Medical Privacy
 |
|
|
Related Resources
This page contains documents in Portable Document Format (PDF).
The Adobe Acrobat® Reader® is required to view PDF documents. Download
Acrobat® Reader®.
Also on Government Affairs
AAMC Documents
- April
11, 2002 AAMC Comment Letter on Privacy NPRM
- February
11, 2002, Letter to OMB
- August
22, 2001, Testimony before the National Committee
on Vital and Health Statistics Subcommittee on Privacy
and Confidentiality
- February
8, 2001, Testimony on Final HHS Privacy Regulation
- March
1, 2000, Statement on Standards for Privacy of Individually
Identifiable Health Information
- March
30, 2001, Comment Letter on Final Rule on "Standards
for the Privacy of Individually Identifiable Health
Information"
- May
19, 1998, Testimony on Medical Records' Confidentiality
Legislation
|
|
Background: Privacy
The Health Insurance Portability and Accountability Act (HIPAA),
which became law on August 21, 1996, authorized the Secretary
of HHS to promulgate regulations on standards for the privacy
of individually identifiable health information if Congress
did not enact health care privacy legislation by August 21,
1999. HIPAA also required the Secretary of HHS to provide
Congress with recommendations for protecting the confidentiality
of health care information. The Secretary submitted recommendations
to Congress on September 11, 1997.
As Congress did not enact legislation regarding the privacy
of individually identifiable health information prior to August
21, 1999, HHS published a proposed Rule setting forth such
standards on November 3, 1999. The Department received more
than 52,000 public comments in response to the proposal. After
reviewing and considering the public comments, HHS issued
a final Rule on December 28, 2000, establishing “Standards
for Privacy of Individually Identifiable Health Information.”
After publication of the final privacy rule, HHS received
many inquiries and unsolicited comments through telephone
calls, e-mails, letters, and other contacts about the impact
and operation of the privacy rule on numerous sectors of the
health care industry. Many of these commenters exhibited substantial
confusion over how the privacy rule will operate; others expressed
great concern over the complexity of the privacy rule. In
response to these communications and to ensure that the provisions
of the privacy rule would protect patients' privacy without
creating unanticipated consequences that might harm patients'
access to health care or quality of health care, the Secretary
of HHS requested comment on the privacy rule in March 2001.
After an expedited review of the comments by the Department,
the Secretary decided that it was appropriate for the privacy
rule to become effective on April 14, 2001, as scheduled.
HHS issued “the first in a series of guidance materials,”
which “explains and clarifies key provisions” of
the rule on July 6, 2001. The guidance addressed a number
of issues, including consent, the “minimum necessary”
standard, oral communications, business associates, parents
and minors, health-related communications and marketing, research,
restrictions on government access to health information, and
payment. HHS anticipated “there will be many questions
that will arise on an ongoing basis” that will need to
be answered in future guidance. In addition, HHS stated it
would issue proposed modifications to the rule as necessary
to address problems arising from unintended effects of the
Privacy Rule on health care delivery and access.
On August 14, 2001, the AAMC joined with 14 other organizations
in a letter to Secretary of Health and Human Services Tommy
Thompson indicating concern that the final HHS rule, “unless
substantially amended, will harm patients and scientific innovation
by creating significant obstacles to the conduct of biomedical,
epidemiologic, health services, and other research.”
Jennifer Kulynych, J.D., Ph.D., director in the AAMC's Division
of Biomedical and Health Sciences Research, testified August
21, 2001, before the National Committee on Vital and Health
Statistics' Subcommittee on Privacy and Confidentiality -
an advisory body to the Secretary of Health and Human Services
– on the association's objections to certain provisions
in the final rule. Dr. Kulynych stated that while the AAMC
strongly supports measures to protect the privacy rights of
research participants, it believes that some of the standards
outlined in the HIPAA rule would constrict researchers' access
to essential medical information, creating significant obstacles
to the conduct of research. A primary concern with the rule
is its imposition of civil and criminal liability upon hospitals,
health plans, and providers who use or disclose data for research
purposes, even when such actions have been approved by institutional
review boards.
The AAMC joined nearly 200 research universities, medical
schools, teaching and community hospitals, medical specialty
and scientific societies, and other associations in a November
20, 2001, letter to Secretary Thompson requesting that the
department re-open rulemaking for the "Standards for
Privacy of Individually Identifiable Health Information."
Citing "the growing consensus within our community that
the rule must be amended to avoid the harm that will result
when covered entities and research companies in private industry
begin their implementation efforts," the letter states,
"[T]he rule's restrictions on the use and disclosure
of protected health information for research purposes, and
limits on the retention of research data, will seriously impair
our ability to conduct clinical trials, clinico-pathological
studies of the natural history and therapeutic responsiveness
of disease, epidemiologic and health outcome studies, and
genetic research."
On February 11, 2002, the AAMC asked the Office of Management
and Budget (OMB) to examine the rule's research provisions
closely. "Problems [pertaining to the medical privacy
rule] of regulatory burden, redundancy, ambiguity, workability
. . . are all matters of concern for regulatory policy that
fall within the OMB's expertise and purview," wrote AAMC
President Jordan Cohen, M.D.
In a February 7, 2002 letter to Secretary Thompson, Senators
Judd Gregg (R-N.H.) and Bill Frist (R-Tenn.), ranking Republicans
on the full Senate Committee on Health, Education, Labor,
and Pensions and the Public Health Subcommittee, respectively,
support modifications to the new federal medical-privacy rule,
specifically addressing concerns for the rule's potentially
deleterious impact on medical research and innovation in health
care.
Representatives Bill Thomas (R-Calif.) and Nancy Johnson
(R-Conn.), chairs of the full House Ways and Means Committee
and the Health Subcommittee, respectively, wrote a letter
on February 26, 2002 to Secretary Thompson and OMB Director
Mitch Daniels calling on the Administration to address research-related
issues before any final medical privacy rule is published.
In response to ongoing concerns expressed by a number of
organizations, including the AAMC, on March 27, 2002, the
Department of Health and Human Services (HHS) Office of Civil
Rights published a proposed rule to modify portions of the
privacy regulations mandated under the Health Insurance Portability
and Accountability Act (HIPAA), Public Law 104-91. The proposal
was issued with a 30-day comment period that expired on April
26, 2002. In a statement issued April 4, 2002, the AAMC strongly
endorsed the proposed changes while noting “additional progress
is needed if the privacy rule is to become a truly workable
standard that does not unduly impair patient care and research.
AAMC Memorandum #02-13 summarizes the major modifications
and clarifications being proposed as well as the AAMC’s continued
concerns with the de-identification standard and the fund
raising provisions as well the rule’s burdensome accounting
requirements. AAMC also has prepared a draft comment letter.
On August 14, the Department of Health and Human Services
published final modifications to the Medical Privacy Rule,
based on the more than 11,000 public comments received on
the March 27 notice of proposed rulemaking. The Standards
for Privacy of Individually Identifiable Health Information
(the Privacy Rule) took effect on April 14, 2001. The Privacy
Rule creates national standards to protect individuals' personal
health information and gives patients increased access to
their medical records. As required by the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), the Privacy
Rule covers health plans, health care clearinghouses, and
those health care providers who conduct certain financial
and administrative transactions electronically. The privacy
rule regulates how these "covered entities" may use and disclose
identifiable health information for routine (e.g., treatment,
payment) and non-routine (e.g., research, marketing) purposes.
Most covered entities must comply with the Privacy Rule by
April 14, 2003. Small health plans have until April 14, 2004
to comply with the Rule.
Background: Transaction Standard
The HIPAA statute required the Secretary of HHS to adopt
standards from among those already approved by private standards
developing organizations for certain electronic health transactions,
including claims, enrollment, eligibility, payment and coordination
of benefits. A final rule was published in the Federal Register
on August 17, 2000. On December 27, 2001, President Bush signed
a law that delays the compliance date for one year to October
16, 2003. A covered entity will not receive the extension
unless it submits a compliance plan to HHS by October 15,
2002. The CMS web site has a form can be completed and submitted
to fulfill this requirement.
Background: Security Standard
HHS also was required by HIPAA to promulgate standards for
the security of individual health information and electronic
signature use by health plans, health care clearinghouses,
and health care providers. A rule was proposed on August 12,
1998. It has not yet been made final.
|
