The Health Insurance Portability and Accountability Act
April 14, 2003 was the launch date for the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification provisions. Unfortunately, there is nothing simple about it. These provisions cover transactions and code sets, security and identifiers. The law requires most health plans, clearing houses and those providers that conduct certain transactions electronically to be compliant unless they have filed for a one-year extension (to October 16, 2003). Detailed information about the standards is available at www.cms.hhs.gov/hipaa. Bottom line: a great deal of individually-identifiable, private medical information will be widely disseminated and collected in massive databases that can be accessed by thousands of entities, without the prior consent or knowledge of patients.
The administrative simplification process is supposed to “streamline and standardize the electronic filing and processing of health insurance claims, save money and provide better service for providers, insurers and patients,” according to Tommy G. Thompson, Secretary of the U.S. Department of Health and Human Services (HHS).
Perhaps the two most controversial portions of these regulations concern the assignment and use of personal identification numbers for consumers, and the loss of control by individuals over their medical records. The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing these and other provisions of HIPAA. In order to perform these duties, CMS is creating a new office to establish and operate enforcement processes, develop regulations related to HIPAA standards, and conduct outreach activities to HIPAA covered entities (physicians, hospitals, insurance companies and others affected by the new regulations).
The enforcement process will be primarily complaint-driven, and will focus on obtaining voluntary compliance through technical assistance. Opportunities will be provided for covered entities to demonstrate compliance or to develop a corrective action plan.
At this point in time, the personal identification number has proven to be so problematic that it has not been finalized by Congress or HHS. In fact, Congress has approved language forbidding the expenditure of any funds to implement this section of the Social Security Act for the last five fiscal years. U.S. Rep. Ron Paul has requested that, rather than simply extend this prohibition for another year, Congress repeal the authorization of the National medical ID. It is required under HIPAA, however, so you can be sure that this debate will rage on for months to come. We will continue to provide updates on this issue to our members.
The second issue, loss of privacy, is now a done deal. Individuals may now be required to authorize the sharing of their medical records prior to receiving treatment. In addition, practitioners need not request that permission until the patient next visits their office or clinic. In the meantime, that information may be shared with pharmacies, pharmaceutical manufacturers, law enforcement agencies, employers, insurance companies and other exempt entities, without patient consent or knowledge. In addition, individually-identifiable data may be shared with such expected recipients as the Food and Drug Administration for post market surveillance and product recalls, the Centers for Disease Control and local governments to detect and track infectious disease outbreaks, social service agencies to respond to child abuse and neglect cases, and public health officials.
HHS has recognized another serious privacy problem: covered entities do not have to comply with the new security standards until 2005 or 2006. Covered entities will have regulatory permission to use and disclose identifiable health information during this time before they have to adopt basic security measures to protect the privacy of the information. The confidentiality of health information is threatened by the “risk of improper access to stored information” as well as by the “risk of interception during electronic transmission,” according to HHS. A covered entity that lacks adequate protections risks inadvertent disclosure of patient data, with the resulting loss of public trust and potential legal action. “For example, a covered entity with poor facility access controls and procedures would be susceptible to hacking of its databases,” HHS noted. At this writing, however, no standard measures exist in the health care industry for the protection of identifiable health information.
The Office of Civil Rights within HHS is responsible for overseeing and enforcing the privacy regulations which, at this writing, have not even been drafted. The HHS website includes a list of 190 Frequently Asked Questions that physicians may browse to find answers to questions posed using key words. Click on www.hhs.gov/ocr/hipaa to access this and other helpful documents.
Legislation has been introduced by Rep. Markey that will roll back some of the more heinous provisions and restore a modicum of control to individuals over their medical records. While the bill does require patients to give their consent in advance of information being shared, it does nothing to prevent providers from withholding care if the patient refuses that consent. In essence, the consent becomes coercion. A lawsuit is also going to be filed by numerous plaintiffs, including AAHF, in an effort to force changes in the HIPAA regulations that violate patient privacy.
Information about the legislation, lawsuit and regulatory compliance will be posted on our web site as it becomes available. Please check back regularly for updates and helpful information.
Copyright © 2001
American Association for Health Freedom
9912 Georgetown Pike Suite D-2 P.O. Box 458 Great Falls, Virginia 22066
800-230-2762 703-759-0662 Fax 703-759-6711