Privacy legislation: Fasten seat belts for ‘enormous impact’
As usual, the devil is in the details
For three years, Congress had the self-imposed mandate to enact comprehensive national medical record privacy standards. It failed to act, and on Nov. 3, the Clinton administration proposed its own standards for electronic medical records. The impact to health care providers will be significant, observers say.
The standards will cover health care providers, health plans, and health care clearinghouses that transmit information electronically. Protection would start when the information becomes electronic and would stay with the information as long as it is in the hands of a covered entity. The regulations will also allow patients access to information about how their records have been used and disclosed. In addition, "redisclosure" can occur only with authorization from the patient. (For more detail about the legislation, see related story, p. 3.)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required Congress to enact privacy standards by Aug. 21, 1999. If Congress was unable to meet that deadline, language in HIPAA required the Secretary of the Department of Health and Human Services (HHS) to issue final regulations by Feb. 21, 2000.
The proposed standards represent an "unprecedented step toward putting Americans back in control of their own medical records," President Clinton said when he introduced the legislation on Oct. 29. Since its publication, the proposed rule has been open for comment from the public for 60 days.
The legislation will have an enormous impact on every health care provider in the country, says Bruce Fried, JD, partner and chair of the health law group at ShawPittman, an international law firm in Washington, DC. Fried also is the former director of the Center for Health Plans and Providers at the Health Care and Financing Administration (HCFA) in Baltimore. "The regulations will require providers to become educated in the new privacy policy. They will have to train themselves and their staff as to how to be compliant," he says. "They will also have to build privacy processes that protect the privacy of their patients."
How far-reaching and complex this legislation might be will not be understood until the government releases its final standard for data security, Fried says. "These two [rules] will work together. Data security is largely a technology issue. These privacy requirements are the human side of the protection."
Fried expects the final standard for data security to be strict. "In my conversations with senior officials who are involved with this, they [say they] believe protecting medical privacy requires an even higher standard of security than the security that is available for large financial transactions taking place on the Internet." (For more information on preparing for HIPAA standards, see related story, p. 5.)
Still more to do
Although President Clinton expressed frustration in his remarks that Congress had failed to pass legislation, Fried wonders whether Congress had the political ability to address medical records’ privacy. "There were strong positions on several issues that kept Congress from meeting its responsibility to enact legislation, which is why the secretary is doing what she is required to do," he says.
The initial reaction to the legislation seems positive. After a "first glance" review of the summary of the regulation, the American Health Information Management Association (AHIMA) in Chicago says it seems to "balance the need for confidentiality with the need to access information for important activities, such as quality improvement and medical research." Still, "the devil is in the details," the association adds.
Some of the concerns focus on the problem that the secretary’s policy addresses only electronic medical records, not paper medical records. HIPAA only allows HHS to be that expansive, Fried says.
"The secretary said that any document that has been communicated or stored electronically, even if it’s ultimately a paper document, is covered by this regulation," he adds. "Does that mean that a faxed document is covered by this regulation? As currently written, I’d say the regulation requires that it is."
HHS Secretary Donna E. Shalala acknowledged the legislation’s limitations. "Under HIPAA, HHS does not have the authority to protect records that are maintained in paper form only. HIPAA also does not allow HHS to issue standards for records that are maintained by other insurers, or by employers for workers’ compensation purposes," according to a written statement.
"The proposed rule does not establish appropriate restrictions on the use or redisclosure of such information by likely recipients, such as researchers, life insurance issuers, marketing firms, or administrative, legal, and accounting services."
Congress has the responsibility of passing legislation that covers paper medical records, too. "It remains incumbent upon Congress to pass comprehensive confidentiality legislation that protects all information equally — whether it’s in paper or electronic format — and establishes a single, stringent national standard that serves as the law of the land," says Linda L. Kloss, MA, RRA, AHIMA’s executive vice president and CEO.
In addition, only Congress can provide consumers with the right to take action in court when their medical information is used inappropriately.
Another concern: The policy sets a federal floor, allowing states to develop more stringent privacy regulations. "We could end up with a hodgepodge of medical privacy regulations that would be difficult to administer," Fried says. Consumers, therefore, would find they have different privacy protection depending on where they live. Organizations that operate over the Internet or across state lines would find the different levels of protection inefficient and chaotic, he adds. "I think it’s a difficult standard."
Although HHS estimates the five-year cost for covered entities to be at least $3.8 billion, Fried says the health care industry still does not have a good sense of what the overall cost of the legislation will be. "Here is an interesting question; when we begin to really understand what the cost is, what impact will that have on the health care system?"
Even with his concerns, Fried says he thinks the legislation is "ultimately a good thing."
"Patients and consumers have a lot of anxiety about the privacy of their medical information. These are private matters that people want to have protected," he says. "As the Internet begins to get more and more used by health care providers, I think that it is good for the health care industry to be able to assure consumers that their most private information will be protected."
And the health care industry has time to prepare for the implementation of the standards, Fried says. "Don’t panic [about them]. The regulations that were published [recently] are proposed." The final regulations aren’t due out until the end of February, and providers then have a two-year implementation period.
"Hospitals and other providers need to begin to understand what is likely to be required when the regulations become final," he continues. "There will be plenty of time to begin to develop privacy processes and disclosure policies, compliance plans, and to train staff. It will be important for all health care providers to understand what will be required of them and to take steps necessary to be in compliance."