The trusted source for
healthcare information and
Health care providers and attorneys who spent part of the Christmas holiday sifting through the 1,500-page document that comprises the patient privacy regulations released by the Clinton administration last week uncovered both good and bad news.
The first concern simply is the shape of the regulation itself. When the standardization portion of the Health Insurance Portability and Accountability Act of 1996 was released last summer, some observers voiced concern that the two remaining components — privacy and security — would not be released together. But that is essentially what has happened.
The final privacy regulation contains some references to security, such as the requirement that hospitals appoint a privacy officer, but it falls far short of the security component the Department of Health and Human Services (HHS) had touted earlier. Now the agency isn’t saying when further security requirements might emerge.
On the whole, Karen Ignani, president of the American Association of Health Plans (AAHP) in Washington, DC, argues that the final regulation fails to strike a "fair balance" between patient privacy and access to optimal health care. But she also cites a range of areas that still are subject to interpretation.
For example, Ignani says it is unclear exactly when an individual must sign an authorization and how that should be organized administratively. But that is just the tip of the iceberg. "Rather than learning from the experience that has occurred in various states, this repeats the mistakes that have been made in the past that have been remedied at the state level," she argues.
Ignani points to Hawaii, where she says similar regulations shut down workers’ compensation treatment and jeopardized the ability of health care providers to implement independent review. In Minnesota, she says, regulations similar to those in the final rule made it almost impossible to use health care information for treatment and research. "Clearly, that is not what anyone on any side of this debate wanted," she says.
According to Dan Mulholland, a partner with Horty Springer in Pittsburgh, the potential threats don’t stop there. "They said that there is no federal right to sue," he asserts. "But I can see somebody very easily making the argument that failing to abide by these rules constitutes negligence, and that would open the door for state lawsuits."
In fact, Mulholland says, even after reading the proposed regulations, he feared the trial bar could make an end run around any prohibition or limitation regarding federal lawsuits included in the regulations.
Mulholland’s theory goes something like this: Many states consider it negligence — or at the very least evidence of negligence — when a set of federal regulations that establishes a standard of conduct (such as maintaining the confidentiality of health information) is violated.
As a result, any breach of confidentiality or violation of the rules could be portrayed as negligence on the part of the provider, Mulholland speculates. "It is only a small step from there to some class-action suit where essentially hospitals or HMOs are held at gunpoint," he says. "Then it becomes a real serious matter."
But not all the news is bad, says Rick Smith, vice president of public policy and research at AAHP. Notably, he points out that the final regulations do not include a private right of action. But he adds that it is also clear that the Clinton administration regrets it did not have the authority to include such a provision.
"The legislation did not intend the private right of action given that there are a series of enforcement measures and penalties available," he explains. "The effort to make individuals third-party beneficiaries of contracts appeared to be an attempt to go well beyond the intent of Congress by bootstrapping in an ability to sue under certain circumstances.
"This is one of the more complex areas of the regulation," he cautions. "There have been some accounts that suggest that the concept of third-party beneficiary may have been somewhat narrowed, although not eliminated."
It is unclear whether Congress will attempt to undo that victory for health care providers. Sen. Patrick Leahy (D-VT) argues that Congress should grant patients a private right of action when their records are misused. But a member of his staff says it is too early to know if hearings on that issue will even be scheduled in the upcoming Congressional session.
Another major question still facing providers is whether Congress will take further steps in this area to create uniformity across states. Congress did not grant HHS that authority. As a result, state laws still are in effect when they are more stringent than federal requirements, leaving providers with a messy patchwork of laws they must cope with.
The most significant changes in the final regulation are that they now cover paper records and oral communication as well as electronic records, and they now require that most providers obtain patient consent for even routine use and disclosure of health records.
The new standards are designed to limit the nonconsensual use and release of private health information and give patients new rights to access their medical records and to know who else has accessed them.
In unveiling the final regulations Dec. 21, President Clinton said the sweeping privacy protections were "carefully crafted" to protect patient privacy in the new era of medical and technological innovation.
He cited one recent survey that showed that more than a third of all Fortune 500 companies check medical records before they hire or promote. Also, one large employer in Pennsylvania had no trouble obtaining detailed information on the prescription drugs taken by its workers.
Clinton also argued there’s a need for further protections that only Congress can provide. For example, he said, only new legislation from Congress can make these new protections fully enforceable and cover every entity holding medical records.