Congress scrambles to meet August deadline for medical records privacy legislat
Congress scrambles to meet August deadline for medical records privacy legislation
Federal fraud investigators seek access to identifiable patient records
Congressional efforts to pass medical records privacy measures before the job is turned over to the Department of Health and Human Services (HHS) are snagged on how much latitude health care investigators should have in acquiring individual patient records. Sen. Ted Kennedy (D-MA) in late May drew fire from the Department of Justice (DOJ) with proposals that would make it harder for health care investigators to acquire patient medical records.
"The current drafts still allow law enforcement to use tools that don’t require judicial oversight, such as an administrative subpoena," explains Kennedy aide Jim Manley. "There are also no limitations on the use of the information that is gathered."
It is just those restrictions the DOJ is trying to avoid. John Bentivoglio, special counsel for health care fraud at DOJ, recently told the Senate Committee on Health, Education, Labor and Pensions that in many cases DOJ’s ability to investigate and prosecute serious crimes—including health care fraud—will depend on its ability to obtain "individually indentifiable health information in a timely and appropriate manner." As an example, he cited the need to conduct "a comprehensive review of patient medical charts" in a potential investigation of a hospital suspected of billing health insurance plans for services that were never provided.
Among the three bills currently vying for the top spot, only the one sponsored by Sen. Patrick Leahy (D-VT) would require law enforcement officers to obtain a court order before gaining access to medical records. Leahy’s bill also would prohibit law enforcement agencies from using medical records as part of any centralized law enforcement database. The other two front-runners—bills sponsored by Sen. Robert Bennett (R-UT) and Sen. Jim Jeffords (R-VT)—would give law enforcement much wider latitude.
Another key issue is whether or not the bill passed by Congress should override existing state laws in this area, or pre-emption. The bills sponsored by Sens. Bennett and Jeffords would essentially blast existing state laws, but Sen. Leahy’s bill would not. Multi-state health care providers say a patchwork of state and federal regulations in this area would spell disaster. Already, they point out, the draft bills each approach 100 pages. And that is before HHS turns those laws into regulations.
A third issue is "private right of action," says Don Asmonga, government relations director for the Chicago-based American Health Information Management Associa tion (AHIMA). This refers to the right of a private individual to sue an institution for wrongful disclosure of health information. "But that is something that is going to be a tough sell in the Republican conference," he says.
If Congress fails to meet the Aug. 21 deadline, the 1996 Health Insur ance Portability and Accountability Act (HIPAA) requires HHS to address the issue with the development of regulatory guidelines.
Regardless of Congress’ actions on medical records privacy, it’s time for health care institutions to start thinking about and implementing patient medical record confidentiality measures.
"If health care institutions are not paying attention to privacy laws, they should be," says privacy expert Bob Gelman of Gelman & Associates in Washington, DC. "Institutions need to have policies in place and need to begin thinking about it," he asserts. "Much of what a health care institution will need to do is pretty clear, and a fair amount of it can be done—or at least started—right now, because they are going to have to do it one way or the other eventually.
"Most health care institutions don’t have adequate privacy policies," says Mr. Gelman. "They don’t understand what kind of records they have, where the information comes from, or where it goes to." They often do not have clear rules for regulating the use of information internally and its disclosure, he adds. "All of these things will be required in some fashion by the legislation or regulations."
According to Mr. Gelman, the elements in the bills are the elements of fair information practices, and that is sort of a checklist that providers should be using to develop a policy.
In fact, Sandra Fuller of AHIMA points out that her organization has drawn up just such a list that it is urging providers to begin reviewing. That list—appropriately termed "The HIPAA Checklist"—says the first thing providers should do is assign responsibility for tracking the progress of regulations as they develop. AHIMA also recommends these steps:
• Plan internal educational programs to describe HIPAA requirements to those responsible for implementing the changes.
• Perform a gap analysis of existing policies and procedures compared to the requirements of the proposed standards.
• Become familiar with the Notice of Proposed Rule Making for the employer identifier number.
• Become familiar with information security standards and standards development organizations.
• Discuss the proposed requirements with current vendors who may be supporting your organization’s information systems.
Doug Peticord, a health care information expert with Washington Health Advocates, reports that one new feature just added to the Senate’s privacy bill is the requirement for an Information Protection Officer. "This would mean that every hospital and provider group would have to designate a person with the authority and obligation to establish and maintain safeguards over the confidentiality of patient information," he says.
"I think it is a good idea for every institution to have somebody assume this role right now if they have not already done so," adds Mr. Peticord. "Even if this concept gets dropped from the bill itself, it is a step that makes a lot of sense."
In addition, the security requirements health care institutions will have to live by have already been outlined under the HIPAA regulations published as a proposed rule, notes Mr. Gelman. "Institutions don’t have to wait for that to become final, because those regulations are probably not going to be much different than the draft regulations," he says. "That is where a lot of time and effort and money will be required.
"It is not just a matter of protecting your patients, which is certainly part of the puzzle; it is protecting yourself," warns Mr. Gelman. "Stories about health privacy violations find themselves on the front page of the local newspaper, and it is only a matter of time before institutions get caught or sued—or both."
Contact Mr. Asmonga at (202) 218-3535 and Mr. Peticord at (202) 543-7460. AHIMA’s "The HIPAA Checklist" is available in its entirety at: www.ahima.org/publications/2a/ pract.brief.499.html.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.