Final HIPAA privacy rule contains good news for providers

Nevertheless, experts say many hospitals still have significant work ahead of them

The Department of Health and Human Services (HHS) last week released final regulations implementing changes to the Health Information Portability and Accountability Act (HIPAA) privacy rule.

The news was mostly good for providers. "The final rule contains a few surprises," says John Bentivoglio, former chief privacy officer at the U.S. Department of Justice. However, the vast majority of changes were in the proposed rule issued last March, he says.

The Chicago-based American Hospital Association (AHA) applauded HHS for adopting the changes. "The final regulations retain strong protections for patients’ medical privacy rights while eliminating some major barriers to timely and effective care," the association contends.

Most importantly, the final regulations adopt the proposal to allow written acknowledgment to substitute for written consent requirements and retain written consent as an option. The final rule also allows for the disclosure of "facially de-identified" data for health care operations and research pursuant to a data-use agreement, according to the AHA.

Bill Braithwaite of PricewaterhouseCoopers in Washington, DC, says he was mildly surprised at how HHS handled the consent issue. "There was a lot of controversy about it, and I would have expected them to compromise a little bit," he says. "Yet, they just adopted what they proposed."

The final rule also allows an additional year to incorporate the business associate requirements into existing written agreements that are not up for renewal and significantly simplifies the research authorization requirements.

The final rule also tightens the restrictions on marketing, says Mary Grealy, president of the Healthcare Leadership Council in Washington, DC. For example, she says it now is very clear that you cannot sell lists of names of patients to pharmaceutical companies.

Braithwaite says HHS did a credible job trying to draw "a difficult line" in this area. "The proposal was way off in one direction," he says. "Their final [rule] was closer to what providers wanted."

Research is another area where HHS made "some very sensible improvements," according to Grealy. For example, a proposal made during the Clinton administration would have required research organizations to remove 19 pieces of identifiable information. "If you were to remove all 19 pieces, the information was useless," she argues.

In the final rule, that list has been shortened considerably. Research institutions are not permitted to use "direct identifiers" such as name, Social Security number, address, e-mail address, or anything that can directly identify a person.

However, they can use items such as the date of admission to a hospital, date of birth, and zip code. "For people doing epidemiological studies, they can still detect patterns they need to detect," says Grealy.

AHA called on HHS to quickly release the security rule, which it says is needed for timely and seamless implementation of the new privacy rule. Now that the final privacy rule is published, Braithwaite says HHS officials working on the security rule can finish their harmonization to make sure the privacy and security regulations are completely compatible. "That means it probably cannot be published before October," he predicts.

Even with the relaxation of certain requirements, the final privacy rule will require sweeping operational changes, the AHA warns. "Now that the final rule has been put to bed, it will be a real race for many companies to comply with the April 14 deadline," Bentivoglio adds.

Because the final rule was subject to change, he says many companies opted to defer a variety of compliance activities, such as drafting agreements. "With the rule in place, companies are confronting the reality that they only have a few months to come into compliance," he says.

Braithwaite says the readiness of most providers depends on whether they have been looking for an excuse to delay their preparation. "Many hospitals and other providers are really strapped for resources," he says. "They have been squeezed pretty tight over the last decade, and they are looking for any excuse not to spend money because their bottom line is really hurting."

According to Braithwaite, who helped draft much of the privacy rule as a senior official at HHS, the final rule is not as onerous as many people believe.

"It is mostly a matter of drafting policies and procedures, writing and filing some documents, and changing some processes," he argues. "It is not that different from what they should already have been doing, although they may not have.

"Many providers may actually have many of the policies and procedures in place already," he adds. "They just have yet to bring them together in a coherent privacy and security plan."