Many health care groups, such as the Chicago-based American Hospital Association and American Medical Association, have rallied for changes in the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, saying it is flawed and burdensome. But one survey shows that many individual health care professionals and managers wanted the rule to remain as written.
The survey was conducted in March by Phoenix Health Systems, a Washington, DC-based health care information systems consulting firm, for its newsletter HIPAAlert. The survey received responses from 517 senior managers, chief information officers, department managers, compliance and security managers, physicians, and other professionals from hospitals, insurance companies, health maintenance organizations, claims clearinghouses, medical practices, and vendors.
The survey addressed the contentious issues in the HIPAA privacy rule. Participants were asked to say whether they felt specific provisions should be removed, loosened, remain (stay the same), or be stricter. Across the board, the overwhelming pattern of response to the survey was in support of the privacy rule as written, the survey says. No pattern emerged to suggest that people from one part of the health care environment consistently had a different bias from those in other industry segments. (For reaction to the Bush administration’s decision to implement the privacy rule, see "Get used to it: HIPAA privacy regulations are here to stay," in this issue.)
Here are some of the respondents’ opinions about the rule’s provisions:
• "Consent and Authorization" rule: Patient health information may not be used unless authorized. Sixty-four percent of respondents agreed with this rule. In one of the few exceptions to the survey’s trend of agreement with the privacy rule, 75% of payers wanted this provision removed completely.
• Use and disclosure of patient data is allowed without authorization for medical research, law enforcement, and other public needs. More than half of respondents agreed with this provision. However, 56% of respondents said the provision allowing limited use of patient data for fundraising should be stricter; only 34% agreed with it as written.
• Consent is required for use of patient data for reasons such as treatment and health care operations. Sixty-three percent of respondents agreed; 17% wanted this rule loosened.
• Only the "minimum necessary" disclosure of health information is allowed, even when authorized. Sixty-three percent of hospital staff and 59% overall agreed this provision should remain as is.
• Patients have the right to inspect health data used to make decisions about them. Sixty-nine percent of all respondents agreed this rule should remain the same; 82% of providers agreed.
• State laws that are stricter should pre-empt HIPAA. Fifty-three percent of participants agreed with this rule; 40% said HIPAA should always pre-empt the state laws.
• The privacy rule applies to all individual patient data, whether electronic, paper, oral, or other. Seventy percent of all respondents believed this provision should remain as written.
• Business associate agreements are required. Sixty-four percent of all respondents supported the general provision requiring such agreements. However, just under half (48%) agreed that they should be held responsible for addressing business associates’ violations if aware of them, with 22% suggesting that the latter requirement be loosened.
• Patients have no right to sue under HIPAA. The majority (66%) agreed with this provision; the remainder felt the opposite.
The survey also found that 57% of respondents said the Department of Health and Human Services’ estimate of a $3.8 billion price tag for privacy compliance is too low. Ten percent said it’s about right. Six percent said it’s too high, and 27% said they didn’t know.