In a decision that surprised many in the healthcare industry, the Bush administration allowed the privacy standards of the 1996 Health Insurance Portability and Accountability Act (HIPAA) to take effect as planned on April 14, 2001. Because the Bush administration and Congress had delayed or repealed several other regulations issued near the end of the Clinton administration that were considered unfavorable to business interests, speculation was rampant that the privacy rule's effective date would be postponed, as well. This speculation intensified when HHS Secretary Tommy Thompson reopened the rule's comment period during March.
The decision not to delay the rule's effective date means that healthcare financial managers should forge ahead aggressively with plans to bring their entities into full compliance with the rule by April 2003. (Small health plans have an additional year to comply.) Among the many implementation requirements, healthcare entities must adopt written privacy policies and procedures that define how they intend to abide by the highly complex regulation and protect individually identifiable health information. Each entity also must ensure that all staff who may be required to handle HIPAA-protected health information receive training on the entity's policies and procedures and understand the consequences of noncompliance. In addition, each organization must designate a privacy officer to implement and enforce its privacy policies, as well as a contact person to handle complaints.
Despite the decision not to delay the effective date of the rule, President Bush said he shared some of the concerns expressed by the rule's critics. Under current law, once the standards have been in place for a year, HHS can make modifications to them. At Bush's request, Secretary Thompson said he will 'consider any necessary modifications that will ensure the quality of care does not suffer inadvertently.'
One provision that is likely to be modified deals with how information is communicated orally. This provision is thought to inhibit physicians' ability to share essential information with each other, clinical teams, nurses, and, to some extent, their patients. Other provisions that may be modified are those dealing with patient consents and authorizations. These provisions require physicians to obtain a patient's consent before releasing personally identifiable information for treatment or routine administrative purposes and the patient's authorization before releasing such information for nonroutine purposes. The provisions also limit the amount of information that can be disclosed.
Another controversial provision of the final rule that may be modified requires that healthcare providers ensure their business associates also agree to comply with the privacy standards. This requirement could create serious difficulties for healthcare providers that have contracts with multiple business associates in that it will force providers to rework each contract affected by the standards. Thompson further indicated that modifications might be made to allow parents easier access to health information about their children. Notably, this access includes information about substance abuse, abortion, and mental health.
During his April 1 2, 2001, announcement of the decision to move forward with the privacy rule, Thompson pledged to issue implementation guidelines to clarify some of the confusion regarding the rule's impact on healthcare delivery and access. Further, in testimony before the House of Representatives' Energy and Commerce Committee on April 26, 2001, Thompson stated that he would provide covered entities with clarification of the regulation sometime in May. (At press time, HHS had not yet released the clarification of the rule.) To read Thompson's testimony, go to http://energycommerce.house.gov/107/hearings/04262001 Hearing 195/Thompson249.htm.
The final privacy rule was published in the December 28, 2000, Federal Register. It originally was slated to take effect February 26, 2001, but the effective date was delayed until April 14, 2001, due to an administrative error.
