HIPAA Regulatory Alert

Privacy expert urges clarification for privacy regs

Health Privacy Project advocates increase in technical guidance

Health Privacy Project executive director Janlori Goldman said that while many glitches and misinterpretations of the HIPAA privacy regulation have been resolved, others remain and should be addressed by the Department of Health and Human Services (HHS) or Congress. Goldman made her comments in testimony before a subcommittee of HHS’ National Committee on Vital and Health Statistics.

"Where misinterpretation persists," she said, "we urge that both the HHS Office of Civil Rights and the professional and trade associations representing providers, plans, and others affected by the law aggressively step up their technical assistance and guidance. We believe that resources should be devoted to proper and vigorous implementation, and not to using misunderstanding and mishap to build public opposition to the law."

Goldman told the subcommittee that the HHS Office of Civil Rights has received thousands of complaints from consumers since the implementation of the privacy regulation, and a number of the complaints have been referred to the Justice Department as possible criminal violations of the rule. However, no penalties have as yet been imposed.

Five changes sought

She listed five areas in which the privacy rule should be strengthened:

1. Enforcement provisions should require a covered entity to disclose information to law enforcement only in response to a court order issued by a neutral magistrate under a Fourth Amendment probable-cause standard.

2. The section on use of health information for marketing purposes should be strengthened by expanding the definition of marketing and by reinstating the rule’s original safeguards, which required covered entities to give consumers notice if a communication was generated by a third party with remuneration to the covered entity and allowed consumers to opt out of further such communications.

3. The scope of the rule should be expanded so that the list of covered entities includes employers, life and disability insurers, pharmaceutical companies, and others who collect sensitive information directly from consumers.

4. People should be given the right to sue under the privacy regulation if their rights are violated.

5. HHS should be required to conduct periodic compliance reviews of covered entities and make a bigger effort to educate the public about its rights under the privacy rule, if it is going to rely on complaints from the public for enforcement.

(For more information, go to www.healthprivacy.org.)