Health Information Compliance Alert

HIPAA Privacy:

PRIVACY RULE CHANGES WELCOMED, BUT SOME ISSUES STILL FUZZY

You can't please all the people all of the time, they say, but the Department of Health and Human Services came through for HIPAA covered entities with its changes to the privacy rule.

The HHS issued final changes to the privacy rule that seek to give patients "sweeping protections over the privacy of their medical records," the department said in an Aug. 9 release. Those changes include modifications to marketing restrictions and business associate agreements, elimination of separate authorization requirements, and the abandonment of the consent requirement for all covered entities, among other changes (for an overview of the changes, see article 6).

The changes have generated nearly palpable sighs of relief bundled with minor criticisms from all those struggling to reach compliance with the regulation.

Among those affected by the modifications is Tara Shewchuk, corporate compliance officer with Chicago-based Resurrection Health Care. She says the HHS had earlier promised covered entities at least six months between the final rule and the effective date, so she's delighted to have an extra two months to prepare.

Shewchuk plans to use that extra time to implement compliance efforts. For example, she says that before the HHS issued the final requirements to the rule, she had planned to shoot two alternate segments for a portion of a HIPAA training video, parts of which were tailored to comply with the consent requirements. Since the HHS flushed the consent rule in the final version, there's no need for Shewchuk to craft that version. "Now, we can go ahead and finalize the 'Notice only' version," she affirms.

Health plan associations greeted the final rule with a mixture of relief and reservation. Both the American Association of Health Plans and the Health Insurance Association of America said they remain concerned that the HIPAA regs do not preempt variegated state laws on privacy.

"A federal rule that preempts myriad state privacy requirements can safeguard patient privacy and would reduce burdensome compliance costs," added HIAA General Counsel Jeff Gabardi. "We hope Congress recognizes the need to keep regulatory costs low and acts to create a uniform national standard."   

Plans are probably right to be concerned. "It will not always be clear whether a law" (which could include state constitutions, statutes, rules, common law, court decisions or attorney general opinions) "is contrary to and more stringent than HIPAA's requirements," says privacy attorney Alan Goldberg of Goulston & Storrs in Boston.

On the other hand, "HIPAA requirements will, indeed, preempt lots of state law," he tells Eli. For example, HIPAA's "security requirements and the data code sets/transactions requirements will preempt any contrary state laws," Goldberg says. "Security is particularly challenging, in that privacy and security are related in technology" but different when it comes to preemption: State privacy laws that are contrary to and more stringent than HIPAA will override the regs, but state security laws won't.

Another attorney believes perhaps the most important change to the privacy standards was the removal of the consent requirement to use and disclose health information for treatment, payment and health care operations.

"That's going to be a real benefit to providers to do privacy standards compliance in an efficient way, and also for better patient care, because a lot of providers were very concerned that the consent requirement was going to interfere with them treating patients because you had to get consent before you even used somebody's health information to treat them," notes Kristen Rosati with Coppersmith Gordon Schermer Owens & Nelson in Phoenix.

Additionally, Rosati believes one of the most significant aspects to the privacy rule is that it requires patient permission or authorization anytime a health care provider or health plan wants to use or disclose patients' health information for purposes unrelated to treatment. Fortunately, she says, "that protection is still there."

The HHS says it received more than 11,000 public comments on the proposed modifications issued in March 2002. The department claims the new rule is designed to enhance the protections afforded by many state laws, and the federal law will serve as a "national base of privacy protections."

In addition, HHS promises that the HHS Office of Civil Rights, the agency that will be charged with HIPAA enforcement, will issue guidance on complying with the rule. The OCR's efforts could include technical assistance, fact sheets, handbooks and other materials.

Most covered entities will have until April 14, 2003, to comply with the rule, but that deadline will be extended to April 14, 2004, for some small health plans.

To see the rule, go to http://www.hhs.gov/ocr/hipaa/.
