On Monday April 1, the Centers for Medicare & Medicaid Services (CMS) of the US Department of Health and Human Services (DHHS) issued a directive revising guidance in the State Operations Manual to clarify that hospitals must obtain informed consent from patients before conducting sensitive exams.
What does CMS’s revised guidance cover?
The revised guidance clarifies that properly executed informed consent forms and hospital policies for informed consent should not only inform the patient if physicians or residents will perform important tasks related to surgery on the patient but also inform the patient if “medical, advanced practice providers (such as nurse practitioners and physician assistants), and other applicable students” will perform surgery “or examinations or invasive procedures for educational and training purposes” on the patient. Examinations or invasive procedures conducted for educational and training purposes “include, but are not limited to, breast, pelvic, prostate, and rectal examinations as well as others specified under state law.”
Open letter to teaching hospitals and medical schools
In addition, executives at DHHS, CMS, and the Office of Civil Rights (OCR) collectively penned an open letter to the teaching hospitals and medical schools condemning the practice of subjecting patients to sensitive and intimate examinations while under anesthesia without previously obtaining consent. The letter states that while the offices recognize that medical training on patients is an important aspect of medical education, hospitals must set clear guidelines to ensure providers and trainees first obtain and document informed consent from patients before performing sensitive examinations in all circumstances, including when the patient is under anesthesia.
The open letter also references the OCR’s recently issued Frequently Asked Question (FAQ), explaining a patient’s right to restrict which individuals can access their protected health information (PHI) during a medical procedure. The FAQ states that under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, patients can request covered entities to restrict the use and disclosure of their PHI. The FAQ reiterates that if a covered entity agrees to an individual’s requested restriction, it must comply with and document the agreed-upon restriction. The FAQ underscores this rule through an example of an individual scheduled for abdominal surgery who, concerned about students and trainees observing a pelvic exam while unconscious, requests that a covered healthcare provider not use or disclose PHI to medical trainees. If the covered entity agrees to the patient’s request, it must ensure that medical trainees are not in the room with the patient and do not otherwise have access to the patient’s PHI. The OCR will investigate complaints alleging that patients’ PHI was used or disclosed to medical trainees in violation of the HIPAA Privacy Rule.
How does the guidance impact hospitals and covered entities?
While the revised guidance does not create new rules, it emphasizes that there is no implied exception to the requirement of obtaining informed consent from patients, even for medical education or training purposes. The revised guidance and letter underscore the importance of obtaining informed consent and indicate that a failure to do so could result in a HIPAA violation or a hospital’s violation of CMS’s Conditions of Participation.