HIPAA Regulatory Alert

Privacy implementation going well, says HHS

Compliance widespread,’ says OCR director

Department of Health and Human Services Office of Civil Rights director Richard Campanelli says that many covered entities have done a good job of coming into compliance with the HIPAA privacy requirements that took effect in April, although there remain some misunderstandings about the requirements that need to be cleared up. Campanelli presented his assessment in a Sept. 23 testimony to the Senate Special Committee on Aging.

"The privacy rule establishes the nation’s first-ever comprehensive standards for protecting the privacy of Americans’ personal health records," he said. "As of April 14, 2003, patients have sweeping federal protections over the privacy of their medical records, right to access and to correct errors in their medical records, right to control how their protected health information is used and disclosed, and a clear avenue of recourse if the rights afforded by the privacy rule are violated."

He told the senators that a number of areas that have received a lot of attention since April were significantly changed through modifications to the rule made last August, but some confusion still needs to be addressed.

One aspect of the privacy rule that had been the subject of much public response during the comment period was the requirement to obtain written consents from patients to use or disclose their protected health information to treat them, obtain payment, or carry out day-to-day operations. "Requiring consent in these contexts," Campanelli said, "would have been unnecessarily burdensome on patients and providers, and interfered with timely access to quality care, without improving privacy. It would have meant, for instance, that a doctor would have needed a patient to sign a privacy consent before he could use health information to treat that patient; that a specialist contacted by the patient’s doctor would have needed to obtain the patient’s consent to read treatment information; and that a pharmacist would have needed the patient’s consent to fill a prescription written by the provider."

He said the modifications to the privacy rule removed the requirements that providers obtain prior consent to use or disclose a patient’s health information for treatment, payment, or health care operations purposes. Although obtaining such consent is considered the optimal situation, he said, the change assures providers ready access to health information about their patients and the ability to share that information so that timely access to quality health care is not unduly impeded.

According to Campanelli, the notice requirement was strengthened at the same time by requiring direct treatment providers to make a good-faith effort to obtain a patient’s written acknowledgement of receipt of a privacy notice. "This ensures that patients have the opportunity to consider the provider’s privacy practices, both to be better informed of how their information may or may not be disclosed, and to be informed of their rights," he said.

The modifications also clarified that with reasonable safeguards, uses and disclosures that are merely incidental to privacy rule uses and disclosures will not be considered a violation. Campanelli said the rule recognizes that communications necessary for quick, effective, and high-quality health care might unavoidably lead to overheard communications. For instance, a physician may discuss a patient’s condition or treatment regimen in the patient’s semiprivate hospital room, or a pharmacist may discuss a prescription with a patient over the pharmacy counter, so long as they take reasonable precautions, such as lowered voices or stepping away from other people.

Misconceptions, not rule, cause confusion

According to Campanelli, "since April 14, 2003, there has been widespread compliance by health plans, health care clearinghouses, and those providers covered by the privacy rule. For example, physicians, hospitals, clinics, pharmacies, health insurance carriers, employer group health plans, and others have distributed notices, required by the privacy rule, that tell consumers about how their health information can and cannot be disclosed, and their rights. . . . Given the extensive scope of the protections established in the privacy rule, implementation has gone smoothly, without the disruption of the health care system that had been predicted in some quarters."

When confusion has arisen, he said, it appears to be not because of problems with the privacy rule itself, but rather because of misconceptions about the rule. In addition, he said, it appears that providers and other covered entities are educating other covered entities where overly restrictive practices were initially adopted and incorrectly blaming them on the privacy rule.

"For example," Campanelli said, "we have heard reports that some covered entities are reluctant to share health information with other providers, for the purpose of treating their patients, claiming that the privacy rule requires that patients execute written consents for these disclosures to occur." Providers who attribute this practice to the rule apparently are unaware that it was modified specifically to permit treatment disclosures among providers without a need for patient consent, he said.

He also mentioned receiving reports of providers saying they cannot share information with family members or loved ones. The reality, he said, is that rather than foreclosing such communications, the privacy rule provides a number of common-sense methods that appropriately permit such disclosures while respecting and protecting individuals’ right to control their health information. In a similar vein, incorrect reports that clergy can’t get information they need about congregation members who are hospitalized have circulated. Campanelli reported that hospitals may continue to maintain patient directories with information including a patient’s religious affiliation if the patient shares it. He said clergy can always ask for individuals by name and get the information they need, but also can refer to hospital directories if the hospital maintains one.

"It appears that confusion on these issues is dissipating as covered entities and consumers become more familiar with the rule’s requirements," he told the committee. "The problems do not arise because of the privacy rule, but rather seem to arise either because providers have elected to take a more restrictive approach than the privacy rule requires, or because of a misconception about the requirements of the privacy rule." He said the Office of Civil Rights has conducted and is continuing to use an extensive public education effort so providers and consumers know what is and is not in the rule.

(Additional information is available from www.hhs.gov.)