Government
One year later, mixed reviews for privacy rule
■ Some say there aren't enough protections; others complain of overzealous interpretation.
By Joel B. Finkelstein — Posted May 3, 2004
- WITH THIS STORY:
- » Related content
Washington -- One year after implementation, the federal health privacy rules are still generating controversy.
Privacy advocates say the government isn't doing enough to enforce the rule. Some experts argue that the regulation itself is a problem because it doesn't do enough to protect privacy, while still others say that the health care community is occasionally going too far and limiting legitimate access to patient information.
Despite these varying assessments, federal officials and many in the medical community say they are happy with the progress they have made toward full compliance with the rule.
At last count, the Dept. of Health and Human Services' Office of Civil Rights had received 5,350 complaints -- a steady flow of around 100 a week -- alleging infractions of the privacy rule.
Enforcement of the regulation, which was mandated as part of the Health Insurance Portability and Accountability Act, is complaint driven.
The office has managed to close about 47% of those cases, often with little more than a phone call explaining to the physician or other entity what the rule says and what they need to do to comply.
Physician practices top the of list of those named in privacy complaints, followed by hospitals, pharmacies and outpatient facilities, OCR said.
It's no coincidence that the top four are also the groups having "routine and direct contact" with patients, said OCR Director Richard Campanelli.
Types of complaints
The types of complaints have remained fairly consistent: impermissible use or disclosure of protected health information, a lack of adequate safeguards to protect identifiable information, refusal or failure to provide an individual with access to or a copy of his or her records, the disclosure of more information than is minimally necessary to satisfy a request, and failure to provide the individual with a notice of privacy practices.
Many of these infractions are based on simple misunderstandings of the law. More complex cases are still being processed by OCR, although none has resulted in penalties yet, Campanelli said.
Several dozen cases have been turned over to the Dept. of Justice for possible criminal prosecution. A Justice Dept. spokesman would not comment on their status.
The lack of civil or criminal charges in the rule's first year has some privacy advocates complaining that the government is taking too passive an approach to implementation.
The Washington, D.C.-based Health Privacy Project recently released a HIPAA privacy checkup that gives the Bush administration a failing grade because of "lax enforcement and minimal public education."
Campanelli responded to those allegations. "Our approach is to adopt the most efficient means to make sure that patients get their rights and protections," he said. "We anticipated, and it has proven true so far, that the most effective means of doing that is through voluntary compliance.
"If we feel like we have a problem and we can't get the cooperation of the covered entity in proceeding, those are cases where it's going to be more appropriate to proceed with penalties," he added.
For most doctors, compliance with the privacy rule has been "business as usual," said AMA Trustee Joseph Heyman, MD. The medical profession has always placed a very high priority on patient privacy, he said.
But for physicians in solo and small practices, posting and handing out the notice of privacy practices can be a time-consuming and costly administrative burden, he said.
Aside from that unfunded mandate, instances of overly aggressive interpretation of the privacy rule have caused trouble for some physicians. Stories about immediate family members being refused information about a sick relative's hospitalization or a doctor's inability to get critical medical information about a patient from another physician have appeared in various news media.
"Many in our profession may think that because it's a law, it means they have to do more than they do," Dr. Heyman said.
The rule is really little more than a validation of the privacy considerations that physicians have always embraced, he said. But it offers the benefit that business partners now are bound by the same high standards.
While HHS officials think implementation is going smoothly, they are keeping their ears to ground for problems. Changes to the rule can be made once a year.
Several groups are ready with suggestions. In their checkup, privacy project officials called for lawmakers to give patients an individual right to sue if they are not satisfied by remedial actions taken by the federal government. They point to federal officials' failure to impose civil penalties as one reason why individuals might not be satisfied with the current process.
Some doctors also question last-minute changes to the rule that removed the need to get patient consent to share protected health information among physicians and others.
The California Medical Assn. recently passed several resolutions supporting congressional legislation to restore patients' right to consent and to reaffirm the importance of protecting the confidentiality of not only individual patients but also groups of patients.
Those resolutions were, at least in part, motivated by attempts by the Justice Dept. to subpoena the health records of women who received late-term abortions from several physicians who have sued to stop a "partial-birth" abortion ban from going into effect, said Stephen J. Walsh, MD, an advocate for the measures.
"The [Bush] administration used the rule to say that they can see patients' health records," he said.
In requesting the subpoena, the Justice Dept. argued that "individuals no longer possess a reasonable expectation that their histories will remain completely confidential."
Physicians are concerned that patients no longer can opt out of information sharing with health plans, employers, pharmacists and others.
"Because of the rule, our health records can be accessed by all manner of people without our knowledge or consent," Dr. Walsh said.