Health Information Compliance Alert

Health care providers are weighing in on proposed modifications to the Health Insurance Portability and Accountability Act's privacy rule, and the verdict so far appears to be "good, but could be better."

Provider associations are for the most part lining up to support the proposed changes published March 27 by the Department of Health and Human Services. However, all of the groups are expressing concern that the proposed changes do not go far enough in certain directions.

In an April 12 letter to Congress, a group of 52 health care providers and medical and business orgainzations including the American Association of Health Plans, the American Academy of Family Physicians, the Association of American Medical Colleges and the Federation of American Hospitals applauded the proposal that would remove the mandatory consent requirement as a "workable compromise."

Under the proposed change, health care providers wouldn't need to obtain the prior consent of patents to use or disclose identifiable health information for treatment, payment and healthcare operations. Instead, providers must only make a "good faith effort" to obtain patients' acknowledgement that they had been provided with a notice of their provider's privacy practices. The American Hospital Association called the new acknowledgment requirement a "common-sense modification that protects the intent of the privacy rule without erecting a barrier to care."

The only discordant note in the chorus of approval came from the American Medical Association, which said it was "concerned" that the patient consent requirement had been removed "instead of modifying it to make it more workable," and urged the administration "to strictly limit the activities for which patient information could be used without consent."

In a separate April 12 letter to lawmakers, many of the same groups also expressed their support for proposed modifications that would allow "facially de-identified" data i.e., data that has been stripped of characteristics that could identify an individual to be released for research purposes. However, at the same time the groups expressed concern that the requirements for de-identification were too stringent, and could interfere with research.

"Some of the characteristics admission, discharge and service dates, date of death, zip code, one or more geographic units smaller that a state do not facially or directly identify an individual," the group said, "but they are key data elements for conducting medical research." Admission dates, discharge dates and dates of death, the groups note, are routinely used in epidemiological studies and could be critical in identifying a sudden onset of symptoms that could signal a bioterrorst attack.

Many provider groups have also been vocal in their support of HHS's proposal that would effectively extend the compliance date for implementing the privacy rule's business associate contract provisions. Under the proposal, covered entitites can continue to operate under existing business associate contracts until April 14, 2004 so long as those contracts meet a few simple conditions.

However, some groups have argued that the extension is not particularly helpful, since it doesn't relieve covered entities of their responsibilities with respect to business associates that kick in on the original compliance deadline of April 14, 2003. In prepared testimony before the Senate Committee on Health, Education, Labor, and Pension's April 16 hearing on the proposed changes to the privacy rule, the Alliance of Medical Societies charged that the one-year extension "provides a false sense of flexibility."

And while applauding the extension, the AMA and the AAMC both urged HHS to drop entirely the requirement that covered entities enter into business associate contracts. AAMC proposed instead that HHS "develop a certification program for suppliers that would eliminate the need for many business associate contracts."