The New Health Information Privacy Regulations: Comment Period Re-Opened

March 2001

A bureaucratic snafu by the Clinton administration as it hastily issued sweeping health information privacy regulations on December 28, 2000 has resulted in a delay of the effective date of the regulations from February 2001 to April 2001. The Clinton administration apparently forgot to send the regulations to Congress as required. Meanwhile, the Bush administration's Secretary of Health and Human Services, Tommy Thompson, took the opportunity to open a 30-day public comment period in order to obtain further public feedback on the regulations. The Clinton administration had issued the privacy rules in the midst of a flurry of last minute regulations before Clinton left office. Details about the comment period are forthcoming.

Many in the health care industry welcome the announcement. Insurance, hospital, and pharmacy groups have criticized the regulations as being too complicated and burdensome. Indeed, the privacy regulations, as they were issued on December 28, were broader than expected. They could potentially require most health care entities to not only overhaul internal record keeping requirements, but also to retrain staff, hire additional staff, develop and implement privacy policies, and even develop sanction procedures for employees who do not comply with the new privacy policies. The regulations, as they are currently written, will be enforced by the Department of Health and Human Services Office of Civil Rights. There are both civil and criminal penalties for violations of the rules with fines up to $250,000 and imprisonment for up to ten years. 

Covered Entities

The health care industry is so concerned about the regulations because they could have a major impact on the daily practices of health care providers, health plans, and health care clearinghouses. The regulations currently apply to more than just health information in electronic form; they apply to health information in any form - written, electronic, or oral. They protect any individually identifiable health information transmitted or maintained in any form.

The regulations could also impact the business associates of these entities because the organizations subject to these requirements will be required to enter into written contracts with all of their business associates that include lengthy and detailed privacy protection requirements that obligate the business associate to maintain the privacy of individual health information. 

Use and Disclosure Requirements

The regulations include strict requirements limiting the use of individual health information. With certain limited exceptions, patient permission is required before an organization may make any use of individually identifiable health information. In general, any disclosure of individual health information must be restricted to the minimum necessary to accomplish the purpose behind the disclosure.

There are two types of permission required by the current regulations - "consent" and "authorization." A consent is required for the basic activities related to the treatment of a patient. This includes the use or disclosure of health information for the actual treatment of patients, payment for care, and even the organization's own use in its basic health care operations. In other words, every doctor's office would have to obtain a consent from a patient before commencing treatment, submitting bills to the patient's insurance company, or even accessing the patient's health information for the office's own internal purposes. By contrast, any other use or disclosure of the individual's health information would require a more detailed "authorization" from the patient. 

Administrative Requirements & Patient Rights

The regulations also articulate numerous patients' "rights" that would require all entities affected by these regulations to maintain detailed records, develop privacy notices for patients, and to both develop and adhere to strict privacy policies. The privacy policy notice that a covered entity would be required to give to patients must describe the entity's privacy policy in detail. The notice must also inform patients how to file complaints with the covered entity and with the Office of Civil Rights, as well as the name of the "Privacy Officer" at the entity who can assist the patient with a question or concern.

Patients would further have a right to access and, to a certain extent, control their protected health information. All covered entities would have to keep a record of all uses and disclosures of a patient's health information and this record would have to be made available to patients upon request. Patients may receive one free "accounting" per year of uses and disclosures of their health information, and the accounting would have to be provided within 60 days of the patient's request. The regulations also provide patients with the right to access and inspect their health records as well as to request amendment of their health information. Organizations would also have to develop detailed privacy policies and procedures. 

Privacy Officer

Finally, the rules address human resources issues in health care organizations. The rules, as they currently exist, require covered entities to designate a "privacy officer" to serve as a contact person for patients, provide privacy training for all employees, and implement safeguards to prevent intentional or accidental misuse of health information. Health care organizations would even have to develop procedures for sanctioning employees who violate privacy requirements. 

Conclusion

Although the Department of Health and Human Services may modify the regulations, it is unlikely that the Department will do away with the regulations altogether. Many Americans are concerned about health information privacy and, thus, it would be politically unpopular for the Bush administration to completely undermine the regulations. In any event, as consumers continue to demand increased privacy protection, particularly in the area of individual health information, many states are likely to jump on the health privacy bandwagon and enact additional consumer privacy protections.