By Chris Schreiber

The technology that propelled the U.S. economic boom has inspired faith in the new electronic age. But many of the same technologies that have made investors rich also have made them scared. Public concern over the loss of personal privacy has soared to the point where many Americans, according to a survey conducted last year by the Wall Street Journal, now rank privacy as more worrisome than the threat of terrorism.

The concern isn’t new to the healthcare industry, which has always considered patient records confidential. But the specter of a medical-records Big Brother has fueled a renewed push to secure patient data in ways never before mandated by law.

By September, officials at the Department of Health and Human Services (HHS) expect to announce sweeping final regulations designed to protect all electronic patient records, said Lorrie McHugh, HHS spokeswoman. The pronouncement will mark the end of an arduous task that will be months overdue and is already considered awkward and insufficient by parties on all sides of the issue.

"It’s already clear the statute won’t be able to do everything it needs to do," said Stephanie Reed, RN, associate director of government affairs for the American Nurses Association. "We’re going to need comprehensive legislation, and everyone knows that."

Legislation isn’t expected. In fact, Congressional inaction is what prompted the HHS guidelines. In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), acknowledging the need for oversight of the healthcare industry’s handling of patient records. HIPAA granted Congress a three-year time frame to pass legislation, but also required HHS Secretary Donna Shalala to "promulgate health privacy regulations in lieu of timely action by the Congress." The HHS took incremental steps in the ensuing years to address the issue before opening its preliminary regulations to a public comment period Nov. 3.
Overwhelmed with interest, the HHS extended the comment period to Feb. 17, when the final regulations were supposed to be in place. The next six months will be spent sorting more than 66,000 comments the department received. HHS officials are not allowed to comment on the regulations or potential changes. "It’s way too premature to even guess what they will be," McHugh said.

Comprehensive proposal

As they currently stand, the regulations will be expansive. The rules would apply to health plans, providers, and healthcare clearinghouses and include "all individual identifiable health information which is maintained or transmitted by covered entities and which is or has been in electronic form," according to the regulations. The proposal deals with both security measures and privacy standards. The key distinction between the two is that security limits access to records, while privacy limits disclosure of the records’ content.

"The goal is not to inappropriately restrict access, but to restrict inappropriate access," said Jill Dennis, chair of the Legislative Committee of the American Health Information Management Association, and principal for Health Risk Advantage, a risk-management consulting firm in Colorado. "This is certainly not the only concern, but as we adopt technology, we all have to be concerned with who has access."

Patients normally sign a waiver that allows hospitals to determine who can and cannot access patient records. This can leave patients with no privacy protection at all, said Victor Eleftherakis, MSN, RN, senior clinical analyst at the City of Hope National Medical Center in Duarte, Calif., and president of the American Nursing Informatics Association. Eleftherakis said in hospitals where celebrities are treated, hospital personnel can look in patient records simply out of curiosity.

"That’s why access has evolved into a need-to-know basis," Eleftherakis said. "The ease with which information can be transmitted and disseminated has grown and this can be a real problem. Information leakage has always been a potential problem, but with the advent of rapid communication, it has really scared people."

The regulations attempt to address that fear. But the broad strokes the HHS has designed to alleviate that fear will have a significant but unknown fiscal impact. Hospitals could face big costs simply by installing password-sensitive software that protects records from unauthorized access.

"It’s going to be expensive," Dennis said. "But we’ll begin to see a return on that when some of our paper processes can be done on computers."

Possible patient injury

Many groups, like the American Hospital Association, support security regulations and restricting unnecessary access to patient records, but they argue that the sweeping privacy regulations are too broadly drawn and may lead to patient injury.

"It’s more far-reaching than the [HIPAA] statute anticipated," said Karen Milgate, senior associate director for policy development for the American Hospital Association. "The statute anticipated information shared between providers and payers—billing information. But there are a lot of things that look like protections that just provide another layer of regulation. You don’t need to go this far to establish a solid privacy standard."

Milgate said tighter information restrictions could be harmful to patients. Conversations between providers might be limited so severely for the sake of privacy that important medical history could be excluded, she said. Even seemingly benign information, such as room information or addresses, could not be disclosed.

Others say prevention efforts could fall by the wayside if the regulations don’t change. "The regulations as currently drafted could interfere with the disease management programs which help identify high-risk people," said Richard Coorsh, spokesman for the Health Insurance Association of America.

Coorsh said many of the public’s fears about privacy are unfounded. "People hear about advances in medical technology and in record-keeping technology and they think those advances put their medical records at risk. That’s not the case."

"I’m not sure this isn’t an overreaction," said Karen Greenrose, RN, president of the American Association of Preferred Provider Organizations. "Many times regulations have been written for the exception and not the rule."

Whatever regulations are approved, tighter restrictions on security and privacy will trickle down to the bedside.

"It’s going to affect the scope of our practice," Eleftherakis said. "People want to control information, but to a great degree, there is a myth of privacy. Once you step into the electronic world, there is no turning back."