Politech mailing list archives
FC: HIPAA online survey says privacy rule should remain as-is
From: Declan McCullagh <declan () well com>
Date: Wed, 28 Mar 2001 21:11:56 -0500
******** From: "D'Arcy Guerin Gue" <daggue () phoenixhealth com> To: <declan () well com> Subject: HIPAA Privacy Survey Date: Tue, 27 Mar 2001 16:30:30 -0600 Hello Declan -- We do a lot of work related to HIPAA and, have directly and actively supported efforts by NCVHS, WEDI, AFEHCT, and associations to further privacy and information security in healthcare. You may have heard of our free services to the healthcare industry: HIPAAlert (our email newsletter with 10000+ subscribers), HIPAAlive -- our extraordinarily active discussion listserv, and our web resource HIPAAdvisory.com (largest HIPAA resource site anywhere.) Anyway, I am a longtime subscriber to politechbot -- and a "fan". I thought you might like to know about an online survey we just completed of those "in-the-trenches" of hospitals, payer organizations, vendors, clearinghouses, medical practices, etc -- to determine what they, as individuals, really think of the hotly disputed HIPAA Privacy Rule. As you know, the associations, lobbiests and other power organizations have put great pressures on the new administration -- who seems sympathetic --to slow down or stop the Privacy Rule, which was finalized in December. We noticed that one never hears from actual healthcare professionals and managers, except on conference floors and in listservs -- on the pro's and con's of the Rule's provisions. Certainly, these folks would have difficulty making "private" comments to DHHS in the current renewed "Comment Period," -- especially if their personal opinions don't represent those of their organizations' boards. We ran the survey online over the last 10 days -- receiving 517 responses. As a summary, the majority of respondents clearly expressed their belief that the Privacy Rule should remain, as-is. Obviously, responses to specific questions provide nuances and implications that should be considered when reviewing the whole. I'm attaching a copy of the survey's results; if you are interested in passing them along to your readers, you are welcome to! The "short" version is included in yesterday's HIPAAlert, which is what you're getting -- there is a link from it to a more comprehensive version. Thanks D'Arcy Guerin Gue Sr. VP, Business Development Phoenix Health Systems 9200 Wightman Rd, Suite 400 Montgomery Village, MD 20886 daggue () phoenixhealth com ************ ================================================================= H I P A A L E R T Volume 2 No. 6 March 26, 2001 >> From Phoenix Health Systems...HIPAA Knowledge...HIPAA Solutions << > Healthcare IT Consulting & Outsourcing < ================================================================= HIPAAlert is published monthly in support of the healthcare industry's efforts to work together towards HIPAA security and privacy. Direct subscribers total 10,500+! Do you have interested associates? They can subscribe free at: http://www.hipaadvisory.com/alert/ IF YOU LIKE HIPAALERT, YOU'LL LOVE HIPAADVISORY.COM! -- Phoenix' comprehensive "HIPAA hub of the Internet," per Modern Healthcare magazine. Visit: http://www.hipaadvisory.com ================================================================= T H I S I S S U E 1. From the Editors: Our "Make A Difference" Privacy Issue 2. HIPAAlert's In-The-Trenches Privacy Survey Results 3. Feature Article: What is Happening to Health Privacy? 4. HIPAAnews: Privacy Rule Reactions - Everywhere! 5. HIPAAdvisor: The Comment Period's Impact ================================================================= 1 / F R O M T H E E D I T O R S: We wouldn't want to be sorting through Tommy Thompson's mail lately. Seems like everyone is registering last-minute concerns regarding HIPAA Privacy. Congressmen, WEDI, AHA, the Blues, AHIMA... you! The reaction to our privacy survey was immediate and resounding. In just 2 weeks, over 500 members of the industry spoke up about HIPAA Privacy. See the eye-opening results below. With so many rumors and news-bytes out there, we decided it was time to put together an overall perspective on the status of the HIPAA Privacy Rule. D'Arcy Guerin Gue and Roy Rada have burned some midnight oil to analyze HIPAA Privacy today in an extended feature article - what is happening, what are the issues, who are the players, how we got here, and where the Privacy Rule may be going. See HIPAAnews for an up-to-the-minute, very Privacy-oriented news update -- then, don't miss HIPAAdvisor: this month, our legal perspective on the meaning and potential implications of the renewed Privacy comment period. This issue is a lot to read -- but we think you'll find it's worth it! Diane Boettcher, Editor dboettcher () phoenixhealth com D'Arcy Guerin Gue, Publisher daggue () phoenixhealth com ================================================================= 2 / HIPAA Privacy Survey Healthcare Industry Privacy Survey Results: Healthcare Execs and Staff Say: "Keep the Privacy Rule As-Is!" Until now, the new administration and the media have heard mostly from the big healthcare industry organizations on the pro's and con's of the HIPAA Privacy Rule. The AHA, AMA, Blue Cross Blue Shield and others have registered mostly "cons" -- claiming the Rule is "too burdensome," "unaffordable," "unrealistic" -- and this has created a national political furor. How do individual healthcare professionals and managers feel about the HIPAA Privacy rule? Given the opportunity to personally comment on the new Privacy provisions, how would those in the hospital and payer trenches -- those who are responsible for actually implementing and managing the Rule -- assess its value and practicability? In a one-of-a-kind online national survey taken over two weeks in March, Phoenix Health System's industry newsletter HIPAAlert found out. Overwhelmingly, healthcare industry executives, managers and professionals want the Privacy Rule -- and they want it as-is. The survey, posted in early March at www.HIPAAdvisory.com and announced by HIPAAlert, received responses from 517 Senior Managers, CIO's, Department Managers, Compliance and Security Managers, physicians, and other professionals from hospitals, insurance companies, HMO's, claims clearinghouses, medical practices, and vendors. Following is a summary of results: The survey addressed the contentious issues in the HIPAA Privacy Rule. Participants were asked to say whether they felt specific provisions should be removed, loosened, remain (stay the same), or be stricter. Across questions, across institutional affiliations, and across their roles in healthcare -- the overwhelming pattern of response to the survey was in support of the Privacy rule as written. No pattern emerged to suggest that people from one part of the healthcare environment consistently had a different bias than those in other industry segments. A sampling of results: > "Consent and Authorization" rule: patient health information may not be used unless authorized -- 64% of respondents agreed. In one of the few exceptions to the survey's trend of agreement with the Privacy rule, 75% of payers wanted this provision removed completely. > Use and disclosure of patient data is allowed without authorization, for medical research, law enforcement, other public needs -- well over half of respondents agreed with this provision. However, 56% of respondents felt the provision allowing limited use of patient data for fundraising should be stricter; only 34% agreed with it as written. > Consent is required for use of patient data for treatment, healthcare operations, etc.-- 63% of respondents agreed, 17% wanted this rule loosened. > Only "minimum necessary" disclosure of health information is allowed, even when authorized -- 63% of hospital staff and 59% overall agreed this rule should remain as-is. > Patients have the right to inspect health data used to make decisions about them: 69% of all respondents agreed this rule should remain the same; 82% of providers agreed. > State laws that are stricter should preempt HIPAA -- 53% of participants agreed with this rule; 40% said that HIPAA should always preempt the state laws. > Privacy Rule applies to all individual patient data, whether electronic, paper, oral or other: An overwhelming 70% of all respondents believed this provision should remain as-is. > Business Associate agreements -- 64% of all respondents supported the general provision requiring such agreements. However, just under half (48%) agreed that they should be held responsible for addressing Business Associates' violations if aware of them, with 22% suggesting that the latter requirement be loosened. > Patients have no right to sue under HIPAA -- The majority (66%) agreed with this provision; the remainder felt the opposite. > 57% of respondents felt DHHS' estimated $3.8 billion price tag for Privacy compliance is too low. 10% said it's about right, 6% said it's too high -- 27% didn't know. Nearly half of respondents passed on many personal comments: ..."The privacy rules for the most part are the right thing to do. It is how I would want my information protected/shared"... ..."We do not disagree with the privacy protections of HIPAA. Our problems are with the cost of implementation, especially in a time frame of 24 months"... ..."The issues covered in the Privacy rule are good, but (it) is too complex and interpretation, at least at this point, is not clear enough"... ..."The Privacy rule isn't perfect... however, the opposition by major healthcare players (AMA, AHA, Blues), all the comment periods and "tweaking"... will do nothing to improve the privacy of health information"... ...Finally, as one payer compliance manager wrote, "It's time to stop complaining and just get on with implementing these regs." For more detailed survey results and comments: http://www.hipaadvisory.com/action/privacy/rulesurvey.htm ================================================================= 3 / H I P A A r t i c l e: What Is Happening to Health Privacy? Co-authors: Roy Rada, M.D., Ph.D. University of Maryland, Baltimore County Author of HIPAA@IT D'Arcy Guerin Gue Senior Vice President, Phoenix Health Systems Publisher, HIPAAlert, HIPAAdvisory.com -------------------------------------- In the last month, controversy over the HIPAA Privacy Rule hit new highs -- or lows -- depending on how you look at it. As Congressional opponents and proponents stepped onto the soapbox, we watched - ------------------------------------- Congressional Opponents: Senator Jim Jeffords, Chairman of the Committee on Health, Education, Labor, and Pensions, announced he had asked the General Accounting Office to interview health care organizations to determine the need for additional legislation to change the Privacy regulations. [Hmmm, we already know that Jeffords knows what the healthcare organizations will report: excessive costs. It's in the news everyday. So, why is Jeffords requesting this new time-consuming effort?] Senator Pat Roberts said he was "stunned and terribly worried" about the rule. He cited Kansas hospitals struggling just to keep their doors open who cannot be expected to cope with the new regulations. [We find ourselves wondering -- does he mean hospitals that are losing money are entitled to be judged by lesser standards of privacy than hospitals operating in the black?] House Majority Leader Dick Armey complained that Privacy rule Exceptions allowing access for law enforcement "may actually put private personally identifiable information at greater risk than exists today." He wants the Privacy Rule to be suspended pending a full review. [Our observation: All other existing privacy legislation affords exceptions for law enforcement or like emergency government involvement. The healthcare Privacy Rule is no different. Why not tell the whole story? ]. Congressional Proponents: Senator Christopher Dodd warned that voters would punish politicians who weaken privacy protections. [Really? How informed are voters about the personal health privacy issues at stake? The national furor is all about dollars and power -- the agendas of industry lobbyists -- rather than the pros and cons of Privacy Rule provisions for individual patients. Where are voters hearing that they must develop educated opinions on this rule?] Senator Hillary Clinton said the regulations need to be "more stringent" and expressed concern about the possible release of patient information for marketing purposes. [Fly on the wall comment: Does the controversial new Senator really believe that she can help make the rule stronger? Or is this a feint: her take on the age-old battle strategy of taking the extreme position?] Senator Ted Kennedy focused on the individual, contrasting the burden of the family bread-winner who must find a new job because his employer discovers something in his health information that the employer does not like, against the burden for healthcare organizations in complying with the regulations. [Despite the drama, Kennedy's comment exemplifies an issue: the power that an organization can have over an individual. Do those opposed to the Privacy Rule believe that the employer is right to make decisions about employees based on their health record? Aren't individuals entitled to keep their personal health information private, separate from employer records?] ------------------------------------- Profit Power Supplants People Power When did this skirmish begin? A hundred years ago, record keeping about individuals was limited. Few individuals had insurance -- so, there were no insurance files. A patient's medical record typically existed only in the doctor's memory. There was little "security" because there was little to secure. Privacy was not an issue. Now, people work for organizations that keep extensive records on them. Insurance is the norm, and medical care is institutionalized. Both require the individual to divulge information. Both usually keep some evaluation of him based on his and others' input, and both are increasingly automated to ease information access. Some security measures have been implemented, but they are typically inconsistent and inadequate. As these records have supplanted face-to-face encounters, there has been no compensating tendency to give the individual the kind of control over the collection, use, and disclosure of information about him that face-to-face encounters once enabled. This control or power has moved to the organization. And organizations have strong profit incentives to acquire and use protected health information. As a result, the patient now faces major challenges in trying to - know what information exists about him, - correct errors that may exist in the information, or - know how and by whom the information is being used. The organization can use and disclose patient information in ways that affect the patient's life. The patient may or may not be told what information led to what decisions. As a result, the organization comes to have power over the patient. The patient's desire for control over his or her own information offers a "balance of power." Privacy is first and foremost about power. Within our democratic way of life, individuals should be able to work through the government to achieve a balance of control between their own needs and the needs of organizations. ------------------------------------- But, Is Privacy Abused? Unfortunately, everyday -- yes. There are many ways: - One is intrinsic to inadequate security and access to electronic records. Remember the teenager who recently gained access to her health worker parent's computer, found lists of patients and called to tell them they had tested HIV-positive. - Another type of privacy abuse is breaches of confidentiality to a third party -- as when Congresswoman Nydia Velasquez's psychiatric records of attempted suicide were released to the media during her election campaign. - A third category is plain carelessness, i.e., sending the wrong insurance details to the wrong person. - A fourth type of abuse is secondary uses of medical information by unrelated third parties -- such as selling private medical information to drug companies who then contact individuals to sell them "appropriate" drugs. States have adopted a number of laws designed to improve security and protect patients against the inappropriate use of health information. But a review of these laws shows that these protections are uneven and leave large gaps in their protection. Also, some healthcare organizations have taken their own steps to safeguard the privacy through various security and privacy measures. But they have been hampered by the patchwork of incomplete and inconsistent State regulations. ------------------------------------- Was HIPAA a Political Accident? Despite the complaints of opponents, the answer is no. HIPAA was strongly supported and passed by a bi-partisan Congress in 1996. How did this happen? Historically, the individual's struggle with the organization to achieve privacy has been difficult to crystallize into regulations. These matters are complex and their symptoms not easily visible. People have been too "individual" to come together and mobilize against the interests of large organizations. In the 1980's, enormous concerns about rising healthcare costs added to the complexity of the healthcare environment. To find ways to reduce healthcare administrative costs, the 1991 Bush administration assembled the Workgroup for Electronic Data Interchange (WEDI), with a star- studded membership of executives largely from the health insurance industry. WEDI's mandate -- and strong interest -- was to reduce administrative costs through standardization. However, it eventually found it could not build the required private-public partnership it had promised Bush. In 1996, a bi-partisan Congress passed HIPAA with the intent of improving healthcare portability and standardizing transactions, which had by then become even more cumbersome and costly. But the move to reduce healthcare costs through easier, standardized transmission of patient-identifiable medical details brought sobering political observations about the attendant privacy risks. So, the bi-partisan Congress passed HIPAA not only with "Administrative Simplification" of transactions, but also with an over-riding mandate to ensure that associated privacy vulnerabilities would be resolved. As mandated, a final Transactions Rule was signed in August 2000; the final Privacy Rule was announced in December 2000. A Security Rule has been in the DHHS works for months, with intentions to publish it later this year. ------------------------------------- The Industry Adversaries: In This Corner, Weighing…. Opponents... to the Privacy Rule -- provider organizations and payers --have been vocal since Congress and DHHS began their first attempts to frame it. With the change to a more industry-sympathetic administration, healthcare lobbyists representing hospitals, insurers, HMO's and medical research companies are, ironically, spending hundreds of thousands of dollars to persuade the government to delay, change, or kill the regulations. Their message is overwhelmingly about bottom line profits: implementation presents a burden that will cost them too much. The American Medical Association has said that the rules "will increase costs and paperwork for physicians without improving patient care." The American Hospital Association says that time and resources required would be better spent on direct patient care. Blue Cross Blue Shield says the privacy rule will increase costs for organizations [The fly on the wall must ask -- might not patient care be enhanced, and patients' and industry's costs decreased, with responsible standardization? And, if better security measures were put in place, could we not improve direct patient care by upgrading processes with a boundless new world of sophisticated e-technologies that other, more security-savvy industries are already embracing?] Proponents ...of the Privacy rule within the industry are a different breed, typically representing special interest groups, and having much less lobbying money or power. They include the Consumer Coalition for Health Privacy and the Health Privacy Project at Georgetown University. Janlori Goldman, the Health Privacy Project's Director, speaks widely emphasizing that the rules meet a genuine patient need. The American Health Information Management Association (AHIMA) has urged Secretary Thompson in a letter to "stay the course" and not delay HIPAA Privacy. Organizations like WEDI and Association for Electronic Health Care Transactions (AFEHCT) have made similar appeals through their industry newsletters and at industry conferences. Respected DHHS and other government officials like Bill Braithwaite and Gary Claxton, who have led efforts to work with the industry to develop realistic Privacy and Security regulations, have publicly noted their dismay with the recalcitrance of the healthcare industry. Shannah Koss, an expert on health information technology at IBM, said: It will be incredibly difficult for any politician to stand up and say, "I don't support the public's right to health care privacy." Neither IBM as a company, nor other big information technology vendors that might be expected to speak for better security and patient privacy have spoken up. Apparently, they don't see this as being in their business interests, at least for now. These companies have large clients in the healthcare industry. Taking a public position for new security and privacy practices might alienate the client (even though vendors such as IBM already employ similar practices within their own organizations). Some vendors of healthcare information systems have been told by their clients to provide HIPAA-compliant solutions at no additional cost to the client. This creates an unwanted cost for the vendor. ------------------------------------- Where Are the Patients? We've heard from everyone in the healthcare environment except the individual patient. Does the patient want to speak on this matter? Does the patient know about this matter? The Privacy Rule is about the patient owning the medical record and allowing the healthcare industry to use it. In the Privacy Rule, and not in standard practice before the Privacy Rule, is the model that the patient has access to the complete medical record anytime the patient wants -- not just access but a copy of the information and the right to amend the information. This opportunity for the patient could be revolutionary. In the typical situation today, the patient goes to the healthcare provider, is examined, and is given some treatment. The patient understands little -- what happened, what information was important in decision-making, what the issues facing the doctor were, why the treatment may or may not work. If the treatment doesn't work, the patient returns to the doctor and the process repeats itself. Might the patient contribute to this healthcare process? The Internet offers patients opportunities to create their own medical records and to find healthcare professionals who will work with that medical record. It provides medical knowledge that can help them monitor, understand and even address their health needs. It allows access through e-mail to healthcare practitioners, and other patients with similar conditions. Patient knowledge and proactive, educated attention to the health processes of life may significantly improve patient health and reduce healthcare costs. Today, if a patient asks for a copy of his medical record, he is often told that this is the property of the clinic. If the patient wants to see another doctor, the new doctor will request and receive the patient's records, but not the patient. The Privacy Rule would change this situation by assuring the patient access to the patient's record. Might such access lead to more people engaging in more effective maintenance of their own health? ------------------------------------- The Bush Administration: Headed Towards an Industry TKO? George W. Bush' newly created administration appears emphatically in favor of minimizing government regulation of business. In its brief life, the administration has already demonstrated a strong identification with the interests of health insurers and providers, and the business community overall. DHHS' Secretary Tommy Thompson has publicly said, "Privacy is an important issue" to the administration  but has expanded upon this primarily by suggesting that the HIPAA Privacy Rule might "hinder the health care industry" and be "so burdensome that it interferes with access to health care". The Transactions Rule remains widely supported within the industry, but the accompanying rules for privacy and security may well be delayed by the new administration. If these delays occur, the standardization and associated cost-savings of the Transactions Rule may also be delayed because the Transactions Rule was to have been implemented with privacy and security protections. ------------------------------------- Bottom Line: Can We Pull Privacy Together? The current political atmosphere suggests that the Privacy Rule could be stalled by the Bush administration. DHHS Secretary Tommy Thompson has initiated a renewed, 30-day "Comment Period" for the Privacy Rule, ending March 30. All those who may be affected or who care about the issues at hand - healthcare provider entities, payer entities, special interest organizations, individuals, hospital managers and staff, physicians, nurses, other healthcare providers, vendors, clearinghouses, consultants -- will be heard, we've been told. If you favor more delays in the rule, then you can thank the new administration and the healthcare industry. If you feel the Privacy Rule should be implemented, you may now be perceived by the administration as the political minority - but your comments have been requested, will be recorded, and will be considered. If you feel the Privacy Rule should become effective as scheduled -- but favor some changes in it -- there is room in the process for consideration of changes after the effective date. The new Comment Period for the HIPAA Privacy Rule represents an opportunity to be a significant part of a long and arduous American evolution towards two seemingly disparate phenomena - information automation and individual privacy. Let's make the most of it. ================================================================= 4 / H I P A A n e w s *** USA Today Editorial Supports HIPAA Privacy *** USA Today, in a March 23rd editorial attacked critics of the HIPAA Privacy rule for spreading "bogus horror stories". While admitting that the regulations could be improved, the editorial says that critics are looking for ways to weaken the regulations. The editorial is in reaction to recent lobbying efforts by industry groups to delay or rewrite the HIPAA Privacy rule that was published in December 2000. For more information, go to: http://www.hipaadvisory.com/news/index.htm#usa0322 *** House Subcommittee Holds Hearing on HIPAA Privacy *** Industry representatives continued their calls for changes to the HIPAA Privacy rule during a House Energy and Commerce Health Subcommittee hearing entitled, "Assessing HIPAA: How Federal Medical Record Privacy Regulations Can Be Improved." Held on March 22, 2001, the hearing was intended to focus on the unintended consequences of HIPAA privacy regulations. Dr. John Clough, speaking for the Healthcare Leadership Council, a group of payers, vendor, providers and pharmaceutical companies, called for a delay of HIPAA Privacy, citing "three key provisions [of HIPAA] that are unworkable, would disrupt patient care, and divert limited resources from treating patients: The prior consent requirement, 'minimum necessary' standard, and 'business associates.'" Janlori Goldman, Director of the Health Privacy Project, called the standards "long overdue" and urged that no delay be made. She said that any "real and legitimate" concerns of covered entities could be addressed by DHHS, which has the legal authority to make certain modifications to the regulation, as necessary to permit compliance. For more information, including links to full testimony of all witnesses, go to: http://www.hipaadvisory.com/news/2001/house0322.htm *** Organizations Urge DHHS to Move Forward with HIPAA Privacy **** In a March 19th letter, the American Health Information Management Association (AHIMA) urged Secretary of Health and Human Services Tommy Thompson to "stay the course" of the HIPAA Privacy Rule and allow it to become effective April 14, 2001. AHIMA's executive vice president and CEO, Linda Kloss, MA, RHIA, Expressed AHIMA's concern that comments from others over the last two months -- ranging from the belief that the rule is too costly to a desire to proceed at a much slower pace -- demonstrate an interest in eliminating the rule in its entirety. The Gartner Group also released a statement on March 14th saying, "delay or nonapproval of the HIPAA patient privacy regulation would be a grave mistake." HIPAA patient privacy regulation provides the foundation and security insurance necessary to transform the healthcare industry into an e-healthcare industry, according to Gartner, Inc. *** Congressional Members Offer Varied Reactions to HIPAA Privacy *** A group of 47 Democratic Senators and Representatives sent a letter on March 20th to DHHS Secretary Thompson asking him to "hold the line" on the final HIPAA privacy rule. Senator Kennedy (D-MA) and Representative Edward Markey (D-MA), among others, stated that any "further delay of these crucial protections would be a major setback in years of effort." On March 15th, Representative Ron Paul (D-TX) introduced a Congressional resolution to disapprove the HIPAA Privacy Rule. The proposed joint resolution, which has no co-sponsors, has been referred to the Committee on Energy and Commerce, and other committees. In a March 5th letter to Secretary Thompson, Representative Dick Armey (R-TX) asked for the rule to be placed on hold, pending a comprehensive review. Under the Congressional Review Act, Congress has 60 days to review regulations after receiving official notice. Due to what has been called a "clerical error," Congress did not receive notification of the Privacy rule until February 13, 2001. The Privacy rule is scheduled to become effective on April 14th. For more information, including the text of the Democrats' March 20th letter and Rep. Armey's letter, go to: http://www.hipaadvisory.com/news/ *** URAC Releases Health Web Site Standards for Comment *** URAC, also known as the American Accreditation HealthCare Commission, released a draft set of Health Web Site Standards for public review and comment on February 26th. The quality-based standards will form the foundation of an accreditation program for health Web sites, and includes "opt-in" privacy standards. Once implemented, this accreditation program is intended to provide consumers and other stakeholders with a benchmark to evaluate the quality of health Web sites. Topics addressed by the draft Health Web Site Standards include disclosure; content; linking; privacy and security; accountability; policies and procedures; and quality oversight. The standards have been under development over the past 12 months. After the 60-day public comment period ends, URAC will revise the standards and conduct beta testing before the final standards are approved by URAC's Board of Directors. URAC expects to complete the new standards during the summer For more information and links to standards, go to: http://www.hipaadvisory.com/news/2001/urac022701.htm *** FTC Workshop Focuses on Privacy *** The Federal Trade Commission (FTC) hosted a public workshop on March 13, 2001 that explored how businesses merge and exchange detailed consumer information and how such information is used commercially. According to Internet World Daily, both opponents and proponents of new privacy rules cited new studies claiming that restrictions on the use of consumer information would cost catalog, apparel, and financial companies millions, even billions, of dollars. These costs, the companies said, would be passed on to consumers. Privacy advocates said the numbers were fantasy. The privacy advocates argued in favor of more and better notification about when data is being gathered and for more opportunities for consumers to opt-out of data collection. To ensure compliance and uniformity, advocates called for federal rules. *** Study Finds Physicians Seeking Technology *** The Internet is transforming medical practice for physicians far more rapidly than most industry observers thought possible, according to a recent survey. Respondents agreed computers have already had a positive impact on the practice of medicine and quality of care. Conducted for the Health Technology Center (HealthTech) by Harris Interactive in cooperation with PricewaterhouseCoopers and the Institute for the Future (IFTF), the survey polled physician leaders and office-based practicing physicians in medium and large practice organizations. More than a third of the physicians and practice leaders consider a wide range of Internet-enabled core business and clinical services to be essential advantages. 96% of those surveyed agreed that these technologies will make the practice of medicine easier and improve quality of care no later than 2003. For more information, go to: http://www.hipaadvisory.com/news/2001/healthtech0320.htm ================================================================== 5 / H I P A A d v i s o r : Legal Q/A with Steve Fox, J.D. *** The New Comment Period's Impact *** QUESTION: What impact, if any, does the new comment period have on the implementation of the final privacy rule? ANSWER: It is unclear what effect the new comment period will have on the implementation deadline for the privacy rule. Currently, most covered entities are required to be in compliance with the rule by April 14, 2003. On February 28th, the Department of Health and Human Services ("DHHS") announced that it was re-opening the public comment period on the final privacy rule (the "privacy rule" or "rule") for thirty (30) days. This announcement followed the discovery that the rule had not been sent to Congress for a sixty (60) day review period as required by law. Because major regulatory rules, like HIPAA, do not become effective until expiration of the congressional review period, the effective date of the privacy rule has been delayed until April 14, 2001. With some exception, covered entities must be in compliance with the rule by April 14, 2003, two (2) years after it goes into effect. The administration's position is that the delay in the effective date presents the perfect opportunity to solicit additional public comment in order to make a determination about whether certain provisions of the rule exceed DHHS' authority, as well as to examine potentially adverse and unintended consequences of the rule. DHHS approximates that it has received one thousand (1,000) inquiries about the impact and operation of the rule since it was published in December 2000. Apparently, many of these inquires demonstrate that there is substantial confusion about the procedures mandated by the rule, as well as concern about its complexity and feasibility. Re- opening the comment period appears to be the administration's way of acknowledging these inquiries and the widespread public debate about the rule since its publication. When looking for clues about the impact of the new comment period, it is important to note that this new comment period does not delay the rule's April 14 effective date. Although DHHS has indicated that it intends to review the comments it receives in order to determine whether changes to the final rule are warranted, Secretary Thompson has not wavered from his initial comments about the administration's commitment to ensuring the privacy and security of individually identifiable health information. Should DHHS decide to make modifications to the rule, there are any number of ways that these modifications could be implemented. Among countless other possibilities, DHHS could extend the implementation period for the rule by delaying the compliance date, suspend the rule pending additional review and/or revision, or make modifications to the rule effective sometime after the current April 14, 2003 compliance date. As there has not been any public comment to the contrary, it is reasonable to assume that there are certain underlying principles and policies inherent in the rule that would remain intact even if the rule is modified. For example, the idea that patients should have the right to consent to certain uses of their medical information is not likely to be challenged. However, the mechanism for ensuring that patients are able to exercise this right could potentially be modified. Other HIPAA regulations could potentially be affected if the privacy rule is suspended or delayed. The electronic transaction standards were developed in conjunction with the final privacy rule with the hope that compliance with both standards would be required at approximately the same time. DHHS has indicated that it will seriously consider suspending the application of the transaction standards or take action to withdraw them entirely if the privacy rule is substantially delayed. Remember, the compliance deadline for the privacy rule has not been changed. Accordingly, it is probably a good idea for covered entities to continue ongoing preparations for compliance with the privacy rule. To read past HIPAAdvisor articles, go to: http://www.hipaadvisory.com/action/HIPAAdvisor.htm --------------------------- Steve Fox, J.D., is a partner at the Washington, D.C. office of Pepper Hamilton LLP. This article was co-authored by Rachel H. Wilson, an associate at Pepper Hamilton. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. http://www.pepperlaw.com/ Disclaimer: This information is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice. ================================================================== ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if it remains intact. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
Current thread:
- FC: HIPAA online survey says privacy rule should remain as-is Declan McCullagh (Mar 28)