The privacy rule was finalized on August 14, 2002. Changes made to the original rule were in general beneficial to providers. Consent forms will no longer be required for treatment, although providers may choose to continue to use them. Physicians will still be required to use and disclose only the "minimum necessary" protected health information (PHI) to accomplish the purpose for which the information is being used or disclosed, but the new final rule excludes some situations in which the minimum necessary requirement will apply. A model business associates contract is provided in the final rule, making it easier for providers to comply with the rule’s requirement that they have written business associate contracts with vendors who need access to the provider’s PHI to perform tasks on behalf of providers. Researchers now only need to provide one form for consent and authorization, instead of two.

There are also proposed changes in the transaction rule. Certain data elements that were required by the final rule are now situational in the proposed rule. Unnecessary data elements have been removed. Certain items, like special program indicator codes, will now be able to be reported via external code sets rather than as data elements in a transaction. The proposed rule also adopts requests from the industry by adding data elements, codes, or loops to enable covered entities to perform certain business functions in the standardized transactions, such as cross-referencing two subscriber IDs (e.g., surviving spouse and dependents).

A final rule was published in May 2002 that created a standard employer identifier. The Employer Identifier Number (EIN) that is already in use by the IRS will be the standardized unique employer identifier number.

A proposed rule to cease using the National Drug Codes in transactions for nonretail pharmacy transactions was published in May 2002. DHHS developed the proposal in response to widespread industry concern over the tremendous cost of implementing the National Drug Codes (NDC). The NDC will either not be replaced at all, or will be replaced by the HCPCS.

This article is not, and should not be construed as, legal advice or an opinion on specific situations.

Keywords: HIPAA, privacy, transactions, code sets, NDC, employer identifier