HIPAA News

AAHP: Industry Needs Transactions Rule Soon
(July 18, 2002) The American Association of Health Plans has joined other industry groups in urging the Department of Health and Human Services to quickly publish final rules modifying the HIPAA transactions and code sets rule. HHS on May 31 published two notices of proposed rules making changes, or NPRMs, to the transactions and code sets rule. Standards maintenance organizations and industry groups suggested the changes. But unless the changes are finalized soon, covered entities will find it difficult to comply with the transactions rule, even by the extended Oct. 16, 2003, compliance date, says Washington-based AAHP in its formal comments on the modifications.
"Many software vendors have indicated that they will not have 'HIPAA compliant' products available before the final changes to the electronic transactions rule outlined in the NPRMs are adopted," according to the comment letter. "In addition, it will be difficult for health plans to begin testing with their business payers until the NPRMs are finalized. Health plans may require six months or more of testing the new transaction standards before implementing them into their business operations. AAHP strongly recommends that the modifications to the electronic transactions rule be finalized as soon as possible."

The Association for Electronic Health Care Transactions recently told HHS final transactions rules must be published by Feb. 16, 2003, in order to give covered entities enough development and testing time before the compliance date.

Arguments Expected on Privacy Lawsuit
(July 18, 2002) Two state medical societies a year ago filed suit in U.S. District Court in Columbia, S.C., challenging the constitutionality of the medical privacy rule. Now, oral arguments in the case are expected in early August, says Terry Richardson, attorney for the plaintiffs. Regardless of the final ruling, the case likely will land in the 4th Circuit Court of Appeals, predicts Richardson, partner in the Barnwell, S.C.-based law firm Richardson, Patrick, Westbrook & Brickman LLC.
The South Carolina Medical Society, its Physicians Care Network PPO subsidiary, six individual South Carolina physicians and the Louisiana State Medical Society filed suit against the Department of Health and Human Services on July 16, 2001. No other plaintiffs have joined the suit, but many state medical societies and hundreds of physicians have expressed support, according to Richardson. He expects some societies to file supporting briefs at the appellate level.

Court arguments come as HHS prepares in August to publish a final rule modifying the privacy rule, which was published in late 2000. The privacy rule--including pending modifications--has an April 14, 2003, compliance date. The lawsuit, available at www.healthdatamanagement.com/html/news/compliant.doc, challenges the privacy rule on three grounds:

* Section 264 of the Health Insurance Portability and Accountability Act, under which Congress authorized HHS to promulgate privacy regulations if lawmakers did not enact a privacy law, violates the separation of powers clause of the U.S. Constitution, plaintiffs allege. "The statute allowed HHS, an executive agency, to act as federal legislators in drafting and enacting the executive regulations," according to the suit. "As enacted by Congress, Section 264 contains no intelligible principle to guide or limit HHS in the drafting of the regulations."

* The rule's state preemption clause is so vague it violates the due process guarantee of the Fifth Amendment, according to the lawsuit. "As drafted, the preemption clause of Section 264 is impermissibly vague because a person of ordinary intelligence is unable to determine whether state privacy protections are 'more stringent' than the HHS Privacy Regulations," the suit contends.

* Even if the Court upholds the constitutionality of Section 264, the regulations promulgated thereby are unconstitutional because HHS did not have the constitutional authority to expand the privacy rule to include all communications, not just electronic transactions governed under HIPAA, according to the suit.

The South Carolina lawsuit is separate from another suit--dismissed in June--that challenged the privacy rule. The Association of American Physicians and Surgeons, Tucson, Ariz., and four citizens filed their suit last August. The suit alleged the privacy rule violates the First and Fourth Amendments by requiring physicians to allow government access to medical records without a warrant and authorizing government construction of a centralized database of medical records with personal health identifiers.

The suit further alleged the privacy rule violates the Tenth Amendment governing intrastate activities by physicians in using and maintaining medical records for patients. U.S. District Court Judge Sim Lake in Houston dismissed the suit, agreeing with HHS that plaintiffs had not shown injury from the rule. Furthermore, claims the privacy rule will cause injury are premature because the rule has not gone into effect, Lake ruled. The plaintiffs say they will appeal the dismissal.

AFEHCT: Timetable Tight for Transactions Rule
(July 16, 2002) The Department of Health and Human Services in late May published proposed modifications to the HIPAA transactions and code sets rule. The existing rule has a compliance date of Oct. 16, 2003. To meet HIPAA requirements for giving providers and payers enough time to implement changes by the deadline date, a final rule making modifications must be published by Feb. 16, 2003.
In comments recently submitted to HHS, the Association for Electronic Health Care Transactions implores the department to publish the final rule by February, but acknowledges that might be difficult. That's because of potentially lengthy processes for standards development organizations to tweak existing standards and implementation guides, and for federal agencies to approve a final rule for publication.

"Some people in the vendor community believe HHS can meet this timetable," according to the AFEHCT letter. "Others believe this timetable is impossible to meet. If HHS fails to publish these final rules in time, covered entities seeking to be in compliance would be forced to implement standards that won't work."

In its comments, Washington-based AFEHCT asks HHS Secretary Tommy Thompson to use his leadership capabilities to ensure that all parties involved in the rules process perform their duties in a timely manner.

HHS Sets New Schedule for HIPAA Rules
(May 13, 2002) The Department of Health and Human Services on May 13 published its semi-annual regulatory agenda in the Federal Register, showing when it expects to publish HIPAA rules. It should be noted that HHS has consistently missed its own timetables for rules publication.
According to the agenda, HHS will publish the final employer identifier rule in June and the final data security rule in August. It expects to publish proposed modifications to the final transactions rule in June, and the proposed health plan identifier and claims attachment rules in August.

The department has not yet set dates for publishing the final provider identifier rule, or a proposed rule explaining how it will enforce HIPAA.

HHS Outlines Changes to Privacy Rule
(March 21, 2002) The U.S. Department of Health and Human Services will publish a proposed rule on March 27 to modify the final medical privacy rule. In addition, leaders of the House Ways and Means Committee have sent a letter to members of the appropriations subcommittee responsible for the HHS budget asking for $44.2 million in funds to help the department administer and enforce HIPAA provisions. The recently enacted legislation to extend by one year the deadline for the final transactions and code sets rule authorized the money, but appropriations committees in the House and Senate make final decisions on funding issues.
HHS on March 21 issued a fact sheet summarizing proposed changes to the rule, which it will publish in the Federal Register. Following are the contents of the fact sheet.

Consent and Notice: The proposal would promote access to care by removing the consent requirements that would potentially interfere with the efficient delivery of health care, while strengthening requirements for providers to notify patients about their privacy rights and practices. Specifically, the Department received comments that the consent requirements in the current rule interfere with pharmacists filling prescriptions, referrals to specialists and hospitals, providing treatment over the telephone, and emergency medical providers. Under, the proposal, patients would be asked to acknowledge receipt of the notice of privacy rights and practices. This change would give patients the opportunity to consider a provider's privacy policies before making health care decisions while eliminating barriers that could delay or block patients' access to care. This change to consent only applies to uses and disclosures for treatment, payment and health care operations (TPO) purposes. Patient authorizations are still required to use and disclose information for non-TPO purposes.

Minimum Necessary and Oral Communications: The "minimum necessary" provision is an essential element in the privacy protections for individual health information. This provision requires covered entities to make reasonable efforts to limit the use and disclosure of and request for protected health information to the minimum necessary to accomplish the intended purpose. The proposal would retain both the oral communication and "minimum necessary" requirements, but it would make clear that a doctor could discuss a patient's treatment with other doctors and professionals involved in the patient's care without fear of violating the rule if they are overheard. As long as a covered entity met the minimum necessary standards and took reasonable safeguards to protect personal health information, incidental disclosures--such as another patient overhearing a fragment of conversation--would not be an impermissible disclosure.

Business Associates: The current rule requires covered entities--health plans, health care providers and clearinghouses--to have contracts with their business associates to ensure the business associates protect the privacy of the information. The proposal includes model business associate contract provisions to make it easier and less costly for covered entities to implement the requirements. The changes also would give covered entities (except for small health plans) up to an additional year to change existing contracts, easing the burden of renegotiating contracts all at once.

Marketing: Based on consumer concerns that the marketing provisions in the current rule does not protect individuals' privacy, the proposal would explicitly require covered entities to first obtain the individual's specific authorization before sending them any marketing materials. At the same time, the proposal would permit doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

Parents and Minors: The current rule may have unintentionally limited a parent's access to their child's medical records. The proposal clarifies that state law governs disclosures to parents. In cases where state law is silent or unclear, the revisions would preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records as long as that decision is consistent with state or other law.

Uses and Disclosures for Research Purposes: The proposal would eliminate the need for researchers to use multiple consent forms--one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form to accomplish both purposes. The proposal would also simplify other provisions so that the existing rule more closely follows the requirements of the "Common Rule," which governs federally funded research. The provisions include privacy-specific criteria and apply equally to publicly and privately funded research.

Request for Comments on an Alternative Approach to De-Identification: The Department received comments from the research community on the need for an alternative approach to de-identification of data. HHS shares these concerns but still believes identifiable information should have strong protections. Therefore, HHS is seeking comments on establishing a limited data set that does not include directly identifiable information but in which certain identifiers remain. In addition, to further protect privacy, the Department proposes to condition the disclosure of the limited data set on a covered entity's obtaining from the recipient a data use or similar agreement in which the recipient would agree to limit the use of the data set to the purposes for which it was given as well as agree not to re-identify the information or use it to contact any individual.

Uses and Disclosures for which Authorizations Are Required: The proposal would allow the use of a single type of authorization form to get a patient's permission for a specific use or disclosure that otherwise would not be permitted under the Privacy Rule. Patients would still need to grant permission in advance for each type of use or disclosure, but the proposal would eliminate the need for covered entities to use different types of forms to obtain that advance permission.

Other Provisions: The Department also proposes the following modifications: * Sale of Business: The proposal would clarify that the rule permits disclosures in certain circumstances for the sale of a covered entity's business.

* Group Health Plans: The proposal would clarify that a group health plan or health insurance issuer can disclose enrollment or disenrollment information to a plan sponsor without amending plan documents.

* Accounting of Disclosures of Protected Health Information: The proposal would not require the covered entity to account for disclosures for which the individual provided written authorization.

* Disclosures for Treatment, Payment, or Health Care Operations of Another Entity: The proposal would clarify that covered entities can disclose protected health information for the treatment, payment and certain health care activities of another covered entity or health care provider. The proposal would carefully limit the expansion of sharing of information for health care operations to protect the privacy expectations of individuals.

* Uses and Disclosures Regarding FDA-Regulated Products and Activities: The proposal would assure that the rule permits covered entities to continue to disclose information to non-government entities subject to FDA jurisdiction about the quality, safety and effectiveness of FDA-regulated products and activities--such as reporting adverse events related to prescription drug use.

* Hybrid Entity: The proposal would permit any entity that performs covered and non-covered functions to elect to use the hybrid entity provisions and would provide the entity additional discretion in designating its health care component. The proposal would clarify that protected health information does not include employment records.

The proposal also includes a list of technical corrections and additional clarifications related to various sections of the existing rule. The proposed modifications collectively are designed to ensure that protections for patient privacy are implemented in a manner that maximizes privacy while not compromising either the availability or the quality of medical care.

September 04, 2001 Physician Group Officially Files its Privacy Suit
One month after saying it would challenge the constitutionality of the medical privacy rule, the Association of American Physicians and Surgeons filed a lawsuit on Aug. 30. The Tucson, Ariz.-based organization originally announced the filing on July 31, but actually held off to enable other groups and individuals to join. Four citizens joined the association's suit as plaintiffs: Congressman Ron Paul (R-Texas); Dawn Richardson and Rebecca Rex, leaders of the Texas-based group Patients Requesting Open Vaccine Education, which opposes mandated immunizations; and Darrell McCormick of Gainesville, Fla., former billing manager at Shands Healthcare System at the University of Florida.
Rep. Paul in March introduced a joint resolution to disapprove the medical privacy rule, but Congress took no action. A practicing physician, Paul is a vocal proponent of individual freedoms and ran for president in 1988 on the Libertarian Party ticket. He fears the privacy rule will require health care providers to disclose health information to the federal government for purposes of creating a national database of medical records.

The association's lawsuit, filed in U.S. District Court in Houston and available at www.aapsonline.org, contends the privacy rule:

* Violates the First and Fourth Amendments by requiring physicians to allow government access to medical records without a warrant and authorizing government construction of a centralized database of medical records with personal health identifiers.

* Violates the Tenth Amendment governing intrastate activities by physicians in using and maintaining medical records for patients, and disrupts state laws.

* Violates the Health Insurance Portability and Accountability Act, which authorized the privacy rule, by including medical records other than electronic transactions, which are covered under HIPAA.

* Violates the Paperwork Reduction Act and the Regulatory Flexibility Act by imposing "an immense and unjustified regulatory burden on small medical practices."

The Association of American Physicians and Surgeons, representing 7,000 physicians, works to preserve private medicine, traditional medical ethics and the sanctity of the patient-physician relationship from intrusion of third parties. The association believes the privacy rule permits the imprisonment of physicians for using a patient's medical history to treat the patient, according to information on its Web site. The association also believes HIPAA's mandated provider and patient identifiers will provide the infrastructure for the complete government takeover of medicine. The Clinton Administration placed establishment of a national patient identifier on indefinite hold pending consensus on what the identifier should be.

The AAPS lawsuit is separate from a suit filed against the privacy rule by two other organizations representing physicians. The South Carolina Medical Association and Louisiana State Medical Society filed suit on July 16 challenging the authority of Congress to permit the Department of Health and Human Services to promulgate the privacy rule. The suit also alleges the rule violates the Fifth Amendment's due process guarantee because of a vague state preemption clause. Furthermore, the suit alleges HHS did not have constitutional authority to include all medical communications under the privacy rule. The national American Medical Association is not a party to the suit.

August 28, 2001 Congress to Examine HIPAA Issues

The House Government Reform Committee will hold a hearing on Oct. 1 in Indianapolis to examine issues related to complying with provisions of the Health Insurance Portability and Accountability Act. The committee expects to receive an update from federal officials on the status of implementing the HIPAA final transactions and code sets rule and the final privacy rule. It also expects to hear testimony from industry representatives on implementation challenges. Rep. Daniel Burton (R-Ind.), chair of the committee, will release additional information on the hearing within days, according to an aide.

August 27, 2001 Governors Ask Congress for HIPAA Delay

The National Governor's Association is asking Congress for a longer, more structured timetable to implement administrative simplification provisions of the Health Insurance Portability and Accountability Act. The association on August 22 sent a letter to Sens. Max Baucus and Charles Grassley, leaders of the Senate Finance Committee; and Reps. Billy Tauzin and John Dingell, leaders of the House Energy and Commerce Committee. The governors endorse legislation before Congress--H.R. 1975 and S. 836--to establish a uniform compliance date for HIPAA provisions following publication of all final rules. Gov. Don Sundquist, chair of the NGA human resources committee, and Gov. Frank O'Bannon, vice chair, signed the letter. Read the article from Health Data Management here.

August 20, 2001 Researchers: Privacy Rule Creates Obstacles, Needs Fixing. Fourteen organizations representing medical researchers have signed a letter to U.S. Health and Human Services Secretary Tommy Thompson asking for modifications to the medical privacy rule. The organizations believe the rule, "unless substantially amended," creates significant obstacles to research. Furthermore, the government's recently issued privacy rule guidance document does not address most concerns research organizations have raised, according to the letter. Read the article from Health Data Management here.

August 20, 2001 Government Officials to Participate in HIPAA Town Meeting
Five government officials with jurisdiction over HIPAA's privacy and security rules will participate in a town meeting during the Third National HIPAA Summit, Oct. 24-26, in Washington, D.C. The officials will provide regulatory updates and respond to questions and comments. Read the article from Health Data Management here.
August 13, Does HIPAA affect satisfaction queries?
Under the HIPAA, can a hospital conduct surveys or questionnaires of patients to learn whether they were satisfied with the care they received and, if so, what requirements or limitations are there on such activities? Can a hospital hire a vendor to conduct the surveys? Read the article from the American Hospital Association here.

August 10, 2001 Getting Answers to HIPAA Questions.
Health care organizations implementing the HIPAA final transactions and code sets rule often find progress stalled because they can't figure out a nuance in the rule. For instance, payers wishing to phase in compliance activities may want to know if they can require providers to use certain transactions standards prior to the Oct. 16, 2002, deadline (Yes). Or, a provider may wonder if faxed claim forms are subject to the claims transactions standard (No). Federal officials that wrote the transactions and code sets rule accept e-mailed questions and post the answers on the Department of Health and Human Services' official HIPAA Web site, http://aspe.hhs.gov/admnsimp. It can take several weeks or longer between the time a question is submitted and an answer posted. However, some 60 questions regarding applicability, code sets, compliance dates, data content, direct data entry, operational issues, paper forms and real-time transactions already are posted with the answers on the site.

August 9, 2001 Health Industry Group Calls on DHHS to Speed Revision of Privacy Rules The Healthcare Leadership Council (HLC), a health industry group representing more than 80 organizations, sent a letter to DHHS Secretary Tommy Thompsonon Monday asking for "swift action to complete and publish modifications to new federal rules on medical privacy." In the letter, HLC urges DHHS to "speed"efforts to publish modifications to the rule." Last minute modifications pose real problems for America's health care system," the letter said. Read the letter.

August 7, 2001 Gartner Report: Consumers Want Privacy and Security Online According to Business Wire, a new report from Gartner advises companies to use and promote privacy and security protections in order to capture the yet untapped consumer base of Web shoppers with low confidence in the privacy and security of Web transactions. The report finds that over 80 percent of online American adults are very concerned about the security of bank and brokerage account numbers, as well as their Social Security and credit card numbers when doing online transactions. The report also indicates that approximately 60 percent of online adults say security and privacy concerns stop them from doing business on the Web. Full Story.

August 3, 2001 CHIP Outlines Transactions' Impact on Small Providers
Wednesday, the Coalition for Health Information Policy (CHIP) sent a letter to DHHS outlining the impact of the HIPAA Transactions Rule on small providers. CHIP supports the timely implementation of HIPAA and stated that small providers' compliance burden will be eased considerably by the assistance of professional associations and software updates from established vendors. The letter was sent in response to a DHHS request for this information. Read the letter.

August 1, 2001 URAC Releases Health Web Site Accreditation Standards
On July 27, the URAC Board of Directors granted final approval to the standards URAC will use for its Health Web Site Accreditation Program. The standards, which were released yesterday, are designed for consumer-oriented, online health
resources, and address a number of important concerns, including privacy and security. Read more.

July 31, 2001 AAPS Files Lawsuit in Attempt to Stop HIPAA Privacy Regs The Association of American Physicians and Surgeons (AAPS) announced details of a new lawsuit to be filed to halt implementation of the HIPAA privacy regulations. Also to be released are the results of a national survey of physicians showing almost unanimous opposition to the new rules. Read more.

July 30, 2001 DHHS Reaffirms Plans on Security and E-Signatures Rules
Senior DHHS Advisor on Health Information Policy Bill Braithwaite reaffirmed Friday that the final Security Rule is unlikely to differ substantially from the proposed Security Rule provisions: "The basic philosophy of the final security rule is unchanged from the NPRM." Braithwaite noted that "redundancies and excessive micromanagement have been reduced." He also commented that the electronic signature standard would not be included in the final Security, but "will be addressed later (a year or so) in another rule." Braithwaite forwarded this report to Phoenix Health Systems in response to an inquiry regarding the current status of the final Security Rule. The proposed Security Rule, including a proposed Electronic Signature Standard, was published by DHHS in August, 1998.

July 30, 2001 AFEHCT Issues Report Assessing the Case for HIPAA Delay
The Association For Electronic Health Care Transactions (AFEHCT) has issued a report written by The Moran Company entitled "Implementing the Administrative Simplification Requirements of HIPAA: Assessing the Case for Delay." The report, which AFEHCT is using in its lobbying efforts, reviews the history and rationales behind the enactment of the 'administrative simplification' provisions of HIPAA, discusses the newly identified direct and collateral benefits of standardization, reviews the technical feasibility of implementing the administrative simplification standards, and assesses the arguments "for" and "against" the "delay" in the implementation of the "administrative simplification" standards. Read the report (Word format).

July 30, 2001 Blues Exert Pressure on Congress for HIPAA Delay
There are signs of Congressional movement on the Blues' HIPAA "delay" proposals. According to AFEHCT, the Blues are exerting pressure for Congressional action before the August Congressional recess which begins August 3. Action, if any, will take place first in the Senate. Read more.

July 24, 2001 U.S. Looks to Web To Boost Healthcare Customer Service
Sen. Ron Wyden (D-OR), chair of the Science, Technology, and Space Subcommittee of the Senate Commerce Committee, has issued a call for increased use of Internet and e-commerce tools to improve customer service in America's healthcare industry. On Monday, the subcommittee held a hearing titled "E-Health and Consumer Empowerment: How Consumers Can Use Technology Today and in the Future to Improve Their Health." According to witnesses at the hearing, there is a need for hospitals and physicians to share Web-based patient data. Full Story.

July 23, 2001 Bush Calls for Computer Security Board
The White House is setting up a panel to determine the best way to fend off attacks on government systems and protect "critical" private-sector computer networks. The effort is outlined in the final draft of an executive order, called "Infrastructure Protection in the Information Age," which President Bush is expected to sign and issue within two weeks. Full Story.

July 23, 2001 Medicare Prepares for HIPAA Testing
According to Health Data Management, the Centers for Medicare and Medicaid Services, formerly HCFA, has sent a memorandum to Medicare carriers and intermediaries outlining testing requirements in compliance with the HIPAA transactions and code sets final rule. The memorandum, titled Transmittal AB-01-96, contains valuable information for hospitals and other provider organizations that want to get an early start on testing with their Medicare contractor. Read the memorandum (PDF file).

July 20, 2001 Lawmakers Urge HIPAA Fix
The American Hospital Association reports that earlier this week a bipartisan group of 15 senators wrote DHHS Secretary Tommy Thompson, urging the administration to fix and help fund HIPAA's medical privacy rule. The Senate letter followed last week's identical call for changes from 165 representatives.
Read more.