HIPAA Regulatory Alert

Two HIPAA privacy provisions ‘unnecessarily burdensome’

GAO report gauges provider reaction to privacy rule

A survey of providers, health plans, patient representatives, and others conducted by Congress’ General Accounting Office (GAO) found providers and health plans believe that implementation of the HIPAA privacy rule went more smoothly than expected in its first year, but that two provisions of the rule are unnecessarily burdensome.

The providers and health plans raised issues about the requirements to account for certain information disclosures and to develop agreements with business associates that extend privacy protection downstream. Consumer and provider representatives said the general public is not well informed about rights under the privacy rule, and more structured educational efforts are needed.

The GAO contended some evidence of patients’ lack of understanding of the rule’s scope and provisions may be reflected in the 5,648 complaints filed with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in the first year after the privacy rule became effective. Of the roughly 2,700 complaint cases OCR closed as of April 13, 2004, GAO said, nearly two-thirds fell outside the privacy rule’s scope because they involved either accusations of actions not prohibited by the regulation, entities that are not covered under the regulation, or actions that occurred before covered entities were required to be compliant. Of the cases that were covered by the rule, OCR found that in 50%, no violation had occurred.

According to the GAO, provider groups stated that some physicians and hospitals remain unclear about what type of information may be disclosed for law enforcement purposes. Also, health plan representatives reported ongoing difficulties associated with knowing what state laws take precedence over the privacy rule.

The GAO said most provider and health plan organizations interviewed identified the requirement to account for certain disclosures as unnecessarily burdensome. The organizations reported that significant time and resources are needed to establish and maintain systems to track disclosures.

For example, various hospital departments keep patient information in separate systems not necessarily linked electronically. According to the Health Care Compliance Association, hospitals have had to review systems to establish electronic links or have had to create manual-tracking mechanisms. Similarly, health plan representatives reported many plans or insurers generally keep information related to one patient in multiple systems, making it difficult to track all information disclosures for that patient.

Provider and health plan representatives also expressed concern about the volume of disclosures that must be tracked, commenting that frequent, diverse disclosures required by law add significantly to the volume of information that must be tracked continually.

Many organizations GAO interviewed questioned whether the privacy rule accounting provision generates much benefit for patients. These organizations reported that their members have received few or no requests from patients for an accounting of the disclosures of their protected health information.

To somewhat reduce the burden of the requirement to account for disclosures, several organizations suggested that OCR modify the rule to require covered entities to inform patients in the privacy practices notice that when required by law, their information will be disclosed to public health organizations and law enforcement agencies.

The GAO said provider and health plan representatives reported that significant resources also have been required to implement business associate agreements. The organizations said that some of the burden associated with implementing the provision stemmed from confusion and variation in determining which relationships with downstream entities require agreements.

Although the privacy rule provided for phased-in implementation of business associate agreement requirements to accommodate existing contracts, provider and health plan groups still viewed the business associate agreement provision as very burdensome, the GAO said.

Some organizations representing providers and health plans suggested that OCR provide more guidance to covered entities about when and how to enter into a business associate agreement. The organizations said OCR’s existing guidance is not specific enough to assist providers and health plans with their agreements.

Patient advocates reported facing new obstacles when seeking access to protected health information on behalf of patients due to excessive paperwork, misunderstanding of the rule, and reluctance by providers and health plans to share information with legal aid attorneys, state ombudsmen, and others when the rule permits discretion.

Many organizations said patients are not aware of their rights under the privacy rule, either because they don’t understand the notice of privacy practices or because they have not focused attention on privacy issues when notices are presented to them. In its conclusion, the GAO recommended that the secretary of HHS:

  • modify the privacy rule to require that patients be informed in the notice of privacy practices that their information will be disclosed to public health authorities when required by law and exempt such public health disclosures from the accounting for disclosures provision;
  • conduct a public information campaign to improve awareness of patients’ rights under the privacy rule.

In written comments, the GAO said, the department agreed with the finding that implementation went more smoothly than expected and privacy procedures have become routine practice for many staffs.

In commenting on a recommendation that it conduct a public information campaign to improve awareness of patients’ rights under the privacy rule, the agency agreed notices of privacy practices may appear too long and complicated and consumers may not be reading the notices closely. HHS said that the complaint data received by OCR may not indicate consumers are unaware of their rights under the rule, but rather that they don’t properly understand their rights. HHS pointed to two new consumer fact sheets posted to its web site last August, a toll-free phone line to respond to questions about the rule, and efforts to encourage covered entities to develop consumer-friendly notices that highlight key information.

The GAO said a more diverse approach to consumer outreach may be necessary to effectively communicate the new privacy rights. Information available on the web site and through a toll-free phone line provides access to a portion of the general public, it added, but may not reach the many consumers who don’t know of those sources. "We believe it is important that, in current and future efforts to educate the public, HHS more effectively disseminate information about protections provided under the privacy rule," the GAO said.

(Download the GAO report at www.gao.gov/cgi-bin/getrpt?GAO-04-965.)