The Security Scrutinizer with Howard Anderson

Plenty of Feedback on HIPAA Changes

Regulators Get Detailed Comments on Proposed Modifications
The Department of Health and Human Services' Office for Civil Rights received thousands of pages of comments from hundreds of organizations by the Sept. 13 deadline. Now, the office will spend the coming weeks fine-tuning the proposal issued in July.

Here's a sampling of some of the important points made in the letters, all of which are available on a federal website.

Restricting Information

As we previously reported, the American Health Information Management Association, in one of the most detailed comment letters submitted, outlined its concerns about the cost and impracticality of enabling patients to restrict certain information held by their healthcare providers from being shared with their insurer. Many other commenters shared this concern.

Like AHIMA, the College of Healthcare Information Management Executives, which represents CIOs, cites concerns about the capabilities of current technologies to handle such restrictions. "CHIME does not believe it would be practical to expect the prescribing provider to inform the pharmacy of any privacy restrictions or that the technology for doing so currently exists," its letter states.

CHIME also argues that insurers, and not hospitals and other healthcare providers, should be required to discuss the data access restriction provision with patients -- if the provision is included in the final rule.

The Medical Group Management Association, which represents clinic administrators, says it "does not support requiring a covered entity to inform other healthcare providers of the requested restriction and believes the responsibility for such a request should remain with the patient."

And the National Association of Chain Drug Stores says the restriction provision is workable "only if a request to restrict disclosure to a health plan is as specific as reasonably possible."

The HITECH Act mandated that patients be offered the ability to restrict health plans' access to certain data when they pay out of their own pockets for services. So we'll be watching to see how the HHS Office for Civil Rights addresses commenters' concerns while carrying out the mandate. Perhaps regulators will delay final guidelines on this topic pending further study.

Business Associate Agreements

The proposed HIPAA modifications make it crystal clear that business associates, and even their subcontractors, must comply with the privacy and security rules. And that's a provision that appears to have widespread support.

The rule, however, says covered entities, such as hospitals, clinics and insurers, must modify their business associate agreements to reflect all the latest HIPAA modifications. And that requirement triggered protests.

For example, the Healthcare Information and Management Systems Society, which represents IT executives, questions why covered entities need to modify business associate agreements to make them even more complex.

Given that the HIPAA modifications spell out business associates' responsibilities, "It is no longer necessary to require business associate agreements that recite the HIPAA rules as a vehicle to manage privacy and security compliance," HIMSS argues. "Requiring covered entities and business associates to affirmatively amend their business associate agreements under the HITECH Act places an undue burden on the healthcare industry."

HIMSS suggests that instead of drafting even more complex agreements, covered entities should just include in their contracts with business associates "a simple statement affirming that the BA agrees to comply with the provisions of the HIPAA privacy and security rules." CHIME also voiced support for this position.

State Law Conflicts

MGMA asks federal regulators to work with the states to eliminate any state laws that conflict with the modified HIPAA rules.

The association calls on federal regulators to "urge states to conform their inconsistent or conflicting laws with HIPAA privacy and security requirements."

And that sounds like a reasonable request. Complying with the complex HIPAA privacy and security rules is difficult enough without having to keep track of conflicting state rules as well.

Risk Assessments

HIPAA requires organizations to conduct risk assessments and then address the risks identified. This is also a requirement under the "meaningful use" rule for the Medicare and Medicaid electronic health record incentive program. HIMSS asks regulators to provide more specifics on the frequency and scope of such assessments.

This echoes a theme that risk management expert Mac McMillan stressed in a recent interview, when he called for regulators to specify how often risk assessments should be conducted.

Regulators would do everyone in healthcare a favor if they eliminated as many "gray areas" as possible in the HIPAA modifications, such as by providing more guidance on the risk assessment requirement.

Compliance Deadline

Of course, whenever those who are regulated are asked to comment on new rules, they're going to ask for more time to comply, and the HIPAA modifications are no exception. The proposal to modify HIPAA would give those affected 180 days beyond the effective date of the final rule to comply with most provisions.

MGMA says that should be extended to at least one year. "This added time is necessary to give practices an opportunity to fully evaluate and make the needed modifications to their privacy and security policies," its letter states.

How long organizations need to get ready to comply is debatable. First, let's hope regulators write a final version of the HIPAA modifications that addresses major concerns in simple, precise language. That way, compliance will be far easier to achieve.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.