publishers of The New England Journal of Medicine
Massachusetts Medical Society
860 Winter Street
Waltham MA 02451
(800) 322-2303 or (781) 893-4610
© Copyright 2008



Final Privacy Rule Published

On August 14, 2002, changes to the HIPAA Privacy Rule were finalized and published in the Federal Register. The modifications maintain the privacy compliance date of April 14, 2003. Highlights of the changes include:

*Consent requirement is no longer mandatory, but remains optional. Covered entities are no longer required to obtain an individual's consent prior to using the individual's protected health information for treatment, payment or health care operations. However, the final Rule does require that covered entities provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity, and direct treatment providers must make a good faith effort to obtain the patient's written acknowledgement of the notice of privacy rights and practices.

*Business Associate contracts. Sample contract provisions are provided in the final Rule. Covered entities may also now use existing written contracts provided that the contracts are revised within one year of the compliance date of April 14, 2003, making them compliant with the business associate requirements.

*Authorization Forms. The final Rule eliminates separate authorization requirements for covered entities. An authorization may be combined with other authorizations so long as the provision of treatment, payment, enrollment in a health plan or eligibility for benefits is not conditioned on obtaining any of the authorizations, and the authorization is not for the use or disclosure of psychotherapy notes. 

*Minimum Necessary standard does not apply to Authorized Disclosures. All uses and disclosures of protected health information that are made pursuant to any authorization are exempt from the minimum necessary standard. The minimum necessary standard remains in place for all other uses and disclosures.

*Incidental Uses & Disclosures. The final Rule explicitly permits certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. Examples include: the use of waiting room sign-in sheets; use of patient charts at bedside; physician-patient conversations in semi-private rooms; and physician conferencing at nursing stations without fear of being heard by a passerby. An incidental use or disclosure is permissible, however, only if the covered entity has employed reasonable safeguards and implemented the minimum necessary standards to protect the personal health information being used or disclosed.

*Parents and Unemancipated Minors. The final Rule clarifies that state laws or other applicable laws should be followed regarding parental access to protected health information of minors. In special cases where a minor controls his or her own health information under state law or other applicable law, and the law does not define the parents' ability to access the minor's health information, a physician can exercise discretion to grant or deny such access so long as the physician's decision is consistent with state or other applicable law.

HHS fact sheet summarizing the law

Final rule (.pdf)

