The Clinton administration leaves health care risk managers with a final regulation establishing the first-ever federal privacy protections for personal health information. Risk managers say the rule’s implementation may not be easy.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which applies to health insurers, virtually all health care providers and clearinghouses, is intended to give consumers more control over and access to their health information; set boundaries on the use and release of health records; safeguard that information; establish accountability for inappropriate use and release; and balance privacy protections with public safety.
The administration changed the proposed rule by strengthening several key protections, including: extending protections to personal medical records in all forms including paper records and oral communications; providing for written consent for routine use and disclosure of health records; protecting against unauthorized use of medical records for employment purposes; and ensuring that health care providers have all the information necessary to appropriately treat their patients.
The impact of the regulation on health care providers will be tremendous, says Geri Amori, PhD, ARM, FASHRM, risk manager with Fletcher Allen Health Care in Burlington, VT. Amori also is president of the American Society for Healthcare Risk Management.
"This is going to change the entire way we use technology and the entire way we do care now," she says. "It’s going to have some significant implications on the care we provide. It has to. We won’t know what all of those are until we’re into it more."
In releasing the final rule, White House officials said Americans are increasingly concerned about losing their privacy. Recent studies show a rising level of public concern about privacy issues. In 1999, more than 80% of people surveyed agreed with the statement that they had lost all control over their personal information.
"Personal health information can be distributed without consent for reasons that are unrelated to treatment," President Clinton said in releasing the rule. "Under the current loose patchwork of state laws, information held by an insurer can be passed on to a lender who can then deny that patient’s application for a home mortgage or a credit card, or to an employer who uses it in personnel decisions. Personal health information may be disclosed for insurance underwriting purposes, market research, or any other reason without any safeguards to protect it against misuse."
Proponents of the new rule also point out that patients are often unable to access their own medical records. In addition, patients wishing to access or control the release of such records may be unable to do so because of overwhelming barriers established by their insurance company, health care provider, or anyone else who holds their records. The final regulation, which will be fully implemented within two years, is being issued under the authority of the bipartisan Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Amori says the rule should give patients more of a sense of control.
"It’s going to bring to active consciousness something about which many people have been concerned for a long time — privacy in an era of technology," she says. "When I was a kid, my doctor used a 3-by-5 card with my health information on it. As we’ve grown, the amount of technology and the way we use it has grown exponentially. It was inevitable that we would need legislation."
Amori compares the privacy rule to last year’s Institute of Medicine (IOM) report on medical errors. The privacy rule will stir up trouble for risk managers, she says, but it actually is based on sound risk management principles.
"Like the IOM report, it lends backbone to a lot of things we have been saying we needed for a long time," she says. "But it also complicates some of the things we deal with, like ethical issues and payment issues. It is going to increase the complexity of some of our tasks, and it will introduce some new variables."
Recognizing the savings potential of standardizing electronic claims processing, together with the need to protect privacy and security, Congress required that the overall financial impact of the HIPAA regulations reduce costs. Accordingly, the financial assessment of the privacy regulation nets the 10-year, $29.9 billion in savings the Department of Health and Human Services projects for the recently released electronic claims regulation against the $17.6 billion in costs projected over 10 years for the privacy regulation. This produces a net savings of approximately $12.3 billion over 10 years for the health care delivery system while improving efficiency as well as privacy protections.
"I don’t think the rule is bad. Like the IOM report, it’s a thorn but a good thorn," Amori says. "It’s what needs to happen, but it’s not going to be easy." (The privacy rule is only one part of the HIPAA regulation. See "Other components added to rules list" in this issue for details.)
Some providers have expressed concern that the rule places an unreasonable burden on them to obtain consent from patients before disclosing medical information in almost any way. The requirement was strengthened from the original proposal so that now the patient must give written consent for just about any type of information release. Providers will have to retain the consent forms for a minimum of six years.
Under the new rule, patients may ask health care providers to restrict how medical information is used within the health care system for treatment, payment, or any other function. And after providing consent, restricted or not, for such purposes, the patient can revoke the consent.
The rule essentially gives the patient a great deal of control over how any medical information is used, and that will be a difficult change for providers, Amori says. Even though providers have long acknowledged that they must protect a patient’s medical information from prying eyes, Amori says they also have been the arbiters of who gets to look and who doesn’t. The HIPAA regulation takes that control from the provider and gives it to the patient.
"We can no longer be the beneficent paternalist," Amori says. "This rule will fly in the face of a lot of old-style medicine. It will change a lot of the routine ways things are done."
Amori says the rule creates a lot of new exposures for risk managers to consider. The government can impose fines for not adhering to the privacy regulation, and Amori says it is inevitable that hospitals will be hit with those penalties. It is uncertain how those fines might be covered by insurance policies, but Amori says she doesn’t expect they would be covered since government fines usually are not.
As soon as the rule was released, health care organizations started squealing and promptly went to the incoming Bush administration for help. The Health Care Leadership Council, an association of 50 chief executives from large health care companies, immediately sent an appeal to the Bush administration, asking for "a more balanced approach to protecting privacy." The American Hospital Association also released a statement saying it would ask the Bush administration for help in changing the rule.
The American Medical Association also expressed concern. The association agrees in principle with the Clinton administration’s latest effort to safeguard the privacy of each individual American’s medical records, according to Donald Palmisano, MD, of the American Medical Association’s Board of Trustees. However, Palmisano cautions that patients and physicians will not know the real benefits, burdens, and costs until the complex maze of new rules and regulations is closely analyzed.
"This is a big step and the devil really is in the details this time," Palmisano says. "It’s important to make sure that good intentions don’t produce unintended consequences. We will be closely examining the new rules to make sure there are no dangerous loopholes or unexpected problems."
Palmisano, a New Orleans surgeon and attorney who is a national expert on patient privacy and confidentiality issues, says there are three things he considers essential for patients’ medical information to remain secure.
"Nothing should be disclosed without the patient’s consent," he says. "Unfettered access to a patient’s health information by government agencies and law enforcement is unacceptable. A patient’s physician must not be unfairly held liable for any misuse of confidential patient information by some third party who might also be doing business with that physician."
The HIPAA privacy rule was changed in some significant ways from its earlier proposal, and risk managers are likely to find that some of the changes are good and some aren’t. Jack Rovner, partner and co-chair of the Chicago health law practice group for Michael Best & Friedrich, says he is impressed with how much the rule was changed in response to the concerns of health care providers.
"They paid a lot of attention to industry comments and the need to accommodate some industry functions that the proposed rule would have made problematic," he says. "They kept in the forefront the government’s idea that protections are necessary for the patient, so it’s still a strong piece of rulemaking."
Rovner says two of the most talked-about changes aren’t likely to hit health care providers hard. The final version of the rule requires that patients give written consent for virtually every release of medical information in the course of treatment, even going from one hospital department to another. That may be overkill in some providers’ view, but it shouldn’t create too much of a problem because providers already do that or something very close to that, Rovner says.
"You sign an informed consent when you first go for care," Rovner says. "How much you have to change that procedure to comply with this rule depends on how extensive the consent already is."
Rovner notes, however, that the rule now provides penalties for not obtaining proper consent. Many providers will not have to change their procedure much for the initial consent, but the ramifications of failing to do so may be much greater than before.
Some providers have expressed concern about a change that extends the privacy protections to all medical records, both paper and electronic. The previous proposal covered only electronic records. While that change may seem like it increases the compliance burden, both Rovner and Amori say providers won’t see much difference.
"The truth is that anything you have on paper these days, you probably have on computer, and vice versa," Amori says. "So that information would be covered in either case. The change could be more significant for some rural hospitals that don’t use computers much, making the rule have more effect for them than it would have before."
The final version of the rule includes a major change that risk managers will welcome. In the proposed version of the rule, providers could make available only the "minimum-necessary" information about a patient even when the patient gave consent for the information transfer. That provision raised all sorts of questions about how doctors would communicate with each other, with some analysts suggesting that the primary doctor would have to be cryptic when talking with a specialist for fear of revealing too much patient information. No one in the health care industry liked that scenario, and it apparently won’t come to pass.
Now, the rule states that the "minimum-necessary" provision does not apply to such doctor-to-doctor consultations. "That’s a major change and a good one," Rovner says.
But the "minimum-necessary" provision still applies to a great many situations.
"The "minimum-necessary" provision says that employees should only see information they need to do their job. You can’t just hand over the medical record and let them find what they need," he says. "That’s going to require some major analysis of what everyone’s job functions are and how you can control information so they get what they need to do their jobs but nothing else. Claims processing doesn’t need to see the same information that the nursing staff does."
Other changes in the final rule allow integrated health care organizations to share information as if they were a single entity, even if they actually are several facilities. This change recognizes the "real world of how health care is delivered," Rovner says. In a hybrid organization with both health care and nonhealth care members, the rule allows the information to be shared between the health care entities but not with the others.
Also, protected health care information cannot be provided to any human resources department within the organization. The only exception is a situation, such as workers’ compensation treatment, in which an outside employer has purchased the health care and the patient has consented to such a release.
For risk managers, the work starts now. Rovner and Amori suggest that health care risk managers start assessing how much current policies and procedures will have to be changed to comply with the rule. Amori suggests that the greatest impact probably will be felt on the financial side of the health care operation. The rule makes it clear that billing employees, for instance, must not have access to protected patient information beyond what their billing tasks require. It is not sufficient to ensure that they do not disclose or otherwise misuse the information; systems may have to be revamped to ensure they do not even have access to it.
Much of the risk manager’s work will involve assessing just what information is necessary for certain staffers to do their job. And risk management experts agree that there are a lot of gray areas and unanswered questions that will not be settled until providers move forward and try to comply with the rule.
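In engineering terms, the "minimum-necessary" analysis Rovner and Amori describe is a least-privilege access policy: each job function gets a view of the record limited to the fields it needs, the patient's consent and any patient-requested restrictions are checked before anything is released, and every decision is logged. The following is an added illustration written for this page, not code from the article, from the rule, or from any of the organizations quoted. The roles, purposes, field names and the sample patient record are all assumptions chosen for the example; they reflect the situations the article raises (claims staff versus nursing staff, no release to human resources, revocable consent, patient-requested restrictions) rather than the text of the regulation.

```python
from dataclasses import dataclass, field

# Constructed sample record for a fictitious patient; the field names are
# assumptions for this example, not a schema from the rule or any real system.
RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "diagnoses": ["type 2 diabetes"],
    "medications": ["metformin 500 mg"],
    "clinical_notes": "A1c reviewed; dose adjusted.",
    "insurer": "ExampleCare",
    "procedure_codes": ["99213"],
    "charges": 120.00,
}

# Minimum-necessary policy (assumed roles): each role may see only the fields
# its job needs. Treating clinicians see the clinical record, claims processing
# sees billing fields only, and human resources sees nothing at all.
ROLE_FIELDS = {
    "physician": set(RECORD),
    "nurse": set(RECORD) - {"insurer", "procedure_codes", "charges"},
    "claims": {"patient_id", "insurer", "procedure_codes", "charges"},
    "human_resources": set(),
}


@dataclass
class Consent:
    """Purposes the patient has consented to, plus any fields the patient has
    asked the provider to restrict. The purpose names are assumptions."""
    purposes: set = field(default_factory=lambda: {"treatment", "payment", "operations"})
    restricted_fields: set = field(default_factory=set)

    def revoke(self, purpose):
        """The patient may withdraw consent for a purpose after giving it."""
        self.purposes.discard(purpose)


class AccessDenied(Exception):
    pass


def minimum_necessary_view(record, role, purpose, consent, audit):
    """Return the subset of `record` that `role` may see for `purpose`.

    Grants and denials are appended to `audit` so the decision, not just the
    disclosure, is on record. Denials raise rather than return an empty dict so
    a caller cannot silently mistake "no access" for "no data".
    """
    allowed = ROLE_FIELDS.get(role, set())
    if not allowed:
        audit.append(("deny", role, purpose, "no fields permitted for role"))
        raise AccessDenied(f"role {role!r} has no minimum-necessary fields")
    if purpose not in consent.purposes:
        audit.append(("deny", role, purpose, "no consent on file for purpose"))
        raise AccessDenied(f"patient consent for {purpose!r} is absent or revoked")
    # Patient-requested restrictions are removed even from otherwise-allowed fields.
    visible = allowed - consent.restricted_fields
    audit.append(("allow", role, purpose, sorted(visible)))
    return {k: v for k, v in record.items() if k in visible}


def demo():
    """Walk through the cases the article raises; returns the audit trail."""
    audit = []
    consent = Consent()
    # Claims processing sees billing fields but no diagnoses or notes.
    claims_view = minimum_necessary_view(RECORD, "claims", "payment", consent, audit)
    assert "diagnoses" not in claims_view and "charges" in claims_view
    # Human resources gets nothing, whatever the stated purpose.
    try:
        minimum_necessary_view(RECORD, "human_resources", "operations", consent, audit)
    except AccessDenied:
        pass
    # The patient restricts one field; the nurse's view loses it, treatment continues.
    consent.restricted_fields.add("medications")
    nurse_view = minimum_necessary_view(RECORD, "nurse", "treatment", consent, audit)
    assert "medications" not in nurse_view
    # The patient revokes payment consent; billing access now fails closed.
    consent.revoke("payment")
    try:
        minimum_necessary_view(RECORD, "claims", "payment", consent, audit)
    except AccessDenied:
        pass
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the design is the one Amori makes: billing staff are kept out of clinical fields by the policy table, not by an instruction to look away, and the audit list records who was allowed to see which fields for what purpose. Where the clinical roles overlap (physician and nurse here) the table is the place to encode the job-function analysis the article says each provider must do.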
"We recently looked at some of the envelopes we use to mail information to OB/GYN patients, and that got us wondering," Amori says. "If the envelope says OB/GYN on the outside, does that reveal too much information about the patient? We don’t know how far this is going to go. Questions are going to come up as we move along."