Revised privacy, security rules expected shortly
Revised privacy, security rules expected shortly
Senior officials from the Department of Health and Human Services (HHS) say providers should expect to see the proposed rule for the security portion of the Health Insurance Portability and Accountability Act (HIPAA) in about six weeks.
Bill Braithwaite, who spearheaded the government’s privacy and security efforts before recently moving to PriceWaterhouseCoopers in Washington, DC, says he expects to see a notice of proposed rulemaking in the Federal Register within a month or so that proposes changes to that final privacy rule that make compliance with the rule easier and reduces the burden on the health care industry.
"That seems to be the direction the administration is going," says Braithwaite. However, providers should not expect a change in the compliance date, he warns.
Braithwaite says that point is underlined by the recent extension on the transaction and code set compliance date, in which Congress specifically said the compliance date for the privacy date will not be touched. "Nobody should expect any relief from Congress in terms of a potential extension of that privacy compliance date," he warns.
According to Braithwaite, some people may be taking a false sense of security from the recent delay. "What this bill does is give them a six-month [period] to get ready for compliant transactions," he explains. "I say six months instead of a year because, in order to get the extension, you have to submit a plan that says that you start testing in April 2003."
Steve Lazarus, president of the Washington, DC-based Workgroup on Electronic Data Interchange, points out that there will be updates to all of the rules for privacy, security, and transaction and code sets periodically, but no less frequently than once a year.
"There will be a transaction final rule put out for review shortly as well," he says. "But it won’t change the dates of implementation for transactions other than the extension dates that have been changed by Congress."
Braithwaite says the key to privacy compliance is that it requires a high-level corporate commitment. "It’s not just something you can pass off to information technology and say, You guys go do it,’" he cautions. "That’s not possible."
According to Braithwaite, some hospitals have made privacy and security of the information they hold a priority all along. For them, the additional work necessary to comply with the HIPAA privacy regs may be relatively small.
Many of the things required by HIPAA already may be in place, even if they haven’t been documented. "Some [organizations] can write down what their current policies and procedures are and call it HIPAA because they already have training programs and other things you would expect a health care industry leader to have," Braithwaite says.
Similarly, some organizations may think that their existing budgets for privacy and security are enough to get them going. "Others have not even thought about it, and that is definitely a mistake," says Braithwaite.
One of the most difficult issues providers will have to cope with is that of pre-emption, says Braithwaite. "When it came to privacy, it was politically impossible to write a law that said that state privacy laws are superceded by federal law," he says. As a result, organizations now must review all their state laws as well as HIPAA to determine which is more stringent.
Providers already should know what state laws they should follow, but many do not, says Braithwaite. "Don’t expect HHS to do that kind of analysis," he warns. "HHS has neither the people nor the resources to do that, so you will have to depend on state associations and other organizations to do that."
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.