Health Information Compliance Alert

Every relationship requires communication. The NCVHS’ bond with HHS was no different when it submitted a detailed letter to Secretary Tommy Thompson explaining it needed help concerning implementation of the privacy rule.

The National Committee on Vital and Health Statistics Nov. 25 wrote a letter to Department of Health and Human Services’ Secretary Thompson seeking further aid with implementation of the Health Insurance Portability and Accountability Act.

Despite finding widespread support among covered entities for the goals of the privacy rule, the NCVHS was discouraged by dozens of testimonies in recent hearings in Baltimore and Salt Lake City that expressed “an extremely high level of confusion, misunderstanding, frustration, anxiety, fear, and anger as the April 14, 2003 compliance date nears.”

Much of the testimony — delivered before NCVHS’ Subcommittee on Privacy and Confidentiality — expressed anxiety over preemption analyses, the lack of vital model compliance forms and generally the complexity of compliance responsibilities. Some even suggested that since HIPAA compliance was so time-consuming and ultimately too costly a requirement, some covered entities would exercize a “catch me if you can” disposition.

In response to the disturbing testimony, the NCVHS issued its own recommendations to HHS for implementing the privacy rule. The letter broke down the committee’s proposal into five sections: coordination and collaboration, education, outreach and technical assistance, regulation and enforcement, guidance, and additional resources necessary for implementation of the Administrative Simplification provisions of HIPAA. According to the letter, some of the specific measures the NCVHS requested include:

• Coordinating education and outreach.The HHS Office for Civil Rights and the Centers for Medicare & Medicaid must coordinate and collaborate with each other to facilitate the delivery of HIPAA answers to covered entities.

• Providing technical assistance. Aimed at helping covered entities with unique compliance demands, the OCR should establish “covered entity teams” to assist certain professionals and industry sectors with compliance quagmires.

• Revamping OCR’s Website. OCR’s frequently asked questions page needs improvement. Not only should the OCR expedite its response time to HIPAA questions, it should tailor the questionsto the needs of specific entities.

• Alleviating the burden of individually undertaken preemption analyses. OCR must provide the underlying principles behind HIPAA preemption by assisting in the publication of state preemption analyses.

• Creating materials for public distribution that educate the public with respect to the privacy rule. OCR’s public education “needs to proceed along many tracks, including editorial briefings, extended radio and television interviews, feature articles, and town meetings,” the letter noted.

• Funding research to analyze the effects of the privacy rule. CEs needs to see clearly what form HIPAA enforcement will take.

• Clarifying OCR’s view on certification. The OCR should issue a statement reinforcing its position that vendors’ products cannot certify compliance.

• Offering guidance, guidance, guidance. OCR “should draft and make widely available model forms and templates, including state-specific, industry-specific, and profession-specific forms. Such forms should include model notices, model authorizations, and model acknowledgments of notices received. In addition, OCR should consider publishing standardized gap assessment guides, simple checklists, a HIPAA practice management handbook, and time-lines to assist covered entities,” the NCVHS requests.

Editor’s Note: The items listed above represent only a few of the committee’s concerns regarding HIPAA implementation and compliance. To view the NCVHS’ letter and recommendations in its entirety, go to http://ncvhs.hhs.gov/021125lt.htm.