HIPAA Regulatory Alert

Should HIPAA's privacy rule be revised?

It depends on who you ask

Does the HIPAA privacy rule need to be revised to meet the needs of the current changing health care environment involving health information exchange? The answer depends on who you ask.

When the American Health Information Community's work group on confidentiality, privacy, and security held a day-long meeting to consider a "working hypothesis" that the HIPAA privacy rule, and especially its scope of coverage, is inadequate for today's health information technology needs, members heard a variety of opinions. Privacy advocates and some vendors said the rule needs to be changed, while representatives of an existing health care data exchange and a coalition of providers, drug companies, and drug distributors suggested things are fine the way they are.

The privacy rule, which was drafted in 2000 and significantly revised in 2002, does not allow patients to control use and transmission of sensitive health care information. And its protections only apply to HIPAA-covered entities — payers, providers, and claims clearinghouses.

Part of the work group's hypothesis is that there needs to be one or more "enforceable mechanisms" to ensure that privacy and security requirements are met. The group noted that the Department of Health and Human Services (HHS) Office for Civil Rights had received more than 27,000 complaints of possible HIPAA privacy rule violations through April 2007, yet had not issued a single fine against a HIPAA violator.

Another element in the group's hypothesis is that any organization handling protected health information should be required to meet privacy and security criteria at least equivalent to any relevant HIPAA requirements, and that rules should apply to them directly rather than through business associate agreements with covered entities.

Some of the harshest criticism came from University of Louisville Institute for Bioethics, Health Policy, and Law Director Mark Rothstein, a member of the National Committee for Vital and Health Statistics.

"It is debatable whether the HIPAA statute and its privacy rule ever provided an effective framework for regulating health policy," Rothstein declares. "It is not debatable that new developments in health IT render the HIPAA privacy rule obsolete and incapable of providing meaningful health privacy protection to consumers. Consequently, a new, comprehensive regulatory approach is necessary, and Congress will need to enact new legislation to provide HHS with the statutory authority to promulgate more far-reaching regulations."

Privacy not the main focus

Rothstein contends HIPAA was drafted with claims simplification in mind and that health privacy was an afterthought. A significant concern, he says, is that tens of thousands of providers that deal with individually identifiable health information are not subject to HIPAA because they don't submit electronic claims for payment.

"A health care provider's legal obligation to protect the privacy of personal health information should not turn on whether or how the provider is paid," he says. "The harm to be avoided has nothing to do with the method of payment, and individuals' health privacy should not vary based on the irrelevant criterion of method of claims processing. Furthermore, members of the public are already confused about the extent of protection of their health information, and they should not be put in the position of relying, perhaps to their detriment, on a federal rule of limited applicability."

According to Rothstein, the privacy rule also does not apply to many non-health care entities that routinely receive and consider information contained in individually identifiable health records, including employers, life insurers, disability insurers, long-term care insurers, financial institutions, and other public and private entities. In some instances, he says, disclosure of health information is permitted without any consent or authorization, and once information is released to an organization that is not a covered entity, HIPAA does not apply to any subsequent uses and disclosures.

Shortcomings he sees under HIPAA include: (1) the lack of coverage and enforcement of business associate arrangements; (2) individuals not being given an opportunity to opt in or opt out of a network; (3) individuals having no ability to segregate sensitive elements of their health records; (4) the lack of provisions for establishing contextual access criteria or role-based access criteria to restrict the scope of disclosures; (5) loose standards for disclosure of protected health information to law enforcement and other third-party requestors; and (6) inadequate enforcement, research, oversight, outreach, and education.

"In a real sense," Rothstein says, "the shortcomings of the HIPAA privacy rule will be magnified with the establishment of a national health information network. The foremost shortcoming of HIPAA is its limited applicability. If Congress fails to address this fundamental issue, all of the other, needed revisions of the privacy rule will be largely irrelevant. Comprehensive health information exchange demands comprehensive privacy and security protection."

'Effective privacy rule'

Taking the opposite position was Health Leadership Council President Mary Grealy. She says the five years of deliberations that led to the privacy rule "carefully weighed the competing interests in our extraordinarily complicated health care system… The result of these deliberations we believe to be an effective privacy rule."

She says the Health Leadership Council has chaired the Confidentiality Coalition, a broad-based group of organizations that support uniform national privacy standards. The coalition, she says, sought a rule that would strike a balance between protecting the sanctity of a patient's medical information and ensuring that necessary information is available for providing quality health care and conducting vital medical research. They also advocated for a rule with effective confidentiality safeguards that would not burden providers and patients with unnecessary paperwork or delays in treatment. "We believe that the privacy rule, to a great extent, achieved this balance and has increased consumers' confidence in the privacy of their medical records," Grealy says.

While recognizing that dialogue about health information technology and standards for electronic health care transactions has raised questions about the privacy and security of health information in an electronic context, Grealy says it is important to remember that it was concern about the impact on patient privacy of the health system's widespread adoption of electronic transactions that spurred the HIPAA privacy rule in the first place.

"The current HIPAA regulations are very restrictive and health care organizations like our members have taken a very conservative compliance approach in their business practices… We understand that many believe that the HIPAA privacy rule must be revised in light of electronic transfer of data and web-based access to personal health records, so that patients may trust that the system will keep their data private. We share the belief that patients' confidence in health information technology systems is of the utmost importance in order for them to be successful.

"We believe that it is vitally important that patients understand the protections contained in the HIPAA rule, so they can be confident that their records are and will be protected. We also need to do a better job informing patients and consumers how appropriate access to their health information will improve the quality of their health care and the care of future generations."

State variations could be changed

While defending HIPAA, Grealy also says it is too restrictive in that it permits "significant state variations that we believe will create serious impediments to interoperable sharing or sending of health information, particularly across state lines." She says many state laws provide for more restrictive handling of patient records for treating mental health, substance abuse, and HIV/AIDS. Also, in the original privacy rule released by HHS in 2000, patient consent was required for exchange of health care information for treatment, payment, and other health care operations. That consent provision was removed in the 2002 revision. Grealy says her council opposed the consent provision and warned that proposals to add a consent requirement for health information exchanges "would be unnecessary and harmful."

She says that if patients are able to direct where information may flow within the health care system, "it will upset HIPAA's careful calibration designed to facilitate providers having all the necessary facts for proper diagnosis and treatment."

AHIC working group meeting information is available on-line at www.hhs.gov/healthit/ahic/confidentiality/cps_archive.html.