November 2004


Legislative Watch

By George G. Olsen, JD



One Year Later

A look at HIPAA a year after the implementation of the privacy rule.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) directed the Secretary of Health and Human Services (HHS) to develop and implement federal regulations to protect the confidentiality of an individual's health information. After an extremely long rule-making process, HHS issued a very complex rule to ensure the confidentiality of medical records and, in so doing, imposed extensive new responsibilities for health care providers, health plans, and other entities to protect such information.

April 14, 2004 was the first anniversary of the date by which most covered entities were required to be in compliance with the privacy rule.

FIRST YEAR EXPERIENCE
In September 2004, the GAO issued a report entitled "Health Information: First-Year Experiences under the Federal Privacy Rule" (available at: www.gao.gov). The purpose of the report was to "determine how different groups have fared under the new regulation."

The GAO interviewed representatives of 23 national organizations representing health care consumers, providers, health plans, state officials, public health agencies, researchers, privacy professionals, and a health care accrediting organization. The GAO also discussed the rule with the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), and the HHS Office of Civil Rights (OCR), which is charged with enforcing the privacy rule. As a general proposition, GAO stated that:

Organizations representing providers and health plans told us that implementation of the Privacy Rule went more smoothly than expected during the first year. In addition, they reported that initial confusion has diminished and new privacy procedures have become routine for their members' staff.

The organizations did identify two provisions of the privacy rule that have caused problems because they are "unnecessarily burdensome."

One of these provisions is the requirement that, upon request, health care providers, health plans, and health care clearinghouses ("covered entities") must furnish individuals with an accounting of any disclosures of their protected health information made in the preceding 6 years. This provision covers most disclosures other than for treatment, payment, or operations purposes.

The privacy rule specifies that the accounting must include the date of each disclosure, the name and address of the person to whom the disclosure was made, a description of the information, and a statement of the purpose of the disclosure.

Providers and health plans argue that the accounting requirement consumes "significant time and resources" because protected health information may be maintained and disclosed from multiple systems within the same entity. These systems must be electronically linked or tracked manually to ensure that all disclosures are identified and included in any requested accounting. The providers and plans also described the large volume and variety of disclosures that must be tracked for purposes of the accounting requirement. By way of example, the GAO report cited information from the Minnesota Department of Public Health, which identified "over 50 state statutes in which health information may or must be released to specific state or legal organizations, such as health departments, health licensing boards, and schools."

Despite the considerable resources that plans, providers, and clearinghouses must expend for disclosure tracking and accounting systems, they report that they receive "few or no" requests from patients for an accounting of the disclosures of their protected health information.

Given the burdensomeness and costs associated with complying with the accounting provision, the GAO recommended that the Secretary of HHS modify the privacy rule to (1) require that patients be informed in the notice of privacy practices that their information will be disclosed to public health authorities when required by law and (2) exempt such public health disclosures from the accounting-for-disclosures provision.

In response to this recommendation, HHS said that it had considered adopting a similar provision when it modified the privacy rule in August 2002, but ultimately decided not to do so pending further experience with the provision. HHS will continue to monitor this aspect of the rule to ascertain whether a change may be beneficial.

BUSINESS ASSOCIATES
The second problematical provision is the requirement that providers, plans, and clearinghouses must enter a written agreement with any "business associates" with which they share protected health information. Within the meaning of the privacy rule, "business associates" perform various functions for the covered entity, which involve the use of individually identifiable health information (eg, benefit management and claims processing). The contract must specify safeguards for medical information and authorize penalties (including termination) for violation of the privacy protections.

Organizations reported to the GAO that there is a great deal of uncertainty about which relationships with downstream entities require written business associate agreements. They cite the "broad language" of the business associates provision and the absence of adequate guidance from the OCR as primary causes of the lack of certitude. In addition, plans and providers have expended substantial manpower, legal, and financial resources developing and negotiating agreements that comply with the privacy rule.

The GAO did not make any specific recommendations concerning business associate agreements. Instead, the report observed that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) "was able to successfully avoid these types of problems by including a standard business associate agreement as an addendum to applications for health care accreditation." By contrast, the report notes, providers individually negotiating with business associates "do not have similar leverage to compel the use of their particular agreements."

The GAO stated that organizations representing providers and health plans believe that the OCR should issue additional guidance about business associate agreements. However, the GAO stopped short of recommending this action.

OVERCOMING OBSTACLES
State public health organizations advised the GAO that their access to patient health information has been impeded by the privacy rule because it deters providers from reporting such data to public health officials. The report cites a survey by the Council of State and Territorial Epidemiologists of 40 state and local programs designed to detect early signs of an epidemic, which found that three programs had encountered "substantial" difficulties and 10 experienced "some" problems securing health information from providers because of the privacy rule.

Similarly, the Centers for Disease Control and Prevention advised GAO that it had faced "obstacles to its surveillance of mental health disabilities." In an effort to address these problems, state and federal agencies have pursued changes in state law and improvements in the data collection process, and targeted education about the privacy rule.

For example, Massachusetts, Kentucky, and North Dakota clarified their laws to specify when reports may be made to public health agencies without authorization from the patient, make certain reporting mandatory, and make state laws more consistent with the dictates of the privacy rule.

Research organizations such as the Association of Clinical Research Organizations, the National Cancer Advisory Board, and the Association of American Medical Colleges informed the GAO that access to data for research has been delayed or obstructed by the disparate responses that providers make to requests for health information under the privacy rule. They contend that in several instances, research studies involving multiple care sites have been slowed because of the rule.

Researchers also believe that perceived conflicts between the privacy rule and the Common Rule (the federal regulation governing the protection of human subjects in research) have exacerbated the problem. The organizations representing researchers recommended additional assistance from the OCR through formal revisions in the rule and federal guidance documents.

Patient advocates contend that they have had difficulty obtaining protected health information on behalf of their patients as a result of the privacy rule. They told GAO that their access is compromised by "excessive paperwork, misunderstanding of the rule, and reluctance by providers and health plans to share information with legal aid attorneys, state ombudsmen, and others when the rule permits discretion." In a similar vein, groups such as America's Health Insurance Plans (AHIP) and Blue Cross Blue Shield Association (BCBSA) reported that some health plans are "confused about how to implement the Privacy Rule's provisions for releasing information to families and friends of patients to assist in their care."

Even when the rule permits a plan to exercise discretion in releasing data to such persons, concern about the rule has caused many plans to take a conservative approach to patient authorization requirements, "requiring any adult calling on behalf of another adult to obtain an authorization form signed by the patient." Such a strict reading of the rule resulted in one health plan mandating 10,000 patient authorizations in the first year of the rule. Some long-term care facilities have pursued a similar tack by not disclosing information to family members of a nursing home resident unless they have an authorization from the patient.

CONCLUSIONS
The GAO concluded that the first year of the privacy rule "went more smoothly than expected" and that new privacy procedures have become "routine" at many providers and health plans. Nevertheless, several problems have been exposed by implementation of the rule, which HHS is seeking to rectify.

George G. Olsen, JD, is a partner of the firm Williams & Jensen, PC, Washington, DC. He is also legal counsel for the National Association of Rehabilitation Agencies and Providers.

Copyright © 2008 Ascend Media LLC | Rehab Management | All Rights Reserved.