The trusted source for
healthcare information and
The Department of Health and Human Services (HHS) has gone beyond its proposed rule and given the privacy of health information even more protection in its final regulations, which were released Dec. 20. Some industry analysts charge that the rule could seriously impede the flow of critically important information.
The most significant change in the final regulations: They now apply to paper records and oral communications in the hands of covered entities in addition to electronic records. The regulations also limit the routine and non-routine release and use of private health information. (See "Highlights of the Final Regulations," in this issue.)
The privacy regulations are part of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996; they were designed to limit the non-consensual use and release of private health information and to give patients the right to access their medical records and to know who has access to them. The regulations will go into effect in two years.
HIPAA imposes a massive and complex burden on providers, health plans, and clearinghouses, as well as their business associates, say attorneys from the law firm Davis Wright Tremaine. "It’s going to touch on almost every facet of hospital operation and the patient care process," says Reece Hirsch, JD, a partner in the firm’s San Francisco office.
Some analysts are openly critical of the final privacy rule. "We are very concerned about the new requirement that providers must now obtain prior written consent for even the most routine health care treatment and payment," says Mary Grealy, president of the Healthcare Leadership Council in Washington, DC.
The regulations will impede the flow of essential data to health providers and medical researchers, and patients will pay the price, she says. "Within these hundreds of pages of rules and regulations there are numerous hurdles, barriers, and obstructions that will curtail the flow of information through the health care system. Who pays the price when a doctor, a pharmacist, or a lab technician can’t get the information they need in a timely manner? The patient will, and that’s something about which we should all be concerned."
The American Hospital Association in Chicago is concerned that hospitals could be held responsible for the mistakes of its business partners, such as insurers, clearinghouses, and accrediting agencies that misuse patient information. "While hospitals will take every step possible to ensure that contractors comply with these important rules, with anywhere between 50 to 750 business partners, it’s unrealistic to expect them to monitor the internal business practices of each," says Dick Davidson, AHA president.
His organization is also troubled that the rule gives law enforcement officials easy access to patient records without sufficient restrictions on how that sensitive information can be used, Davidson says. For example, law enforcement officials can request protected information for the purposes of locating a missing person.
"We have visions of America’s Most Wanted calling an institution and asking for information," says Dan Rode, MBA, FHFMA, vice president of policy and government relations for the American Health Information Management Association (AHIMA) in Chicago. "There needs to be some clarification [of this provision] — I’m not sure that’s what [HHS] meant."
Although the AHA is concerned that the costs for complying with the privacy rule could be staggering for hospitals, AHIMA hasn’t seen anything in its review that calls for a panic, Rode says. "There are a couple of things that need to be corrected and there are some things that need more explanation. But we haven’t found anything that would cause us to want to rescind [the rule] at this point."
AHIMA does have questions about whether all providers are considered to be covered entities under the final rule. "A covered entity on the provider side is defined as an organization that uses electronic transactions. It’s possible that some physicians [who do not use information this way] may not be considered a covered entity."
With this in mind, would a provider need an authorization before contacting one of these physicians regarding a patient’s treatment, Rode asks. "It appears that when [HHS] wrote this, they presumed that all providers were covered entities. That may not be the case."
The Secretary of HHS could correct a lot of these problems within the first year these rules are out, according to HIPAA, Rode says. Legislation is also needed to fill in several gaps in the legislation, he adds. For example, information exchanged in regard to workers’ compensation claims has no restriction.
The challenges providers face from these privacy regulations will depend on the size of the organization, Rode says. "We also don’t have the security regulation in front of us, which is the other foot on this giant. It may have some obstacles, as well."
Providers’ privacy teams need to analyze the regulations themselves to see where their practices fit the requirements of the rule, Rode says. "Look at consents and authorizations. See whether some of what is being handled now on a non-consent basis has an authorization, and look at fundraising and marketing materials to see if they comply with the rule."
Institutions that have a wide-open practice for medical records within their own staff are now going to be required to classify personnel and determine who has access to what and when, Rode explains. "For larger institutions, that is going to take some time."
Institutions are also going to have to look at their business associate situations and determine what contractual language will need to be changed. "They may have to bring in legal counsel to determine whether they are or are not a covered entity under certain circumstances and whether their business associates are," he says.
Some providers already have software in place to track the release of information. Most institutions, however, have yet to conduct training on the issues of privacy, nor have they written policies and procedures to address them, Rode says.
Rode says he expects that state hospital associations and respective parties within the state governments will be comparing the federal regulations against state law. "If there are concerns, they can address them through the state [representatives] to determine which would take precedent or decide if the state should ask for an exception."
Providers and health plans may also benefit from discussing the extent to which they should share information, Rode says. "The rule says the health plan gets to decide that issue, but at the same time the onus is on the health plan to provide a rationale as to why they need information above and beyond what is included in the transaction."
Hospitals and physician offices have an advantage over health plans in implementing the final regulations, Rode says. "Hospitals have addressed many of these issues in their release-of-information practices and their health information management practices. Their medical records departments in many cases already have a privacy officer who overlooks this kind of activity. For most physician offices, this is a containable, sizable kind of activity and probably can be handled quickly once the offices understand the rules."
Health plans, however, will need more analysis and planning, mainly because they haven’t had a medical records function, he explains. "They are going to have to take a look at their protected health information and determine what controls they are going to need. For many of these groups that is going to be a fairly large challenge because they haven’t had the expertise."
Health care institutions should also prepare for public reaction once the regulations take effect and become publicized, Rode says. He anticipates an increase in the number of patients who request access to their records and who have questions about the rule for their providers and insurers.
"Since many states have not had a law allowing access to medical records, providers may have an initial volume [of people requesting access,]" he says. "That certainly is going to affect institutions." That volume should diminish, he predicts, ultimately becoming no more of an issue than it is currently.
Then there is the question of how the rule will be policed. "The federal government has no funding for the Office of Civil Rights to do much with this," Rode says. The enforcement issue will have to be examined in the coming year, with the Office of the Inspector General’s office having some involvement too.
Until enforcement becomes more of a reality, Rode expects that most action on the rule will be taken on a complaint-by-complaint basis. "We will still be talking about the exception rather than the rule. Providers will have to look at it from that perspective, as well."