Preparing to implement the federal privacy regulation, issued late last year by the Department of Health and Human Services (HHS), is an ongoing concern for access managers and their organizations. Various affected parties continue to weigh in with their perspectives on the final rule for what was dubbed the "Standards for Privacy of Individually Identifiable Health Information." (See "Sample position description: Privacy Officer," in this issue.)
Taking some of those perspectives into account is a report by the General Accounting Office (GAO), requested by the Senate Health, Education, Labor, and Pensions (HELP) Committee. It focused on these two issues:
According to the report, there is a great deal of concern with the breadth and complexity of the regulation coupled with uncertainty about how organizations must comply. For example, HHS noted "the regulation establishes the privacy safeguard standards that covered entities must meet, but it leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity."
Following are highlights of some key areas of concern identified in the GAO report, Making Patient Privacy a Reality: Does the Final HHS Regulation Get the Job Done? as summarized on the Web site of the National Association of Healthcare Access Management.
Several patient advocacy groups are concerned that the regulation permits physicians, hospitals, and other covered entities to market commercial products and services to patients without their authorization. While patients have the right to request restrictions on certain disclosures, providers are not required to accept such requests.
The American Medical Association (AMA) questioned why providers are required to obtain patient consent to disclose personal health information for all routine uses, but this standard is not applied to health plans. While the AMA supports this requirement on providers, it believes it should be extended to health plans, which often use identifiable information for quality assurance, quality improvement projects, and utilization management, to name a few.
Several groups raised questions about the implementation of the consent requirement. For example, pharmacists are worried about the difficulties in obtaining written consent prior to treatment (filling a prescription for the first time), if it is called in by a physician and picked up by a family member or friend.
Research organizations have concerns with several privacy-specific criteria added by the regulation, which they believe are too subjective. For example, an institutional review board must determine whether the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the value of the research involved.
The regulation acts as a federal floor, which is superseded by state laws that are more stringent. Therefore, the regulation may pre-empt some, but not all, state laws. This could prove cumbersome for covered entities, particularly those that operate in more than one state. While patient groups are pleased that states have the option to enact stronger privacy laws — and many feel states will begin to take such action — provider organizations would prefer uniform standards that eliminate the state-by-state variations, according to the GAO report.
Complicating the issue further, HHS does not intend to provide technical assistance regarding state pre-emption issues, thus requiring covered entities to perform their own analysis.
Many of the groups interviewed for the report questioned whether the HHS Office of Civil Rights is equipped to assist entities in implementing the regulation. The office is currently understaffed for the task at hand and has yet to release its strategic plan for moving forward. Further, the majority of covered entities, with the exception of small health plans, are required to be compliant with the regulation by Feb. 26, 2003. (Editor’s note: Due to a bureaucratic foul-up, officials apparently failed to transmit the final regulation to Capitol Hill in late December, which has necessitated extending that deadline to April 14, 2003.) Many feel this is an unrealistic time frame that may need to be extended.
In general, members of the Senate HELP Committee agreed this is a critically important issue that must be addressed. Republicans questioned the cost and complexity of the regulations and whether two years is adequate for covered entities to put the necessary systems in place to be compliant. Democrats, on the other hand, felt the regulation was a good first step, but that more must be done to provide patients with additional protections. This issue will likely remain on the Congressional radar screen over the next several months as more information becomes available on implementation from HHS and more organizations have time to digest the more than 1,500 pages in the regulation.
The American Hospital Association (AHA), meanwhile, has issued model consent and notice forms to help hospitals comply with the privacy regulations mandated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The forms were attached to a regulatory advisory on HIPAA-mandated privacy practices by the AHA, which has requested a delay in implementation of the regulation.
The AHA’s model notice requires eight pages to inform hospital patients of their privacy rights. To see the advisory and model forms, go to www.aha.org.