ASHRM calls for changes in HIPAA privacy rules, says impact will be severe
ASHRM calls for changes in HIPAA privacy rules, says impact will be severe
The rules intended to protect confidential patient information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will have a major effect on virtually all health care providers and should be changed so they’re more workable, according to comments from the American Society for Healthcare Risk Management (ASHRM) in Chicago.
ASHRM recently submitted comments on the notice of proposed rule-making regarding standards for privacy of individually identifiable health information. During the coming year, the Department of Health and Human Services and the Health Care Financing Administration are expected to publish several proposed and final regulations establishing standards for the movement and uses of health care information. ASHRM says those privacy, security, and administrative simplification regulations will have "a major impact on the day-to-day functioning of the nation’s hospitals" and "the regulations will affect virtually every department of every entity that provides or pays for health care."
Fay Rozovsky, JD, MPH, DFASHRM, president of ASHRM, says risk management professionals are keenly aware of the privacy concerns individuals have regarding the increasing use of electronic means to transfer health-related information. Rozovsky says ASHRM recommended that some areas in the proposal be strengthened, such as the need for a broader definition of "health care operations" to incorporate incident reporting, investigative activities, and other institutional efforts designed to improve systems of delivering and managing the care of patients. ASHRM also pointed out several areas of the proposed rules where confusion or ambiguity over the interpretation could pose difficulties in implementation.
The following are the recommendations from ASHRM:
o Problem: Allowing patients to request that certain protected health information be restricted from further use or disclosure may threaten patient care delivery.
- Recommendation: ASHRM suggests consideration of either the development of standardized criteria by which specified health information may be restricted from further use or disclosure, or a statement that there are no exceptions. Patients’ restriction of the use of their information should be limited to nonemergency situations and to clinical information only. It is very difficult to limit scheduling information and some billing information. That would require changes to many organizations’ systems to eliminate this information from reports.
o Problem: Who may be classified as a "business partner" and the limits on their ability to use the information they receive from the covered entity may be ambiguous.
- Recommendation: ASHRM suggests clarification of the term "business partner" and specific limitations on such partners’ ability to use information they receive from the covered entity. Organizations need to be able to contract with individuals and organizations to complete clinical studies, provide clinical expertise, and increase access to experts and quality of care.
o Problem: Requiring each individual provider within a health care system that includes multiple covered entities to have separate authorizations for the same purpose may create confusion.
- Recommendation: ASHRM suggests consideration of allowing all "authorized" providers within a health care system that includes multiple covered entities to have the same authorization for the common purpose.
o Problem: Disclosure for judicial and law enforcement purposes, uses for government health data systems, directory information, research, and accounting of disclosures may create confusion.
- Recommendation: ASHRM suggests consideration of further limitations and specification on the disclosure of information in order to minimize opportunities for breach of confidentiality (i.e., a requirement for legal process vs. just verbal assurances of the requesting officer).
o Problem: A provision absolves the covered entity of any liability if an employee or other person associated with a business partner discloses protected health information to a law enforcement official, oversight agency, or an attorney if the discloser believes the information is evidence of a violation of law. However, there are no process parameters for a "member of the work force" to give an oversight or law enforcement agency or legal counsel individually identifiable health information if the work force member believes any law has been violated (whistle-blower provisions).
- Recommendation: ASHRM suggests the incorporation of a clause that addresses rules for a "member of the work force" to give an oversight or law enforcement agency or legal counsel individually identifiable health information if that work force member believes any law has been violated.
o Problem: The definition of "health care operations" to incorporate incident reporting and investigative activities needs to be broadened.
- Recommendation: ASHRM suggests incorporating incident reporting and investigative activities in the description of "health care operations."
o Problem: The section exempting information "prepared in anticipation of litigation" does not include protection of risk prevention data gathered about incidents.
- Recommendation: ASHRM suggests the incorporation of the protection of data gathered in the course of incident investigation or other risk prevention activities.
o Problem: Everyone should be held to strict compliance, including federal, state, and local government, as well as private entities and agencies.
- Recommendation: In order to effect compliance with laws that would apply in a particular state, ASHRM suggests the incorporation of a process to give covered entities guidance toward such compliance.
o Problem: A great deal of revision of current policies is required, as well as creation of many new policies and education of staff on those new policies and regulations.
- Recommendation: The implementation date should take into consideration ample time for organizations to develop pertinent policies and education programs.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.