Privacy And Patients: Having Patience With Change

Analyzing and implementing the rule will require time and attention from staff in virtually every department of a health care organization that handles identifiable medical information. The rule's reach is that broad because it requires organizations to develop privacy protection procedures and to train all employees to follow them.

HHS officials issued the proposed privacy rule because Congress failed to enact a national privacy law by the deadline set in the Health Insurance Portability and Accountability Act of 1996, which authorizes HHS to issue regulations in that case. The proposed rule governs only the confidentiality of identifiable electronic health information and paper-based information printed from electronic sources. HIPAA gives only Congress the authority to enact a privacy law that covers all medical records.

HHS faces a Feb. 21, 2000, deadline for publishing a final privacy rule, which would go into force 26 months after publication for most health care organizations. But few industry observers expect the department to meet that deadline.

Congress can at any time enact a privacy law that would supersede the rule. Sen. James Jeffords (R-Vt.), chair of the Senate Health, Education, Labor and Pensions Committee, has vowed to continue working toward passage of a bill, but lawmakers are far from reaching the consensus necessary for approval of such a bill.

The proposed privacy rule is separate from a final federal rule, also mandated by HIPAA and expected to be published this month, to ensure the security of all electronic health data. The privacy rule, or a privacy law enacted by Congress, will govern how patient-identifiable health information may be used and disclosed. The security rule, on the other hand, will govern how that confidentiality is protected, by requiring safeguards for the security and integrity of electronic health data.

Confusion reigns

The core principles behind the proposed privacy rule are three provisions common to virtually all privacy bills before Congress. These are: the requirement of informed patient consent to release identifiable information beyond what is necessary for payment, treatment and health plan operations; the right of patients to examine their medical records and request corrections; and requirements to track information disclosures.

Some provisions in the proposed rule are quite clear, such as the definition of what constitutes “electronic information.” Many provisions in the rule, however, are vague and confusing.

For instance, the definition of “health plan operations” is quite broad. Health plan operations are oversight activities, such as case management and outcomes analysis, that payer organizations say are necessary to increase the quality of care while keeping costs in line.

But Donald Palmisano, M.D., a New Orleans surgeon and trustee of the Chicago-based American Medical Association, calls the definition “a dangerous catch-all” that may permit banks and insurance companies to share medical information without patient consent.

Legislation awaiting President Clinton’s signature would permit financial institutions and insurers to merge. Clinton has said he will sign the bill.

The proposed privacy rule is also confusing about how it ensures that business partners of providers and payers protect patient confidentiality. One section requires business partners, including attorneys, auditors, consultants, clearinghouses and billing firms, to sign contracts agreeing to comply with the privacy rule. But another section indicates there are no restrictions on business partners.

The proposed privacy rule includes a fiscal impact analysis that estimates implementation will cost between $1.8 billion and $6.3 billion over five years.

That’s far below a $43 billion implementation price tag resulting from a recent analysis for the Blue Cross and Blue Shield Association. Both analyses used conservative projections and acknowledge that the real price tag could be considerably higher.

Saving money

But the department’s analysis also projects cost savings from individuals seeking treatment sooner because they are more confident their medical records will remain private. For instance, the nation could save $208 million to $1.67 billion annually through earlier treatment of mental health disorders, according to the analysis.

“Confidentiality is a key component of trust between patients and providers, and some studies indicate that a lack of privacy may deter patients from obtaining preventive care and treatment,” according to the HHS analysis. “For these reasons, traditional approaches to estimating the value of a commodity cannot fully capture the value of personal privacy.”

Proposed Privacy Rule Provisions

Covers identifiable medical records created by health care providers, insurers and claims clearinghouses that are either transmitted or maintained electronically. Paper printouts created from these electronic records also are covered under the rule.

Requires covered entities to disclose only the amount of information necessary for the intended purpose.

Permits a covered entity to use and disclose information stripped of identifiers in any way, as long as it does not disclose the key or other mechanism that would enable the information to be reidentified. A covered entity could use or disclose a key only as it could use or disclose the underlying information.
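The distinction the rule draws between the de-identified data and the “key or other mechanism” that re-identifies it is worth making concrete. The following Python example is added here and is not part of the article or of the proposed rule. It replaces direct identifiers in constructed sample records with a keyed pseudonym (HMAC-SHA256 under a secret key) and keeps the re-identification table separately. The field names, the sample records and the choice of which fields count as direct identifiers are assumptions made for illustration; the rule's own list of identifiers is not reproduced on this page.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration; not data from the article.
SAMPLE_RECORDS = [
    {"mrn": "MRN-000123", "name": "A. Example", "dob": "1961-04-09", "dx": "F32.1"},
    {"mrn": "MRN-000456", "name": "B. Example", "dob": "1978-11-30", "dx": "E11.9"},
    {"mrn": "MRN-000123", "name": "A. Example", "dob": "1961-04-09", "dx": "I10"},
]

# Fields treated as direct identifiers in this example (an assumption; the
# proposed rule's own identifier list is not reproduced on the page).
DIRECT_IDENTIFIERS = ("mrn", "name", "dob")


def pseudonym(key: bytes, mrn: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the medical record number.

    Without `key` the pseudonym can be neither reversed nor regenerated,
    so a recipient of the released data cannot rebuild the link to the patient.
    """
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    """Strip direct identifiers and replace them with a keyed pseudonym.

    Returns (deidentified_records, reidentification_table). The table, like the
    key, is the "key or other mechanism" the rule says must not be disclosed
    along with the de-identified data.
    """
    deidentified = []
    table = {}
    for rec in records:
        pid = pseudonym(key, rec["mrn"])
        table[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        out["pid"] = pid
        deidentified.append(out)
    return deidentified, table


def reidentify(deidentified_record, table):
    """Restore the identifiers; only the holder of the table can do this."""
    rec = dict(deidentified_record)
    rec.update(table[rec.pop("pid")])
    return rec


def has_direct_identifiers(records) -> bool:
    """True if any released record still carries a direct identifier field."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # kept by the covered entity, never shipped with the data
    released, rid_table = deidentify(SAMPLE_RECORDS, key)
    print(released)                 # safe to hand to a recipient
    assert not has_direct_identifiers(released)
    assert released[0]["pid"] == released[2]["pid"]   # same patient stays linkable
    print(reidentify(released[0], rid_table))         # requires the table
```

The released records remain useful for the oversight and analysis activities the article describes (the two records for the same patient still link through the pseudonym), while the HMAC key and the table are exactly what the provision is about: whoever holds them can re-identify every record, so they must be stored, used and disclosed under the same constraints as the underlying identifiable data.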

Preserves state privacy laws that are more stringent and enables states to enact stronger laws in the future. Leaves intact state laws governing parental rights to health information about minor children.

Prohibits conditioning treatment, health plan enrollment or payment on a requirement that an individual authorize use and disclosure of their psychotherapy notes.

Specifies procedures law enforcement agencies must take to obtain identifiable health information. Previous recommendations from the Clinton Administration included no restraint on law enforcement access to information.

Requires all researchers, public and private, to obtain approval from an institutional review board before using identifiable information. This extends the Common Rule, which governs how federally funded research projects must protect the confidentiality of identifiable information, to privately funded research as well.

Permits provider and payer organizations to disclose to financial institutions, without patient authorization, identifiable information necessary for processing payments for health care and health care premiums. Financial institutions offering specialized services to the health care industry, such as claims management and billing support, must comply with the privacy provisions.

Defining Electronic Information

“Electronically transmitted information” includes information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, or by transmissions over the Internet, extranets, leased lines, dial-up lines, private networks, telephone voice response and faxback systems.

“Electronically maintained information” means information stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk or compact disc optical media.

The definitions do not include paper-to-paper faxes, person-to-person telephone calls, video teleconferencing or voice mail messages. The key concept that determines if a transmission meets the definitions is whether the source or the target of the transmission is a computer.
