HIPAA privacy requirements considered ‘burdensome’

First year smoother than expected

Providers and health plan representatives say two provisions of the HIPAA privacy rule — the requirement to account for certain information disclosures and the requirement to develop agreements with business associates that extend privacy protections "downstream" — are unnecessarily burdensome, according to a recent report from the Government Accountability Office (GAO). While the report found that implementation of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule went more smoothly than expected during the first year after most entities were required to be compliant, a variety of issues that continue to be problematic were raised.

The GAO has recommended that the Department of Health and Human Services (HHS) modify the privacy rule to exempt public health disclosures from the accounting of disclosures requirements.

"This requirement is seen by many to have created a costly and unnecessary demand on providers and health plans, and a drag on the flow of information for purposes considered to be in the public interest," the GAO said.

"Public health entities noted that some states have had to take concerted action to ensure that providers’ concerns about complying with the privacy rule do not impede the flow of important information to state health departments and disease registries," the report stated. "Some consumer advocacy groups told us that patients’ families, friends, and other representatives have experienced unnecessary difficulty in assisting patients.

"These groups perceived that while providers and plans are allowed, in certain cases, to disclose health information without written patient authorization, they are reluctant to do so," the report continued.

Patients do not understand privacy rules

There is also an indication that the general public is not well informed about its rights under the privacy rule. According to consumer and provider representatives, the report said, patients may not understand the privacy notices they receive, or do not focus their attention on privacy issues when the notices are presented to them.

"Some evidence of patients’ lack of understanding is reflected in the 5,648 complaints filed with the Office for Civil Rights (OCR) in the first year after the privacy rule took effect," the report said. "Of the roughly 2,700 complaint cases OCR closed as of April 13, 2004, nearly two-thirds were found to fall outside the scope of the privacy rule because they either involved accusations of actions that were not prohibited by the regulation, involved entities that were not ‘covered entities’ as defined by the privacy rule, or involved actions that occurred before covered entities were required to be compliant."

Of those that were germane to the rule, the report continues, OCR determined that about half represented cases in which no violation had occurred.

The report, which can be found at www.gao.gov, recommended that HHS conduct a public information campaign to improve patients’ rights under the rule.