HIPAA Regulatory Alert: Fear, anxiety, frustration, and anger on the HIPAA road

OCR should improve HIPAA responses, report says

There is "an extremely high level of confusion, misunderstanding, frustration, anxiety, fear, and anger" in a broad range of people and organizations as the April 14 compliance date for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule nears.

That’s the finding of the National Committee on Vital and Health Statistics, a statutory public advisory body to the secretary of Health and Human Services (HHS) in the area of health data and statistics.

The 18 private-sector individuals on the committee have, according to HHS, distinguished themselves in the fields of health statistics, electronic interchange of health care information, privacy and security of electronic information, population-based health research, purchasing or financing health care services, integrated computerized health information systems, health services research, consumer interests in health information, health data standards, epidemiology, and the provision of health services.

In a letter to HHS Secretary Tommy Thompson after three public hearings sponsored by the committee to learn about implementation activities of entities covered by HIPAA, the group said that despite widespread support for the goals of HIPAA and the privacy rule, there are many problems still to be resolved and not much time in which to address them.

The letter suggests that the HHS Office of Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) improve their coordination of education, outreach, and technical assistance by working more closely with different industries, states, and federal health care programs.

In particular, it said, OCR should improve its responses to HIPAA-related questions and enhance its web site to help explain the compliance process. And, it said, HHS should recommend that Congress provide financial assistance, through grants, increased reimbursements, and incentives for providers struggling to comply with HIPAA.

OCR guidance faulted

The committee reported that many witnesses at the hearings said they viewed OCR as not providing adequate guidance and technical assistance. In particular, they "lamented the lack of model notices of privacy practices, acknowledgments, authorizations, and other forms.

"Many witnesses also complained that general guidance was of limited value because of their special industry or professional circumstances. Witnesses conveyed a great sense of frustration that they could not obtain any clarifications from OCR or answers to the questions they submitted via OCR’s web site."

Pre-emption issues made compliance difficult

Many witnesses indicated to the committee that issues of pre-emption made compliance much more difficult, costly, and complicated. To determine whether state privacy laws or the HIPAA privacy rule applies to many health privacy issues, covered entities have to obtain a comprehensive pre-emption analysis detailing whether state or federal laws apply.

The committee said the analyses often are lengthy documents that are expensive to research, highly technical, and not binding on any enforcement agency or the courts. Large, multistate covered entities need to have an analysis for every jurisdiction in which they do business, and there is no national coordination on the issue of pre-emption, and state and local efforts vary widely in their degree of completion and the cost to obtain copies. A related issue, the committee said, involves conflicts and overlaps between HIPAA and other federal laws dealing with privacy.

Based on testimony at the hearings, the committee declared that "the lack of clarity on compliance responsibilities, the unavailability of free and authoritative model forms, and the absence of widely available training materials have left many covered entities lacking the wherewithal to come into compliance."

Small providers giving up

Several witnesses told the committee that less than half of all small providers had made any effort to comply with the privacy rule and that some have no intention of trying to comply.

"One witness reported that some rural providers have given up on compliance and adopted the position that I can’t do this; let them catch me,’" the letter says. "Even more troubling are the potential adverse effects on the health care system. Some witnesses said that some Medicaid and other safety net providers may drop out of the system of providing care to indigent patients because they cannot afford to absorb the costs of complying with the privacy rule, and there is no way to pass along the costs."

The committee also cited witnesses’ fears surrounding HIPAA. Many expressed concern about the possibility of overzealous enforcement by OCR and private lawsuits, both of which were expected to be costly to defend.

Other witnesses said that fear of violating HIPAA has resulted in negative health outcomes, including providers refusing to share patient medical information that would be helpful in treating another patient, and a decline in mandatory or permissive reporting of essential health data to public health agencies, tumor registries, and other entities.

Another key area in the remaining months will be training, the committee said. "Millions of health care workers will need to be trained in the next few months, but there is a shortage of expertise, materials, and funding. Overwhelmingly, witnesses said that generic training will not work; to be successful it must be customized by industry, entity, and job description.

In addition, consumers have received virtually no information about HIPAA, and it will be difficult for them to understand the basis or context for the myriad notifications, authorizations, and other forms with which they will soon be presented. Public education is complicated by consumers’ varying levels of education, cognition, and language proficiency."

The committee said it is aware of the limited resources available to the department, and urged that as much as possible be given to OCR so it can accomplish the massive technical assistance, outreach, and education efforts needed in the coming months to ensure successful privacy rule compliance efforts.

(Editor’s note: Download hearing testimony and other materials from the committee’s web site at www.ncvhs.hhs.gov.)