
HIPAA Compliance and Health Privacy
Privacy Compliance Deadline April 14
HPP Launches Privacy Complaint Monitoring Initiative
HPP to monitor HHS enforcement of New
Medical Privacy Law
PRESS RELEASE
Tuesday, April 8, 2003
Today the Health Privacy Project (HPP) announces the launch of
its HIPAA privacy complaint monitoring initiative. With this initiative
HPP will monitor the oversight and enforcement of the HIPAA privacy
rule by the Department of Health and Human Services' Office for
Civil Rights (OCR), to ensure that patients' privacy rights are
enforced effectively. HPP has posted a model complaint form
on its website and is asking the public to provide HPP with copies
of complaints submitted to OCR. OCR has yet to post an online
complaint form, even though most health care providers and health
plans are required to comply with the new privacy law by April
14, 2003.
Under the rule, individuals do not have a private right of action.
Instead, the law provides that individuals must direct their complaints
to HHS' Office for Civil Rights. HHS has the authority to impose
civil and criminal penalties if covered entities are determined
to be in violation of HIPAA. HHS officials have said that enforcement
would largely be driven by complaints and that "voluntary compliance
is the most effective way to [protect personal health information],"
signaling to many in the health care industry that HHS does not
intend to vigorously enforce the law. HPP will track the number
and types of complaints and will monitor how effectively the Office
for Civil Rights investigates and resolves complaints.
"We want to ensure that patients' rights will be safeguarded and
that the Office for Civil Rights lives up to its responsibility
to enforce the HIPAA privacy rule vigorously. Given that HIPAA
does not give people the right to sue, individuals must rely on
the Bush administration to represent their interests," said Janlori
Goldman, Director of the Health Privacy Project. "Our monitoring
initiative is intended to ensure that consumers' voices are heard."
The HIPAA privacy rule, the first major federal law to protect
the privacy of people's medical records, grants consumers a number
of significant new rights, although in less sweeping form than most
patient advocates pressed for. Among other changes, as of April 14:
- people will receive a "notice of information
practices" from their providers and plans explaining their new
rights and how their information will be used;
- patients must be given access to their
medical records upon request;
- health care providers and plans are barred
from disclosing identifiable health information to employers;
- psychotherapy notes are given special,
heightened protections before they can be shared with providers;
- hospitals must give patients the chance
to opt out of having both their name and health status publicly
available in the hospital's directory; and
- law enforcement must present some form
of legal process before they can obtain access to health information.
For more information, contact:
Janlori Goldman, Director
Health Privacy Project
202-721 5632
http://www.healthprivacy.org
* * *
The Health Privacy Project is a non-partisan non-profit 501(c)3
organization dedicated to protecting privacy in the health care
arena, with the goal of promoting increased access to care and improved
quality of care. The Project also staffs the Consumer Coalition
for Health Privacy, a diverse network of over 100 consumer, disability
rights, patient, labor and health care provider organizations engaged
in the national and local debate on health privacy.
* * *
As of April 14, 2003, most health care providers, hospitals, health
plans and their business associates must be in compliance with the
HIPAA medical privacy regulations (http://www.hhs.gov/ocr/hipaa/privacy.html).
The law, which was finalized at the end of the Clinton administration
and allowed to go into effect nearly two years ago by President
Bush, will have a major impact on both consumers and health
care organizations.
New federal privacy rights will be available to health care consumers,
although in less sweeping form than most patient advocates pressed
for, and providers and health plans will have to adopt a set of
rules and safeguards that promise to bring a large measure of uniformity
and predictability, as well as short-term burden, to the collection
and use of patients' medical information. Although it remains to
be seen whether and how vigorously HHS' Office for Civil Rights
will oversee and enforce the privacy regulation, there is no doubt
that after April 14, certain key changes should be visible and in
place.
Those changes include:
- Anyone entering a doctor's office or hospital,
or applying to a health plan for benefits, must be given a "Notice
of Information Practices" that states the new rights mandated
by the law, and explains how the "covered entity" intends to
use and disclose the individual's health information. The regulation
requires that a good faith effort be made to get people to acknowledge
they have received the notice by signing it. The signing of
the notice (a requirement put in place after the Bush administration
removed the consent requirement from the Clinton version) is
intended to increase the likelihood that people will actually
receive and read the notice. It would be a good idea for the
health care industry to post these notices on a Web site so
that consumers could review them in advance.
- People must be given access to their medical
records. Although most states grant people this right, state
laws are inconsistent and not well-enforced. The federal law
requires that people be able to see, copy and supplement their
records. Health care organizations must comply with the request
within 30 days, and a reasonable fee may be charged. The new
access rule may spur health care organizations to develop secure
systems for people to access their records online, saving time
and money for all involved.
- Health care providers and plans will be
barred from disclosing identifiable health information to employers.
Also, employers acting in their capacity as health plans or
providers (in the context of a self-insured company, for instance)
are directly covered by the rules. However, because employers
are not directly covered by the rule when not wearing the hat
of a covered health plan or provider, information they collect
as part of an Employee Assistance Program, or through a pre-
or post-employment physical, is outside the scope of the privacy
law.
- Psychotherapy notes will be given special,
heightened protections, and mental health providers will be
able to refuse to disclose their notes to health plans without
first obtaining a patient's voluntary authorization. Health
plans may not condition the delivery of benefits or enrollment
on obtaining authorization from an individual.
- Hospitals must give patients the chance
to opt out of having their name and health status publicly
available in the hospital's directory, and must allow patients
to limit the hospital's sharing of medical information with
family members. The presumption continues to be that certain
limited information about hospital patients will be shared with
the public and family members, but people will now have the
right to bar those disclosures.
- In most cases, law enforcement officials
will have to present some form of legal process (warrant, subpoena
or summons) before a covered entity can disclose protected health
information to them. This new requirement fills a void where
no such federal safeguard existed before. But virtually all
health care stakeholders argued for tougher limits on law enforcement's
access to medical records.
- Medical information must be more securely
collected, shared and stored by health care providers, plans
and information clearinghouses, which must put in place appropriately
scaled technical and administrative safeguards.
- HHS' Office for Civil Rights will receive
complaints from individuals who believe their rights under the
regulation have been violated. HHS has the authority to impose
civil and criminal penalties if covered entities are determined
to be in violation of HIPAA. HHS officials recently have said
that they believe "voluntary compliance" with the law is ideal,
signaling to many in the health care industry that HHS does
not intend to vigorously enforce the law. Given that HIPAA does
not give people the right to sue, individuals must rely on the
Bush administration to represent their interests.
- State laws that are more stringent than
the privacy regulation will continue to stand. However, just
this week HHS announced it would review requests from state
officials to allow certain state laws that are "contrary" to
the regulation to remain in place, where the state can show
that it is impossible to implement both the state and federal
law.
- The regulation includes a much wider range
of responsibilities for covered entities to follow, such as
designating a privacy officer and training employees to adhere
to the rule.
One of the major shortcomings of the privacy rule is still that
the marketing of health-related products and services is legal,
without any notice to consumers that the letters from their pharmacy
may be an advertisement paid for by a drug company, and with no
right for consumers to opt-out of getting these ads.
HIPAA privacy: Myths vs. reality
Even after a 24-month implementation phase, misinformation and confusion
about some of the rule's core provisions abound. For instance, some
doctors and hospital officials claim that the privacy regulation
prohibits providers from communicating with patients by e-mail.
The truth is that the regulation anticipates, and truly encourages, e-mail
between practitioners and patients, provided a secure network is
used and the messages are encrypted. In fact, the rule expressly
allows patients to request "alternative means" of communicating.
Other voices maintain that hospitals will be barred from giving
out patient information to the public, thus keeping friends and
family from reaching their loved ones. Again, the regulation established
the opposite legal presumption. The hospital may continue to share
information about patients (both location and health status, as
well as more detailed information with family), unless the patient
has specifically asked that such information not be shared.
Similar misreadings appear to be common and include such myths as
"the privacy rule will impede efforts to prevent and respond to
a bioterrorist attack" (legal scholars and authors of the regulation
have concluded otherwise) and "clinical research will be jeopardized
because covered entities will be reluctant to share data." Nothing
in the rule supports such skittishness, and HHS should issue guidance
reassuring the research community and covered entities.
HHS Initiatives Needed
A number of initiatives must get underway immediately to ensure
that the regulation is put in place, without being unnecessarily
over- or under- interpreted. First, HHS must play a more aggressive
role in publishing guidance, responding to questions and publishing
clarifications to HIPAA. They should make all of this available
online. HHS also must reach out to health care organizations and
consumers to publicize the scope of the law and offer technical
assistance on implementation. And, HHS must be vigilant in overseeing,
monitoring and enforcing the rule. Complaints should be made publicly
available, investigated and resolved. The only way to eventually
achieve significant voluntary compliance is for HHS to insist, through
its own actions, that full compliance is expected, and that failure
to comply will have true consequences.
What You Need to Know About HIPAA Compliance!
By Jim Cavagnaro
HIPAA - the Health Insurance Portability and Accountability Act
- is a federal law developed, in part, to define and regulate
the use of healthcare information in the United States. Entities
that provide, pay for or supply health services, medications or
equipment, as well as their business partners and vendors, are
affected by this new set of regulations. This article summarizes
the work that needs to be done to meet requirements necessary
to become HIPAA compliant.