HIPAA PRIVACY RULES IMPOSED AS MANDATORY FOR ALL PHYSICIANS

By: Michael J. Schoppmann, Esq.

A roller coaster of speculation about the survival of federal health privacy standards has come to an abrupt end. The controversial standards, mandated by the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) and adopted by the U.S. Department of Health and Human Services (“HHS”) on December 28, 2000, are applicable to individually identifiable health information created or received by a covered entity (including health care providers who transmit claims electronically). They define the circumstances in which an entity may use and disclose covered health information; establish individual rights with respect to the information; and require covered entities to adopt safeguards to protect the confidentiality of the information, with civil and criminal penalties for noncompliance. HHS Secretary Thompson announced that President Bush will not delay or significantly change the rules, which were reopened for a thirty-day comment period ending March 30, resulting in more than 24,000 written comments.

Thompson announced that HHS will immediately begin the process of implementing the patient privacy rule while keeping in mind the comments received as it continues to “make sure patients receive the highest quality care and begin the process of issuing guidelines on how this rule should be implemented.” Thompson says such guidelines will allow clarification of some of the confusion regarding the impact the rule might have on health care delivery and access and that HHS will consider necessary modifications to ensure that quality of care does not suffer inadvertently from the rule.

In particular, the guidelines or modifications will ensure that: doctors and hospitals will have access to necessary medical information about a patient they are treating and will be able to consult with other physicians and specialists regarding a patient’s care; patient care will be delivered in a timely and efficient manner and not unduly hampered by the confusing requirements surrounding consent forms; and parents will have access to information about the health and well-being of their children, including information about mental health, substance abuse or abortion.

The standards do not preempt more stringent state laws. Most states, including New York, have worked toward designing rules to establish uniform health care enrollment and claim forms and to require that information and materials obtained or used by health care payers, providers, and their agents and vendors for the administration of health care transactions comply with privacy requirements. Now that the federal rules are final, New York State will most probably seek to revisit the privacy provisions of any present or proposed rules.

In practical terms, physician practices must take specific steps to comply with the federal rule, including: designating a “privacy officer” responsible for the development and implementation of privacy protection policies and procedures; safeguarding and limiting access to protected health information; training staff on privacy rules; establishing sanctions for staff who break the rules; maintaining a log of disclosures; adopting a complaint process that identifies a contact person for complaints; developing procedures to permit individuals to inspect, copy and/or amend their own records; furnishing patients with notice of privacy practices and patient rights; and executing or revising contracts with business associates to obtain assurance of their compliance with the regulations. Given the close interplay between the new HIPAA Privacy Regulations and the OIG Compliance Program for Individual and Small-Group Physician Practices, physicians should consider implementing a single, blended program that both meets the mandatory requirements of HIPAA and provides the potential benefit of compliance with respect to fraud and abuse.

Once the “guidelines” for the HIPAA Privacy Rules promised by HHS Secretary Thompson are actually provided, additional information shall be provided to the DCMS membership immediately. In the interim, any DCMS member with questions should feel free to contact Michael J. Schoppmann, Esq. at 1-516-326-1880.