HHS privacy chief expects HIPAA security rule before 2002

Official says the final HIPAA security regulations probably won’t address electronic signatures

Hospitals and other health care providers can expect to see the final regulation for the security portion of the Health Insurance Portability and Accountability Act (HIPAA) before the end of 2001, according to Bill Braithwaite, a senior advisor at the Department of Health and Human Services (HHS).

"I truly believe that the final rule for security will be out before the end of this year," predicts Braithwaite, who, after playing a major role in the development of privacy and security regulations, plans to depart HHS soon for a position with PricewaterhouseCoopers.

The security regulation probably will not include a rule about electronic signatures, he told the Third Annual HIPAA Summit in Washington, DC, on Oct. 25. "The feedback that we are still getting from the industry is that the consensus standard for the health care industry about electronic signatures is not there yet."

Many ideas are being promoted, Braithwaite adds. But he says that if a proposed approach is not interoperable with other implementations by other companies and other mechanisms, it is not going to work as a consistent standard across health care.

According to Centers for Medicare and Medicaid Services (CMS) Deputy Administrator Reuben King-Shaw, there was much debate at HHS and CMS over whether to release the rules, standards, and code sets as a package or as a series. While most providers would prefer a package, that is not likely to ever happen, he says.

Braithwaite acknowledges that there is a gap between the time providers are required to comply with the transaction standard and the time they must comply with the privacy standard. "But that’s the way it goes," he says. "There will always be gaps, hopefully small ones, between these various rules."

According to Braithwaite, HHS lacks the resources to do everything all at once.

Rather, the agency is trying to group things in such a way that when providers implement one rule, there is enough information in the standard or elsewhere that implementation is not drastically affected by the next rule that comes out, Braithwaite says.

"You won’t have to go back and totally re-engineer and rewrite what you did to implement the first rule," he says. "That’s the philosophy," he adds. "I hope we get it right."

Braithwaite also warns against taking any false hope from bills in Congress that would delay certain portions of the HIPAA rules. "You must approach this as if the delay is not going to happen," he warns. "Congress has a lot more on its mind right now than giving you a couple of months or years to delay what you do about administrative simplification."

According to Braithwaite, further delay will only divide the health care industry into those people who already have invested money and those who waited. "We would be saying that the people who took a head start now have to pay the price for those people who waited."

He also argues that HIPAA requirements will be implemented in "a reasonable" fashion. "It is not a technical requirement for you to build soundproof booths so that you can talk to patients without the fear of being overheard," he explains.

"The basic idea is that for security to work, you must have not only the technology, but the behavioral safeguards, the institutional commitment of the administration and people, and training must be in place, or it does not matter what technical security you have in place," says Braithwaite. "It is worthless."

He says that’s why the emphasis in the final security rule will be on the policies and procedures that support whatever technology is deemed appropriate.

Braithwaite says that in several instances hospitals have implemented major new hospital information systems, but when doctors objected that the systems slowed things down, information technology personnel turned off security features to speed them up.

"There is no excuse for that anymore," he argues. "The security technology is there in almost every environment now," he explains. "What we need is the commitment, the philosophical and administrative policies, and procedures to back it up."

Braithwaite says he also fields many questions about the enforcement rule.

He notes that the law does not require HHS to produce such a rule, but says that HHS thinks it is "a good idea" because it will inform providers about the process HHS will be using. The agency has yet to decide which organization will handle this, he adds.

"We still have a little work to do before we can write and release this," he says, adding that he expects it will come out next year, sometime before the October 2002 effective date for the transaction rule.