HHS issues new privacy rule

Oct. 1, 2002
By Joan Szabo

The Department of Health and Human Services recently issued the final rule on protecting the confidentiality of patient medical records. As expected, it made some modifications to the regulation originally proposed by the Clinton administration.

While the recently issued regulation will provide a number of new privacy protections, it omits a requirement that a patients written permission must be obtained before his or her personal health information can be handled by doctors, hospitals, pharmacies, and insurance plans.

HHS says it had to make this change to address the serious, unintended consequences of the rule that would have interfered with patients access to quality care. For example, the Bush administration believed the rule would have required patients to visit a pharmacy in person to sign paperwork before a pharmacist could review protected health information in order to fill their prescriptions.

With the recent modification, providers will only be required to provide written notice of their privacy practices and patients privacy rights. We took great care to make sure we werent creating greater hardships or more healthcare bureaucracy for patients as they seek to get prompt and effective care, says Tommy Thompson, secretary. Further, he said the rule protects the confidentiality of Americans medical records without creating new barriers to receiving quality healthcare.

HHS indicated that the new rules are designed to enhance the protections provided by many existing state laws. According to HHS, Stronger state laws and other federal laws continue to apply, so the federal regulation provides a national base of privacy protections.

Impact on laboratories

The laboratory industry welcomes the modification in the rule, but some concerns still remain, says Elissa Passiment, executive vice president of the American Society of Clinical Laboratory Science, a national organization for clinical laboratory science practitioners.

Mainly, the concerns revolve around making the necessary modifications as required by the rule. For example, if a laboratory is faxing information to a physicians office, there is going to have to be some assurance that the lab is faxing it to a secure fax machine, not one that is sitting in the reception area, she says.

The rule applies to all patient records that are kept in electronic form, but not to those that are on paper. With regard to a laboratorys information system and its security, most laboratories are going to take care of this as hospitals take care of their higher information systems. These systems no longer exist separately, and the full burden (of the rule) isnt going to fall just on the laboratory, Passiment explains.

The ultimate goal is to make sure that there is a good enough firewall so that nobody can come in and get access to results or records of any of the patients, she adds.

Here are some of the specific requirements of the final regulation:

Patients must grant permission before entities covered by the regulation could use or disclose protected information in most nonroutine circumstances, such as releasing information to an employer or for use in marketing activities.

Pharmacies and health plans must first obtain an individuals specific authorization before sending marketing materials to him or her.

Patients will be able to access their personal medical records and request changes to correct any mistakes. Patients also can request an accounting of nonroutine uses and disclosures of their health information. In addition, they can seek penalties against anyone who misuses the information.

As far as research is concerned, the final rule facilitates the use of a single combined form to obtain informed consent for the research and authorization to use or disclose protected health information for such research.

Most healthcare providers and insurers are required to comply with the rules by April 14, 2003, or face civil and criminal penalties. If a providers office is still charting everything with paper, complying with the new rules can be relatively simple and inexpensive, says Passiment. But the community hospitals are going to find the implementation of this (regulation) somewhat costly, she adds. This is especially true if these hospitals decide they must hire more personnel to comply with the new privacy requirements.

There also is concern that providers and others covered by the regulation dont have enough time to make the necessary adjustments. The American Association of Health Plans is urging the Bush administration to work with health plans and providers on a transition schedule that reflects the challenges providers and institutions face in implementing the regulation. To date, HHS has not responded to this request.

To help providers prepare for and meet the rules requirements, the HHS Office for Civil Rights (OCR) will continue to conduct outreach and education targeted to health plans, healthcare providers, consumers, and others affected by the rule.

The rule and other useful information is available online at www.hhs.gov/ocr/hipaa.

Joan Szabo is a Washington, DC, freelance writer specializing in
healthcare issues. She has been writing the Washington Report column for MLO for five years.

© 2002 Nelson Publishing, Inc. All rights reserved.