance on the minimum necessary standard as well as technical assistance materials to help covered entities implement the provisions of the rule.

Business Associates: The privacy rule requires covered entities to enter into written contracts obligating their business associates (billing companies, accountants, consultants, etc.) to protect the privacy of patient information. The proposal includes model business associate contract provisions that should make it easier and less costly for physicians to implement the requirements. It would also give physicians an additional year to change existing contracts. The proposed rule does not alter the controversial requirement that covered entities must try to cure or mitigate any breach by its business associates or even terminate the relationship.

ASA was one of many medical societies, led by the American Medical Association, that sought the elimination of the business associates provisions in a letter sent to HHS on March 5. We believe that it is unfair and unreasonable to hold physicians responsible for compliance with the privacy rule by business associates over whom HHS has no direct jurisdiction.

The need to eliminate the Business Associates rules is one of the areas on which ASA commented in our formal response to the proposed rule.

return to top

FEATURES

Anesthesiology in the Electronic Era

• EMIT: Untangling the Web of Electronic Communication
  
  
• Wireless Devices Improving Communications in the Operating Room
  
  
• Educational Technology 2002
  
  
• Use of Handheld Computers for Resident Education in Anesthesiology
  
  

ARTICLES

• Board of Directors Interim Meeting Summary
  
  
• National Residency Matching Program Results for 2002
  
  
• House of Delegates Adopts Updated 'Guidelines for Sedation and Analgesia by Nonanesthesiologists'
  
  
• Medicare and the Anesthesia Shortage, Part 2
  
  
• Private Payer Perils
  
  
• DRUG SHORTAGE: Injectable Corticosteroid Product in Short Supply
  
  
• 2002 SEE Program Strives for Excellence
  
  
• Waste Anesthetic Gases Videotape Now Available
  
  

DEPARTMENTS

• Ventilations
• Administrative Update
• Washington Report
  
• Practice Management
  
• State Beat
  
• Subspecialty News
  
• What's New in…
  
• Residents' Review
  
• ASA News
  
• In Memoriam
  
• Letters to the Editor
  
• FAER Report
  
  

The views expressed herein are those of the authors and do not necessarily represent or reflect the views, policies or actions of the American Society of Anesthesiologists.

NL Archives

Information for Authors