Going Public on Patient Privacy

In the recent movie Enemy of the State, actor Will Smith has a turbulent experience with the federal government's lack of control regarding the privacy rights of an individual citizen.

While the movie may be a far cry from the real world, the release of President Clinton's executive order on Oct. 28, 1999, and the subsequent release of regulations in the Federal Register on Nov. 3, 1999, have put in full swing the real turbulence regarding patient privacy and health care organizations.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addressed several issues that would have an impact on technology and health care. One issue is the format of the transfer of information.

Currently, the issue is patient privacy. HIPAA required that legislation on patient privacy standards be created no later than Aug. 21, 1999. In its absence, the Department of Health and Human Services (HHS) would have the ability to regulate patient privacy issues.

As expected, Congress failed to act by the deadline, and the regulators now have an opportunity to set policies. One benefit of the proposed regulation is that health care information technology (HIT) companies can begin the process of completing new system tools to become compliant with the requirements. This will improve the HIT sector that had been weakened by Y2K concerns.

The bad news is payers and other health care institutions will pay for the changes. As for the patient, the regulations should allow the transfer of medical information in a secured manner.

Software vendors offering to transfer patient data via the Internet will also benefit by being HIPAA compliant.

Summary of Proposed Privacy Regulations

According to the Federal Register, the proposed rule applies only to electronic information; however, computerized records that have been copied to paper also are covered. A summary of the 39 pages of comments can be found at http://aspe.hhs.gov/admnsimp/pvcsumm.htm.

The regulations are designed to address the following:

  • allow health information to be used and shared easily for treatment and for payment of health care
  • allow health information to be disclosed without an individual's authorization for certain national priority purposes, such as research, public health and oversight but only under defined circumstances
  • require written authorization for use and disclosure of health information for other purposes
  • create a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access

The rule, which is expected to preempt weaker state privacy provisions but keep stronger ones in place, restricts the use and disclosure of medical information and imposes civil and criminal penalties, including imprisonment, for violations.

Currently, the rule has a 60-day comment period while HHS faces a Feb. 21 deadline to publish a final version.

The Good

The Chicago-based Blue Cross and Blue Shield Association (BCBSA) does support several features of the Clinton administration's proposed privacy rule. The association is pleased the rule includes a statutory authorization, said Allisa Fox, executive director for policy.

This means that an individual purchasing health insurance agrees to permit the use and disclosure of identifiable information for purposes of treatment, payment and health plan operations. Usage of identifiable information for other purposes would require separate patient authorizations.

In addition, the proposed rule does not require health care providers to track treatment and payment-related disclosures among other providers, which reduces the administrative burden, Fox said.

In addition, the proposed rule limits the copying and presentation of medical records for patient inspections to what is called a "designated record set." This generally includes records retrievable by patient name or identification number, which means patients will more likely receive bona fide medical records and not administrative documents.

The Bad

A major concern for the association is language in the proposed rule requiring business partners of providers and payers to sign contracts agreeing to comply with the rule.

"You basically have to audit all of your business partners or you are liable for their actions," Fox said. "A health plan has thousands of partners."

For example, if a physician sends billing data to a billing firm, and the firm creates claims and forwards them to a health plan, the billing firm now is a business partner of the plan, Fox said.

Six associations representing providers, payers and software vendors have asked Clinton to extend the time period for submitting comments on the administration's proposed medical information privacy rule.

The groups are the American Association of Health Plans (AAHP), American Hospital Association (AHA), American Medical Association (AMA), Association for Electronic Health Care Transactions (AEHCT), Blue Cross and Blue Shield Association, and Health Insurance Association of America (HIAA).

"Given the far-reaching implications of these proposed regulations for our health care delivery system as well as the significant effect on patient privacy protections, we believe it is essential that our organizations have adequate time to prepare thoughtful and thorough comments," stated a November 11 letter to Clinton from a consortium of payers.

The Ugly

The ugly part of this ruling will likely be the cost of compliance. Implementation of the Clinton administration's proposed medical information privacy rule will cost $3.8 billion, according to an analysis for the Blue Cross and Blue Shield Association.

This is much higher than the federal government's estimates. Both analyses used conservative projections and acknowledged the real price tag could be considerably higher.

For example, in a fiscal impact statement accompanying the privacy rule, HHS did not include costs for several provisions that would impose new procedures in the health care industry.

These include the requirements that provider and payer organizations monitor their business partners to ensure compliance with the privacy rule and that they designate a privacy official.

HHS acknowledges its cost estimate is rough and says implementation costs will range between $1.8 billion and $6.3 billion during five years. But the agency also expects cost savings resulting from individuals getting treated faster for medical conditions because of higher confidence that their medical records will remain private.

For example, the nation could save $208 million to $1.67 billion annually due to early treatment of mental health disorders, according to the fiscal impact statement. The department also expects substantial savings as more individuals undergo screening procedures for cancer and other diseases knowing they will not be subject to possible discrimination by their employer or insurer.

Wrong Way Thinkers

Despite the cost to implement, the proposed ruling is considered by many to be a step in the right direction. However, since the current regulations will only apply to electronic records, the electronic medical record software industry may be dealt a blow by health care providers that refrain from moving forward with computerized charts in order to avoid any threat of legal action.

Hopefully, these types of anti-technology concerns will be short-lived, and the health care professional will continue to see the value in automation over the manual process despite the additional security issues, issues that have long been overdue to be addressed at the federal level.

Home Health Products, Vol. 8, No. 4, p. 11

This article originally appeared in the April 2000 issue of HME Business.
