As usual, the devil is in the details
For three years, Congress had the self-imposed mandate to enact comprehensive national medical record privacy standards. It failed to act, and on Nov. 3, the Clinton administration proposed its own standards for electronic medical records. The impact on health care providers will be significant, observers say.
The standards will cover health care providers, health plans, and health care clearinghouses that transmit information electronically. Protection would start when the information becomes electronic and would stay with the information as long as it is in the hands of a covered entity. The regulations will also allow patients access to information about how their records have been used and disclosed. In addition, "redisclosure" can occur only with authorization from the patient. (For more detail about the legislation, see related story, p. 3.)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required Congress to enact privacy standards by Aug. 21, 1999. If Congress was unable to meet that deadline, language in HIPAA required the Secretary of the Department of Health and Human Services (HHS) to issue final regulations by Feb. 21, 2000.
The proposed standards represent an "unprecedented step toward putting Americans back in control of their own medical records," President Clinton said when he introduced the legislation on Oct. 29. Since its publication, the proposed rule has been open for comment from the public for 60 days.
How far-reaching and complex this legislation might be will not be understood until the government releases its final standard for data security, Fried says. "These two [rules] will work together. Data security is largely a technology issue. These privacy requirements are the human side of the protection."
Fried expects the final standard for data security to be strict. "In my conversations with senior officials who are involved with this, they [say they] believe protecting medical privacy requires an even higher standard of security than the security that is available for large financial transactions taking place on the Internet." (For more information on preparing for HIPAA standards, see related story, p. 5.)
Still more to do
Although President Clinton expressed frustration in his remarks that Congress had failed to pass legislation, Fried wonders whether Congress had the political ability to address medical records’ privacy. "There were strong positions on several issues that kept Congress from meeting its responsibility to enact legislation, which is why the secretary is doing what she is required to do," he says.
The initial reaction to the legislation seems positive. After a "first glance" review of the summary of the regulation, the American Health Information Management Association (AHIMA) in Chicago says it seems to "balance the need for confidentiality with the need to access information for important activities, such as quality improvement and medical research." Still, "the devil is in the details," the association adds.
Some of the concerns focus on the problem that the secretary’s policy only addresses electronic medical records, not paper medical records. HIPAA only allows HHS to be that expansive, Fried says.
"The secretary said that any document that has been communicated or stored electronically, even if it’s ultimately a paper document, is covered by this regulation," he adds. "Does that mean that a faxed document is covered by this regulation? As currently written, I’d say the regulation requires that it is."
HHS Secretary Donna E. Shalala acknowledged the legislation’s limitations. "Under HIPAA, HHS does not have the authority to protect records that are maintained in paper form only. HIPAA also does not allow HHS to issue standards for records that are maintained by other insurers, or by employers for workers’ compensation purposes," according to a written statement.
"The proposed rule does not establish appropriate restrictions on the use or redisclosure of such information by likely recipients, such as researchers, life insurance issuers, marketing firms, or administrative, legal, and accounting services."
Congress has the responsibility of passing legislation that covers paper medical records, too. "It remains incumbent upon Congress to pass comprehensive confidentiality legislation that protects all information equally — whether it’s in paper or electronic format — and establishes a single, stringent national standard that serves as the law of the land," says Linda L. Kloss, MA, RRA, AHIMA’s executive vice president and CEO.
In addition, only Congress can provide consumers with the right to take action in court when their medical information is used inappropriately.
Another concern: The policy sets a federal floor, allowing states to develop more stringent privacy regulations. "We could end up with a hodgepodge of medical privacy regulations that would be difficult to administer," Fried says. Consumers, therefore, would find they have different privacy protection depending on where they live. Organizations that operate over the Internet or across state lines would find the different levels of protection inefficient and chaotic, he adds. "I think it’s a difficult standard."
Although HHS estimates the five-year cost for covered entities to be at least $3.8 billion, Fried says the health care industry still does not have a good sense of what the overall cost of the legislation will be. "Here is an interesting question; when we begin to really understand what the cost is, what impact will that have on the health care system?"
Even with his concerns, Fried says he thinks the legislation is "ultimately a good thing."
"Patients and consumers have a lot of anxiety about the privacy of their medical information. These are private matters that people want to have protected," he says. "As the Internet begins to get more and more used by health care providers, I think that it is good for the health care industry to be able to assure consumers that their most private information will be protected."
And the health care industry has time to prepare for the implementation of the standards, Fried says. "Don’t panic [about them]. The regulations that were published [recently] are proposed." The final regulations aren’t due out until the end of February, and providers then have a two-year implementation period.
"Hospitals and other providers need to begin to understand what is likely to be required when the regulations become final," he continues. "There will be plenty of time to begin to develop privacy processes and disclosure policies, compliance plans, and to train staff. It will be important for all health care providers to understand what will be required of them and to take steps necessary to be in compliance."