The Department of Health and Human Services (HHS) removed the “consent” requirement from its (Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, leaving many people asking why. After all, the fundamental purpose of HIPAA is to protect the privacy of healthcare patients.
Previously, the Privacy Rule required covered entities to obtain a patient's consent before disclosing Protected Health Information (PHI) about that patient. But the HHS removed this specification from the Privacy Rule. So, why was consent removed from the Privacy Rule?
As explained on the official HHS website, officials removed this requirement because it “created the unintended effect of preventing health care providers from providing timely, quality health care to individuals in a variety of circumstances.” Before this specification was removed, doctors and other covered entities could not use or disclose a patient's PHI without seeing the patient in person. This slowed down treatment times while placing patients' health at greater risk.
The HHS provides several examples of how the consent specification affected covered entities and their patients. One such example is that of emergency rooms, where emergency room care providers were required to obtain a patient's consent before treating or otherwise servicing a patient. Of course, this defeats the underlying purpose of an emergency room, which is to provide immediate, emergency medical service.
Another example is that of a doctor who does not provide treatment in person. Previously, doctors were unable to provide treatment to a patient without obtaining the patient's consent in person, which also slowed down treatment and other related service.
To prevent problems such as these from occurring, the HHS amended the HIPAA Privacy Rule, changing the consent from mandatory to voluntary. The new provision allows healthcare practitioners to obtain a patient's consent for treatment, payment and other healthcare operations “at their option.” Furthermore, it allows them to obtain this consent in a manner that does not disrupt their ability to perform these tasks.
To recap, the HHS dropped the consent specification from the HIPAA Privacy Rule so that healthcare practitioners could facilitate treatment more quickly and efficiently. Time is of the essence when treating healthcare patients; thus, practitioners need greater freedom to conduct their operations. Forcing practitioners to obtain a patient's consent before using or disclosing their PHI only slowed down this process while increasing the risk of complication and danger to the patient.