HIPAA Regulations Adopted But Remain Controversial
April 16, 2001 Update
U.S. Health and Human Services Secretary Tommy Thompson announced that the proposed privacy rules under HIPAA would take effect as scheduled last Thursday. The rules have become rather controversial in some respects, and Secretary Thompson indicated that he expected changes over time. April 15, 2003 is the deadline for industry compliance.
April 4, 2001 Update
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 as a health insurance regulatory act. However, over the past 3 years legislators have been creating privacy regulations relating to medical records and medical information, which will be incorporated under HIPAA. The privacy regulation section was originally supposed to be in effect in February 2001, but due to a failure to follow the proper review and comment procedures the effective date has been moved to April 14, 2001.
The other side of this regulation is that, although it is a federal regulation, there is a provision that if a state privacy law is more stringent, then that state law will override HIPAA. Therefore health providers must be aware of both the state laws and HIPAA in order to determine which is stricter under which sections.
For the past month, certain sections of the privacy regulations have been under attack during the review and comment period. Those sections are discussed below.
PATIENT CONSENT
The first section under attack is the section that deals with patient consent. Under that section, health care providers must receive written consent from the patient in order to disclose the patient's health care information for treatment, payment, and health care operations. It is argued that if this section is approved, doctors' offices will be restricted in their activities of setting appointments, discussing treatment with the patient over the phone, and other daily activities until they have written consent from every patient on file. The consent issue also becomes a problem when it relates to pharmacies. In many instances someone other than the patient picks up the prescription, and unless a written consent is on file stating the names of those persons who may pick up the prescription, the pharmacy will not be able to release it.
On the other hand, those in support of this provision maintain that patient trust and confidence will grow because the patient knows that his privacy is being protected from the first visit.
MINIMUM NECESSARY
Under this section, covered entities are asked to disclose only the "minimum necessary" when discussing health information with health insurers and third parties. In other words, this section excludes limits and requests and may potentially limit the use of a complete medical record for patient treatment. It is argued that this is contrary to the goal of treatment and that it will cause more errors in diagnoses. On the other hand, this writer has been told by mental health professionals that they no longer feel free to take thorough notes as a matter of protecting patient privacy. So the quality of health care argument is being used both ways.
The review and comment period ended on March 30, 2001. It is now to be decided whether the April 14th date will take effect or whether Health and Human Services decides to tweak the regulations further. If the April 14th date does take effect, then all of the parties covered under these provisions (doctors, health insurers, hospitals, etc.) have two years to comply without being charged any fines.
January 9, 2001 (Original Story)
One of the most controversial areas in the privacy arena has been the issue of personal health information. While Congress is still grappling with the idea of how to handle Net taxes and privacy in the information world, the Health and Human Services department, with the assistance of President Clinton, has finalized some privacy standards in the forum of Health Care. The recently released standards are designed to protect the privacy of personal health information for all patients. Specifically, these rules protect the information that is kept on medical records, which are no longer just the paper chart file kept in the doctor’s office, but also include any electronic format of a patient’s medical record.
These standards are enforced under HIPAA, and those affected by the standards include health care plan providers, online pharmacies, and online websites that deal with health care transmittals electronically. Essentially it deals with anyone who is transmitting health care information electronically. However, the protections are not limited to electronic format only but also extend to all personal health information that was orally communicated and to paper records that have not been converted into electronic form. Additionally, the standards do not allow employers who subscribe to an ERISA health plan to use personal health information to make employment decisions. Apparently in some of the ERISA plans no barrier exists between the employer that manages the plan and the part of the company that awards promotions and makes hiring decisions. These privacy standards will require companies to create a barrier between those departments. One of the final adoptions to these standards is that consent will be needed before a patient’s health information is given out for both conventional and non-conventional disclosures.
IT administrators for large health institutions, such as hospitals, expect HIPAA compliance to become a major undertaking, perhaps rivaling Y2K in scope.