Politech mailing list archives

FC: HIPAA online survey says privacy rule should remain as-is


From: Declan McCullagh <declan () well com>
Date: Wed, 28 Mar 2001 21:11:56 -0500


********

From: "D'Arcy Guerin Gue" <daggue () phoenixhealth com>
To: <declan () well com>
Subject: HIPAA Privacy Survey
Date: Tue, 27 Mar 2001 16:30:30 -0600

Hello Declan -- We do a lot of work related to HIPAA, and have directly and
actively supported efforts by NCVHS, WEDI, AFEHCT, and associations to
further privacy and information security in healthcare.  You may have heard
of our free services to the healthcare industry: HIPAAlert (our email
newsletter with 10000+ subscribers), HIPAAlive -- our extraordinarily active
discussion listserv, and our web resource HIPAAdvisory.com (largest HIPAA
resource site anywhere.)

Anyway, I am a longtime subscriber to politechbot -- and a "fan".  I thought
you might like to know about an online survey we just completed of those
"in-the-trenches" of hospitals, payer organizations, vendors,
clearinghouses, medical practices, etc -- to determine what they, as
individuals, really think of the hotly disputed HIPAA Privacy Rule.  As you
know, the associations, lobbyists and other power organizations have put
great pressures on the new administration -- who seems sympathetic -- to slow
down or stop the Privacy Rule, which was finalized in December. We noticed
that one never hears from actual healthcare professionals and managers,
except on conference floors and in listservs -- on the pro's and con's of
the Rule's provisions.  Certainly, these folks would have difficulty making
"private" comments to DHHS in the current renewed "Comment Period," --
especially if their personal opinions don't represent those of their
organizations' boards.

We ran the survey online over the last 10 days -- receiving 517 responses.
As a summary, the majority of respondents clearly expressed their belief
that the Privacy Rule should remain, as-is. Obviously, responses to specific
questions provide nuances and implications that should be considered when
reviewing the whole.

I'm attaching a copy of the survey's results; if you are interested in
passing them along to your readers, you are welcome to!  The "short" version
is included in yesterday's HIPAAlert, which is what you're getting -- there
is a link from it to a more comprehensive version.

Thanks
D'Arcy Guerin Gue
Sr. VP, Business Development
Phoenix Health Systems
9200 Wightman Rd, Suite 400
Montgomery Village, MD 20886
daggue () phoenixhealth com

************

=================================================================

H I P A A L E R T           Volume 2 No. 6        March 26, 2001

>> From Phoenix Health Systems...HIPAA Knowledge...HIPAA Solutions <<
                > Healthcare IT Consulting & Outsourcing <

=================================================================

HIPAAlert is published monthly in support of the healthcare
industry's efforts to work together towards HIPAA security
and privacy. Direct subscribers total 10,500+!

Do you have interested associates? They can subscribe free at:
http://www.hipaadvisory.com/alert/

IF YOU LIKE HIPAALERT, YOU'LL LOVE HIPAADVISORY.COM! --
Phoenix' comprehensive "HIPAA hub of the Internet," per Modern
Healthcare magazine. Visit: http://www.hipaadvisory.com

=================================================================

T H I S  I S S U E

1. From the Editors: Our "Make A Difference" Privacy Issue
2. HIPAAlert's In-The-Trenches Privacy Survey Results
3. Feature Article: What is Happening to Health Privacy?
4. HIPAAnews: Privacy Rule Reactions - Everywhere!
5. HIPAAdvisor: The Comment Period's Impact


=================================================================

1 /   F R O M  T H E  E D I T O R S:

We wouldn't want to be sorting through Tommy Thompson's mail
lately.  Seems like everyone is registering last-minute concerns
regarding HIPAA Privacy.  Congressmen, WEDI, AHA, the Blues,
AHIMA... you!

The reaction to our privacy survey was immediate and resounding.
In just 2 weeks, over 500 members of the industry spoke up about
HIPAA Privacy.  See the eye-opening results below.

With so many rumors and news-bytes out there, we decided it
was time to put together an overall perspective on the status of
the HIPAA Privacy Rule. D'Arcy Guerin Gue and Roy Rada have
burned some midnight oil to analyze HIPAA Privacy today in an
extended feature article - what is happening, what are the
issues, who are the players, how we got here, and where the
Privacy Rule may be going.

See HIPAAnews for an up-to-the-minute, very Privacy-oriented
news update -- then, don't miss HIPAAdvisor: this  month,
our legal perspective on the meaning and potential
implications of the renewed Privacy comment period.

This issue is a lot to read -- but we think you'll
find it's worth it!


Diane Boettcher, Editor
dboettcher () phoenixhealth com

D'Arcy Guerin Gue, Publisher
daggue () phoenixhealth com

=================================================================

2 / HIPAA Privacy Survey

Healthcare Industry Privacy Survey Results:

Healthcare Execs and Staff Say: "Keep the Privacy Rule As-Is!"

Until now, the new administration and the media have heard mostly
from the big healthcare industry organizations on the pro's
and con's of the HIPAA Privacy Rule. The AHA, AMA, Blue
Cross Blue Shield and others have registered mostly "cons" --
claiming the Rule is "too burdensome," "unaffordable," "unrealistic"
-- and this has created a national political furor.

How do individual healthcare professionals and managers
feel about the HIPAA Privacy rule? Given the opportunity to
personally comment on the new Privacy provisions, how would
those in the hospital and payer trenches -- those who are responsible
for actually implementing and managing the Rule -- assess its
value and practicability? In a one-of-a-kind online national survey
taken over two weeks in March, Phoenix Health Systems' industry
newsletter HIPAAlert found out.

Overwhelmingly, healthcare industry executives, managers and
professionals want the Privacy Rule -- and they want it as-is.

The survey, posted in early March at www.HIPAAdvisory.com and
announced by HIPAAlert, received responses from 517 Senior
Managers, CIO's, Department Managers, Compliance and Security
Managers, physicians, and other professionals from hospitals,
insurance companies, HMO's, claims clearinghouses, medical
practices, and vendors.

Following is a summary of results:

The survey addressed the contentious issues in the HIPAA
Privacy Rule. Participants were asked to say whether they felt
specific provisions should be removed, loosened, remain
(stay the same), or be stricter.

Across questions, across institutional affiliations, and across
their roles in healthcare -- the overwhelming pattern of
response to the survey was in support of the Privacy rule as
written. No pattern emerged to suggest that people from one
part of the healthcare environment consistently had a different
bias than those in other industry segments.

A sampling of results:

 >  "Consent and Authorization" rule: patient health information
may not be used unless authorized -- 64% of respondents agreed.
In one of the few exceptions to the survey's trend of agreement
with the Privacy rule, 75% of payers wanted this provision removed
completely.

 >   Use and disclosure of patient data is allowed without
authorization, for medical research, law enforcement, other public
needs -- well over half of respondents agreed with this provision.
However, 56% of respondents felt the provision allowing limited
use of patient data for fundraising should be stricter; only
34% agreed with it as written.

 >  Consent is required for use of patient data for treatment,
healthcare operations, etc.-- 63% of respondents agreed, 17% wanted
this rule loosened.

 >  Only "minimum necessary" disclosure of health information is
allowed, even when authorized -- 63% of hospital staff and 59% overall
agreed this rule should remain as-is.

 >  Patients have the right to inspect health data used to make
decisions about them: 69% of all respondents agreed this rule should
remain the same; 82% of providers agreed.

 > State laws that are stricter should preempt HIPAA --
53% of participants agreed with this rule; 40% said that HIPAA
should always preempt the state laws.

 > Privacy Rule applies to all individual patient data, whether
electronic, paper, oral or other:  An overwhelming 70% of all
respondents believed this provision should remain as-is.

 >  Business Associate agreements -- 64% of all respondents
supported the general provision requiring such agreements. However,
just under half (48%) agreed that they should be held responsible
for addressing Business Associates' violations if  aware of them,
with 22% suggesting that the latter requirement be loosened.

 >  Patients have no right to sue under HIPAA  -- The majority
(66%) agreed with this provision; the remainder felt the opposite.

 >  57% of respondents felt DHHS' estimated $3.8 billion price
tag for Privacy compliance is too low. 10% said it's about right,
6% said it's too high -- 27% didn't know.

Nearly half of respondents passed on many personal comments:

..."The privacy rules for the most part are the right thing to do.
It is how I would want my information protected/shared"...

..."We do not disagree with the privacy protections of HIPAA.  Our
problems are with the cost of implementation, especially in a time
frame of 24 months"...

..."The issues covered in the Privacy rule are good, but (it) is
too complex and interpretation, at least at this point, is not clear
enough"...

..."The Privacy rule isn't perfect... however, the opposition by
major healthcare players  (AMA, AHA, Blues), all the comment periods
and "tweaking"... will do nothing to improve the privacy of
health information"...

...Finally, as one payer compliance manager wrote, "It's time to stop
complaining and just get on with implementing these regs."

For more detailed survey results and comments:
http://www.hipaadvisory.com/action/privacy/rulesurvey.htm

=================================================================
3 /  H I P A A r t i c l e:

What Is Happening to Health Privacy?

Co-authors:
Roy Rada, M.D., Ph.D.
University of Maryland, Baltimore County
Author of HIPAA@IT

D'Arcy Guerin Gue
Senior Vice President, Phoenix Health Systems
Publisher, HIPAAlert, HIPAAdvisory.com
--------------------------------------

In the last month, controversy over the HIPAA Privacy Rule hit new
highs -- or lows -- depending on how you look at it. As Congressional
opponents and proponents stepped onto the soapbox, we watched -

-------------------------------------

Congressional Opponents:

Senator Jim Jeffords, Chairman of the Committee on Health, Education,
Labor, and Pensions, announced he had asked the General Accounting
Office to interview health care organizations to determine the need for
additional legislation to change the Privacy regulations.  [Hmmm, we
already know that Jeffords knows what the healthcare organizations will
report: excessive costs.  It's in the news every day. So, why is
Jeffords requesting this new time-consuming effort?]

Senator Pat Roberts said he was "stunned and terribly worried" about
the rule. He cited Kansas hospitals struggling just to keep their doors
open who cannot be expected to cope with the new regulations.  [We find
ourselves wondering -- does he mean hospitals that are losing money are
entitled to be judged by lesser standards of privacy than hospitals
operating in the black?]

House Majority Leader Dick Armey complained that Privacy rule
Exceptions allowing access for law enforcement "may actually put
private personally identifiable information at greater risk than exists
today." He wants the Privacy Rule to be suspended pending a full
review.  [Our observation: All other existing privacy legislation
affords exceptions for law enforcement or like emergency government
involvement.  The healthcare Privacy Rule is no different. Why not tell
the whole story?]

Congressional Proponents:

Senator Christopher Dodd warned that voters would punish politicians
who weaken privacy protections.  [Really? How informed are voters about
the personal health privacy issues at stake? The national furor is all
about dollars and power -- the agendas of industry lobbyists -- rather
than the pros and cons of Privacy Rule provisions for individual
patients. Where are voters hearing that they must develop educated
opinions on this rule?]

Senator Hillary Clinton said the regulations need to be "more
stringent" and expressed concern about the possible release of patient
information for marketing purposes.  [Fly on the wall comment:  Does
the controversial new Senator really believe that she can help make the
rule stronger? Or is this a feint: her take on the age-old battle
strategy of taking the extreme position?]

Senator Ted Kennedy focused on the individual, contrasting the burden
of the family bread-winner who must find a new job because his employer
discovers something in his health information that the employer does
not like, against the burden for healthcare organizations in complying
with the regulations. [Despite the drama, Kennedy's comment exemplifies
an issue:  the power that an organization can have over an individual.
Do those opposed to the Privacy Rule believe that the employer is right
to make decisions about employees based on their health record?  Aren't
individuals entitled to keep their personal health information private,
separate from employer records?]

-------------------------------------

Profit Power Supplants People Power

When did this skirmish begin? A hundred years ago, record keeping about
individuals was limited.  Few individuals had insurance -- so, there
were no insurance files.  A patient's medical record typically existed
only in the doctor's memory.  There was little "security" because there
was little to secure.  Privacy was not an issue.

Now, people work for organizations that keep extensive records on them.
Insurance is the norm, and medical care is institutionalized.  Both
require the individual to divulge information.  Both usually keep some
evaluation of him based on his and others' input, and both are
increasingly automated to ease information access. Some security
measures have been implemented, but they are typically inconsistent and
inadequate.

As these records have supplanted face-to-face encounters, there has
been no compensating tendency to give the individual the kind of
control over the collection, use, and disclosure of information about
him that face-to-face encounters once enabled. This control or power
has moved to the organization. And organizations have strong profit
incentives to acquire and use protected health information.

As a result, the patient now faces major challenges in trying to
- know what information exists about him,
- correct errors that may exist in the information, or
- know how and by whom the information is being used.

The organization can use and disclose patient information in ways that
affect the patient's life.   The patient may or may not be told what
information led to what decisions.   As a result, the organization
comes to have power over the patient.   The patient's desire for
control over his or her own information offers a "balance of power."
Privacy is first and foremost about power.

Within our democratic way of life, individuals should be able to work
through the government to achieve a balance of control between their
own needs and the needs of organizations.

-------------------------------------

But, Is Privacy Abused?

Unfortunately, every day -- yes. There are many ways:

 - One is intrinsic to inadequate security and access to electronic
records. Remember the teenager who recently gained access to her health
worker parent's computer, found lists of patients and called to tell
them they had tested HIV-positive.

 - Another type of privacy abuse is breaches of confidentiality to a
third party -- as when Congresswoman Nydia Velasquez's psychiatric
records of attempted suicide were released to the media during her
election campaign.

 - A third category is plain carelessness, i.e., sending the wrong
insurance details to the wrong person.

 - A fourth type of abuse is secondary uses of medical information by
unrelated third parties -- such as selling private medical information
to drug companies who then contact individuals to sell them
"appropriate" drugs.

States have adopted a number of laws designed to improve security and
protect patients against the inappropriate use of health information.
But a review of these laws shows that these protections are uneven and
leave large gaps in their protection.  Also, some healthcare
organizations have taken their own steps to safeguard the privacy
through various security and privacy measures.  But they have been
hampered by the patchwork of incomplete and inconsistent State
regulations.

-------------------------------------

Was HIPAA a Political Accident?

Despite the complaints of opponents, the answer is no. HIPAA was
strongly supported and passed by a bi-partisan Congress in 1996.  How
did this happen?

Historically, the individual's struggle with the organization to
achieve privacy has been difficult to crystallize into regulations.
These matters are complex and their symptoms not easily visible. People
have been too "individual" to come together and mobilize against the
interests of large organizations.

In the 1980's, enormous concerns about rising healthcare costs added to
the complexity of the healthcare environment. To find ways to reduce
healthcare administrative costs, the 1991 Bush administration assembled
the Workgroup for Electronic Data Interchange (WEDI), with a star-
studded membership of executives largely from the health insurance
industry.  WEDI's mandate -- and strong interest -- was to reduce
administrative costs through standardization. However, it eventually
found it could not build the required private-public partnership it had
promised Bush.

In 1996, a bi-partisan Congress passed HIPAA with the intent of
improving healthcare portability and standardizing transactions, which
had by then become even more cumbersome and costly.  But the move to
reduce healthcare costs through easier, standardized transmission of
patient-identifiable medical details brought sobering political
observations about the attendant privacy risks. So, the bi-partisan
Congress passed HIPAA not only with "Administrative Simplification" of
transactions, but also with an over-riding mandate to ensure that
associated privacy vulnerabilities would be resolved.

As mandated, a final Transactions Rule was signed in August 2000; the
final Privacy Rule was announced in December 2000. A Security Rule has
been in the DHHS works for months, with intentions to publish it later
this year.

-------------------------------------

The Industry Adversaries: In This Corner, Weighing...

Opponents...

to the Privacy Rule  -- provider organizations and payers --have been
vocal since Congress and DHHS began their first attempts to frame it.
With the change to a more industry-sympathetic administration,
healthcare lobbyists representing hospitals, insurers, HMO's and
medical research companies are, ironically, spending hundreds of
thousands of dollars to persuade the government to delay, change, or
kill the regulations.  Their message is overwhelmingly about bottom
line profits: implementation presents a burden that will cost them
too much.

The American Medical Association has said that the rules "will increase
costs and paperwork for physicians without improving patient care." The
American Hospital Association says that time and resources required
would be better spent on direct patient care. Blue Cross Blue Shield
says the privacy rule will increase costs for organizations. [The fly on
the wall must ask -- might not patient care be enhanced, and patients'
and industry's costs decreased, with responsible standardization? And,
if better security measures were put in place, could we not improve
direct patient care by upgrading processes with a boundless new world
of sophisticated e-technologies that other, more security-savvy
industries are already embracing?]

Proponents

...of the Privacy rule within the industry are a different breed,
typically representing special interest groups, and having much less
lobbying money or power.  They include the Consumer Coalition for
Health Privacy and the Health Privacy Project at Georgetown University.
Janlori Goldman, the Health Privacy Project's Director, speaks widely
emphasizing that the rules meet a genuine patient need. The American
Health Information Management Association (AHIMA) has urged Secretary
Thompson in a letter to "stay the course" and not delay HIPAA Privacy.
Organizations like WEDI and Association for Electronic Health
Care Transactions (AFEHCT) have made similar appeals through their
industry newsletters and at industry conferences. Respected DHHS and other
government officials like Bill Braithwaite and Gary Claxton, who have
led efforts to work with the industry to develop realistic Privacy and
Security regulations, have publicly noted their dismay with the
recalcitrance of the healthcare industry. Shannah Koss, an expert on
health information technology at IBM, said: It will be incredibly
difficult for any politician to stand up and say, "I don't support the
public's right to health care privacy."

Neither IBM as a company, nor other big information technology vendors
that might be expected to speak for better security and patient privacy
have spoken up.  Apparently, they don't see this as being in their
business interests, at least for now.  These companies have large
clients in the healthcare industry.  Taking a public position for new
security and privacy practices might alienate the client (even though
vendors such as IBM already employ similar practices within their own
organizations).   Some vendors of healthcare information systems have
been told by their clients to provide HIPAA-compliant solutions at no
additional cost to the client.  This creates an unwanted cost for the
vendor.

-------------------------------------

Where Are the Patients?

We've heard from everyone in the healthcare environment except the
individual patient.  Does the patient want to speak on this matter?

Does the patient know about this matter?

The Privacy Rule is about the patient owning the medical record and
allowing the healthcare industry to use it.  In the Privacy Rule, and
not in standard practice before the Privacy Rule, is the model that the
patient has access to the complete medical record anytime the patient
wants -- not just access but a copy of the information and the right to
amend the information.  This opportunity for the patient could be
revolutionary.

In the typical situation today, the patient goes to the healthcare
provider, is examined, and is given some treatment.  The patient
understands little -- what happened, what information was important in
decision-making, what the issues facing the doctor were, why the
treatment may or may not work.  If the treatment doesn't work, the
patient returns to the doctor and the process repeats itself.

Might the patient contribute to this healthcare process?  The Internet
offers patients opportunities to create their own medical records and
to find healthcare professionals who will work with that medical
record.  It provides medical knowledge that can help them monitor,
understand and even address their health needs.  It allows access
through e-mail to healthcare practitioners, and other patients with
similar conditions. Patient knowledge and proactive, educated attention
to the health processes of life may significantly improve patient
health and reduce healthcare costs.

Today, if a patient asks for a copy of his medical record, he is often
told that this is the property of the clinic.  If the patient wants to
see another doctor, the new doctor will request and receive the
patient's records, but not the patient. The Privacy Rule would change
this situation by assuring the patient access to the patient's record.
Might such access lead to more people engaging in more effective
maintenance of their own health?

-------------------------------------

The Bush Administration: Headed Towards an Industry TKO?

George W. Bush's newly created administration appears emphatically in
favor of minimizing government regulation of business.  In its brief
life, the administration has already demonstrated a strong
identification with the interests of health insurers and providers, and
the business community overall.  DHHS' Secretary Tommy Thompson has
publicly said, "Privacy is an important issue" to the administration --
but has expanded upon this primarily by suggesting that the HIPAA
Privacy Rule might "hinder the health care industry" and be "so
burdensome that it interferes with access to health care".

The Transactions Rule remains widely supported within the industry, but
the accompanying rules for privacy and security may well be delayed by
the new administration.  If these delays occur, the standardization and
associated cost-savings of the Transactions Rule may also be delayed
because the Transactions Rule was to have been implemented with privacy
and security protections.

-------------------------------------

Bottom Line: Can We Pull Privacy Together?

The current political atmosphere suggests that the Privacy Rule could
be stalled by the Bush administration. DHHS Secretary Tommy Thompson
has initiated a renewed, 30-day "Comment Period" for the Privacy Rule,
ending March 30.  All those who may be affected or who care about the
issues at hand - healthcare provider entities, payer entities, special
interest organizations, individuals, hospital managers and staff,
physicians, nurses, other healthcare providers, vendors,
clearinghouses, consultants  -- will be heard, we've been told.

If you favor more delays in the rule, then you can thank the new
administration and the healthcare industry.  If you feel the Privacy
Rule should be implemented, you may now be perceived by the
administration as the political minority - but your comments have been
requested, will be recorded, and will be considered. If you feel the
Privacy Rule should become effective as scheduled -- but favor some
changes in it -- there is room in the process for consideration of
changes after the effective date.

The new Comment Period for the HIPAA Privacy Rule represents an
opportunity to be a significant part of a long and arduous American
evolution towards two seemingly disparate phenomena - information
automation and individual privacy.

Let's make the most of it.

=================================================================

4 /  H I P A A n e w s

  *** USA Today Editorial Supports HIPAA Privacy ***

USA Today, in a March 23rd editorial, attacked critics of the HIPAA
Privacy rule for spreading "bogus horror stories". While admitting
that the regulations could be improved, the editorial says that
critics are looking for ways to weaken the regulations.

The editorial is in reaction to recent lobbying efforts by industry
groups to delay or rewrite the HIPAA Privacy rule that was published in
December 2000.

For more information, go to:
http://www.hipaadvisory.com/news/index.htm#usa0322



  *** House Subcommittee Holds Hearing on HIPAA Privacy ***

Industry representatives continued their calls for changes to the HIPAA
Privacy rule during a House Energy and Commerce Health Subcommittee
hearing entitled, "Assessing HIPAA: How Federal Medical Record Privacy
Regulations Can Be Improved."

Held on March 22, 2001, the hearing was intended to focus on the
unintended consequences of HIPAA privacy regulations.

Dr. John Clough, speaking for the Healthcare Leadership Council, a
group of payers, vendors, providers and pharmaceutical companies, called
for a delay of HIPAA Privacy, citing "three key provisions [of HIPAA]
that are unworkable, would disrupt patient care, and divert limited
resources from treating patients: The prior consent requirement,
'minimum necessary' standard, and 'business associates.'"

Janlori Goldman, Director of the Health Privacy Project, called the
standards "long overdue" and urged that no delay be made.  She said
that any "real and legitimate" concerns of covered entities could be
addressed by DHHS, which has the legal authority to make certain
modifications to the regulation, as necessary to permit compliance.

For more information, including links to full testimony of all
witnesses, go to:
http://www.hipaadvisory.com/news/2001/house0322.htm



  *** Organizations Urge DHHS to Move Forward with HIPAA Privacy ***

In a March 19th letter, the American Health Information Management
Association (AHIMA) urged Secretary of Health and Human Services Tommy
Thompson to "stay the course" of the HIPAA Privacy Rule and allow it to
become effective April 14, 2001.

AHIMA's executive vice president and CEO, Linda Kloss, MA, RHIA,
expressed AHIMA's concern that comments from others over the last two
months -- ranging from the belief that the rule is too costly to a
desire to proceed at a much slower pace -- demonstrate an interest in
eliminating the rule in its entirety.

The Gartner Group also released a statement on March 14th saying,
"delay or nonapproval of the HIPAA patient privacy regulation would be
a grave mistake."  HIPAA patient privacy regulation provides the
foundation and security insurance necessary to transform the healthcare
industry into an e-healthcare industry, according to Gartner, Inc.



 *** Congressional Members Offer Varied Reactions to HIPAA Privacy ***

A group of 47 Democratic Senators and Representatives sent a letter on
March 20th to DHHS Secretary Thompson asking him to "hold the line" on
the final HIPAA privacy rule.   Senator Kennedy (D-MA) and
Representative Edward Markey (D-MA), among others, stated that any
"further delay of these crucial protections would be a major setback in
years of effort."

On March 15th, Representative Ron Paul (D-TX) introduced a
Congressional resolution to disapprove the HIPAA Privacy Rule.  The
proposed joint resolution, which has no co-sponsors, has been referred
to the Committee on Energy and Commerce, and other committees.

In a March 5th letter to Secretary Thompson, Representative Dick Armey
(R-TX) asked for the rule to be placed on hold, pending a comprehensive
review.

Under the Congressional Review Act, Congress has 60 days to review
regulations after receiving official notice. Due to what has been
called a "clerical error," Congress did not receive notification of the
Privacy rule until February 13, 2001. The Privacy rule is scheduled to
become effective on April 14th.

For more information, including the text of the Democrats' March 20th
letter and Rep. Armey's letter, go to:
http://www.hipaadvisory.com/news/



  *** URAC Releases Health Web Site Standards for Comment ***

URAC, also known as the American Accreditation HealthCare Commission,
released a draft set of Health Web Site Standards for public review
and comment on February 26th. The quality-based standards will form the
foundation of an accreditation program for health Web sites, and
include "opt-in" privacy standards. Once implemented, this
accreditation program is intended to provide consumers and other
stakeholders with a benchmark to evaluate the quality of health Web
sites.

Topics addressed by the draft Health Web Site Standards include
disclosure; content; linking; privacy and security; accountability;
policies and procedures; and quality oversight. The standards have
been under development over the past 12 months.

After the 60-day public comment period ends, URAC will revise the
standards and conduct beta testing before the final standards are
approved by URAC's Board of Directors.  URAC expects to complete the
new standards during the summer.

For more information and links to standards, go to:
http://www.hipaadvisory.com/news/2001/urac022701.htm



  *** FTC Workshop Focuses on Privacy ***

The Federal Trade Commission (FTC) hosted a public workshop on March
13, 2001 that explored how businesses merge and exchange detailed
consumer information and how such information is used commercially.

According to Internet World Daily, both opponents and proponents of new
privacy rules cited new studies claiming that restrictions on the use
of consumer information would cost catalog, apparel, and financial
companies millions, even billions, of dollars. These costs, the
companies said, would be passed on to consumers. Privacy advocates said
the numbers were fantasy.

The privacy advocates argued in favor of more and better notification
about when data is being gathered and for more opportunities for
consumers to opt-out of data collection. To ensure compliance and
uniformity, advocates called for federal rules.



  *** Study Finds Physicians Seeking Technology ***

The Internet is transforming medical practice for physicians far more
rapidly than most industry observers thought possible, according to a
recent survey. Respondents agreed computers have already had a positive
impact on the practice of medicine and quality of care.

Conducted for the Health Technology Center (HealthTech) by Harris
Interactive in cooperation with PricewaterhouseCoopers and the
Institute for the Future (IFTF), the survey polled physician leaders
and office-based practicing physicians in medium and large practice
organizations.

More than a third of the physicians and practice leaders consider a
wide range of Internet-enabled core business and clinical services to
be essential advantages. 96% of those surveyed agreed that these
technologies will make the practice of medicine easier and improve
quality of care no later than 2003.

For more information, go to:
http://www.hipaadvisory.com/news/2001/healthtech0320.htm

==================================================================

5 / H I P A A d v i s o r : Legal Q/A with Steve Fox, J.D.

  *** The New Comment Period's Impact ***

QUESTION: What impact, if any, does the new comment period have on the
implementation of the final privacy rule?

ANSWER: It is unclear what effect the new comment period will have on
the implementation deadline for the privacy rule.  Currently, most
covered entities are required to be in compliance with the rule by
April 14, 2003.

On February 28th, the Department of Health and Human Services ("DHHS")
announced that it was re-opening the public comment period on the final
privacy rule (the "privacy rule" or "rule") for thirty (30) days.  This
announcement followed the discovery that the rule had not been sent to
Congress for a sixty (60) day review period as required by law.
Because major regulatory rules, like HIPAA, do not become effective
until expiration of the congressional review period, the effective date
of the privacy rule has been delayed until April 14, 2001.  With some
exception, covered entities must be in compliance with the rule by
April 14, 2003, two (2) years after it goes into effect.  The
administration's position is that the delay in the effective date
presents the perfect opportunity to solicit additional public comment
in order to make a determination about whether certain provisions of
the rule exceed DHHS' authority, as well as to examine potentially
adverse and unintended consequences of the rule.

DHHS approximates that it has received one thousand (1,000) inquiries
about the impact and operation of the rule since it was published in
December 2000.  Apparently, many of these inquiries demonstrate that
there is substantial confusion about the procedures mandated by the
rule, as well as concern about its complexity and feasibility.  Re-
opening the comment period appears to be the administration's way of
acknowledging these inquiries and the widespread public debate about
the rule since its publication.

When looking for clues about the impact of the new comment period, it
is important to note that this new comment period does not delay the
rule's April 14 effective date.  Although DHHS has indicated that it
intends to review the comments it receives in order to determine
whether changes to the final rule are warranted, Secretary Thompson has
not wavered from his initial comments about the administration's
commitment to ensuring the privacy and security of individually
identifiable health information.  Should DHHS decide to make
modifications to the rule, there are any number of ways that these
modifications could be implemented.  Among countless other
possibilities, DHHS could extend the implementation period for the rule
by delaying the compliance date, suspend the rule pending additional
review and/or revision, or make modifications to the rule effective
sometime after the current April 14, 2003 compliance date.

As there has not been any public comment to the contrary, it is
reasonable to assume that there are certain underlying principles and
policies inherent in the rule that would remain intact even if the rule
is modified.  For example, the idea that patients should have the right
to consent to certain uses of their medical information is not likely
to be challenged.  However, the mechanism for ensuring that patients
are able to exercise this right could potentially be modified.

Other HIPAA regulations could potentially be affected if the privacy
rule is suspended or delayed.  The electronic transaction standards
were developed in conjunction with the final privacy rule with the hope
that compliance with both standards would be required at approximately
the same time.  DHHS has indicated that it will seriously consider
suspending the application of the transaction standards or take action
to withdraw them entirely if the privacy rule is substantially delayed.

Remember, the compliance deadline for the privacy rule has not been
changed.  Accordingly, it is probably a good idea for covered entities
to continue ongoing preparations for compliance with the privacy rule.

To read past HIPAAdvisor articles, go to:
http://www.hipaadvisory.com/action/HIPAAdvisor.htm

---------------------------
Steve Fox, J.D., is a partner at the Washington, D.C. office of
Pepper Hamilton LLP. This article was co-authored by Rachel H. Wilson,
an associate at Pepper Hamilton. Pepper Hamilton LLP is a
multi-practice law firm with more than 400 lawyers in ten offices.
http://www.pepperlaw.com/

Disclaimer: This information is general in nature and should not be
relied upon as legal advice. Only your attorney is qualified to
evaluate your specific situation and provide you with customized
advice.

==================================================================




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

