New York - Volume X, Number 4 - April, 2001
HIPAA PRIVACY RULE PROCEEDS WITHOUT SIGNIFICANT CHANGES
A roller coaster of speculation about the survival of federal health privacy standards has come to an abrupt end. The controversial standards, mandated by the Health Insurance Portability & Accountability Act of 1996 ("HIPAA") and adopted by the U.S. Department of Health and Human Services ("HHS") on December 28, 2000 (see Statlaw, Vol. IX, No. 9 and Vol. X, No. 1), are applicable to individually identifiable health information created or received by a covered entity (including health care providers who transmit claims electronically). They define the circumstances in which an entity may use and disclose covered health information; establish individual rights with respect to the information; and require covered entities to adopt safeguards to protect the confidentiality of the information, with civil and criminal penalties for noncompliance. HHS Secretary Thompson announced April 12 that President Bush will not delay or significantly change the rules, which were reopened for a thirty-day comment period ending March 30, resulting in more than 24,000 written comments. Thompson announced that HHS will immediately begin the process of implementing the patient privacy rule while keeping in mind the comments received as it continues to "make sure patients receive the highest quality care and begin the process of issuing guidelines on how this rule should be implemented." Thompson says such guidelines will allow clarification of some of the confusion regarding the impact the rule might have on health care delivery and access and that HHS will consider necessary modifications to ensure that quality of care does not suffer inadvertently from the rule.
In particular, the guidelines or modifications will ensure that: doctors and hospitals will have access to necessary medical information about a patient they are treating and will be able to consult with other physicians and specialists regarding a patient's care; patient care will be delivered in a timely and efficient manner and not unduly hampered by the confusing requirements surrounding consent forms; and parents will have access to information about the health and well-being of their children, including information about mental health, substance abuse or abortion.
The standards do not preempt more stringent state laws. The 2003 compliance date, in fact, will be moved up under New Jersey's HINT law (see Statlaw, Vol. X, No. 3), which requires the New Jersey Department of Banking and Insurance ("the Department") to propose rules establishing uniform health care enrollment and claim forms and requiring that information and materials obtained or used by health care payers, providers, and their agents and vendors for the administration of health care transactions comply with the practices and requirements of New Jersey's Insurance Information Privacy Act. Now that the federal rules are final, the Department will have to revisit the privacy provisions of its proposed rule.
In practical terms, physician practices must take specific steps to comply with the federal rule, including designating a "privacy officer" responsible for the development and implementation of privacy protection policies and procedures; safeguarding and limiting access to protected health information; training staff on privacy rules; establishing sanctions for staff who break the rules; maintaining a log of disclosures; adopting a complaint process that identifies a contact person for complaints; developing procedures to permit individuals to inspect, copy and/or amend their own records; furnishing patients with notice of privacy practices and patient rights; and executing or revising contracts with business associates to obtain assurance of their compliance with the regulations. Kern Augustine's ProACT Compliance Services can assist practices with their privacy compliance needs, as well as compliance with the OIG's Compliance Program Guidance for Individual and Small Group Physician Practices.