FC: Peter Swire responds to Jamie Love on medical privacy

[Declan McCullagh <declan () well com>]

***********
In response to this:
http://www.politechbot.com/p-01771.html
***********

Date: Wed, 28 Feb 2001 10:28:33 -0500
To: declan () well com
From: "Peter P. Swire" <swire.1 () osu edu>
Subject: answer to jamie's question


Declan:

	Jamie Love asks a legitimate question about why the medical privacy rules 
came out when they did.  As anyone who was part of the process within the 
government will tell you, we pushed hard to get it done as quickly and well 
as we could.  Here's the timeline that explains what happened:

1996: Congress passes the Health Insurance Portability and Accountability 
Act (HIPAA).  Includes "administrative simplification" requirements to 
speed the computerization of medical records.  Agreement in Congress that 
confidentiality protections should be created at the same time ­ we don't 
want medical records flying around electronically unless we have 
confidentiality, too.

1997:  As required by HIPAA, HHS Secretary Shalala submits a detailed 
report on what legislation should include for medical privacy.

August, 1999: Congress fails to meet the HIPAA statutory deadline for 
writing a medical privacy law.  Despite significant efforts, especially in 
the Senate Health, Education, Labor, and Pension Committee, no medical 
privacy bill even gets out of subcommittee.  HHS thus gains, for the first 
time, authority to issue privacy rules under HIPAA.

October, 1999: President Clinton and Secretary Shalala announce the 
proposed medical privacy rules and open them for public comment by December 
30.  At the strong request of both privacy and industry groups, the comment 
period is extended until February 15 so that careful and detailed comments 
can be drafted on the rule.

February 15, 2000:  Comment period closes, with over 52,000 public 
comments.  Administration forms team of 70 people from over a dozen 
agencies to read and analyze the rules, and create the detailed 
administrative record required to show the basis for each decision.  A 
major rule of this sort almost certainly is challenged in court, and will 
be upheld only if the comments have received a thorough analysis and each 
policy decision is explained in the record.

Summer, 2000: "Administrative simplification" rules announced.  These 
create standard protocols to transfer medical records electronically.  The 
Administration reiterates the decision made in HIPAA, that administrative 
simplification must be accompanied by strong privacy protections.

December 20, 2000.  President Clinton and Secretary Shalala announce the 
final privacy rule.  In double-spaced form, the rule and accompanying 
materials were slightly over 1,000 pages.  In the Federal Register, the 
rule itself is 30 pages, and the accompanying material is 336 pages.  Under 
the HIPAA statute, the rule does not require compliance until 26 months 
after the final rule is announced.

	Why didn't the rule come out earlier?  The first answer is that we only 
received regulatory authority in the second half of 1999, and completed the 
full process of notice and comment in less than a year and a half.  For a 
major rule of this scope and complexity, with this many issues of first 
impression, that time frame is pretty short.

	The second answer is that we tried to get it done sooner.  Hard.  Lots of 
staff were working nights and weekends for long stretches, to draft the 
proposed rule, read and understand the enormous number of comments, and 
draft the final rule and accompanying materials.  Senior White House and 
HHS officials consistently pushed us all to get the work done 
sooner.  Comments came in from almost twenty federal agencies, with 
everything done on extremely tight turn-arounds for very large documents.

	In the fall of 2000, we basically faced the decision of rushing the rule 
into production a month or two before the work was complete or else 
continuing to work on it until it was done right.  We decided to try to 
write the best rule we could.  The privacy rule expects compliance from 13 
percent of the American economy.  Mistakes in the rule could lead to bad 
medical consequences and likely overturn on judicial review.  So, we kept 
working on the rule until we had the needed confidence that the policy was 
workable and the administrative record was strong enough to survive the 
expected court challenge.

	Now the Bush Administration must decide whether to allow the rule to take 
effect on April 15 or else to effectively cancel the rule and start 
over.  My strong recommendation is to have the rule take effect.  HHS can 
then consider the new comments that come in, and can make any changes it 
believes are lawful and appropriate long before compliance is expected in 2003.

	By contrast, if HHS decides not to let the rule take effect, then it will 
face an enormous challenge under the Administrative Procedure Act.  Its new 
decisions would probably need to take account of the 52,000 original 
comments plus the additional comments from the new round.  Until the new 
Administration made its new policy choices and created a detailed 
administrative record to explain each of those choices, the final rule 
could not issue.  It took an incredible effort to write the rule in the 
Clinton Administration where senior officials made the rule a priority.  In 
a new Administration where its industry allies benefit from delay of the 
rule, I believe it quite possible that the privacy rule would never get 
written.  Meanwhile, administrative simplification would go forward, and 
electronic exchange of medical records would become the new industry 
practice without any federal privacy protections at all.




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------