HIPAA experts counsel calm during political turbulence

In the wake of a week that saw the Health Insurance Portability and Accountability Act first scuttled, then resurrected, experts are advising their clients to steer a steady course.

On Monday, April 9, HIPAA faced an uncertain future. That day, four HIPAA news items surfaced:

• The New York Times reported the Bush administration had concluded that the federal standards to protect the privacy of medical records, adopted with much fanfare during the last weeks of the Clinton administration, were unworkable and must be revised.

• Majority leader Dick Armey sent a strongly worded letter to House lawmakers warning them of the pitfalls involved in privacy legislation.

• The Health Privacy Project urged that HIPAA's effective date not be delayed, that these privacy standards are long overdue, have already have been thoroughly debated, and should be put into effect promptly.

• The Government Accounting Office issued a report on HIPAA consent, stating the privacy regulation's consent requirement will be more of a departure from current practice for some providers than others.

Hospital information technology managers and HIPAA security officers could perhaps be forgiven for any confusion they may have felt. Even the experts seemed befuddled. Some adopted a wait-and-see attitude, while others advised clients to slow down HIPAA compliance efforts.

Then, on Thursday, April 12, the Bush administration reversed course, deciding to let the rules written by the Clinton administration go ahead and take effect over the Easter weekend with no delay, meaning the compliance date of April 14, 2003, remains in effect for most covered entities. Only those healthcare plans with less than $5 million in annual income have until 2004.

Behind the on-again, off-again discussion of the HIPAA rules has been a fairly intense debate about their impact. The rules have come under fire from hospitals, insurance companies, drug companies, and several medical organizations for being too complicated and expensive to implement. As a result, Health and Human Services Secretary Tommy Thompson put a 60-day hold on implementing the rules, during which time HHS received 24,000 written comments.

Although HHS has decided to go ahead with the original mid-April deadline, it has left open the door to changes over the next several months. In addition, HHS will issue guidelines to clarify confusion about the regulations. These guidelines will recognize that doctors and hospitals must have access to medical information about their patients and be able to consult with other physicians and specialists regarding a patient's care; that patient care will not be unduly hampered by confusing requirements surrounding consent forms; and that parents will have access to information about the health of their children.

Experts are advising their clients to maintain an even keel despite this political turbulence.

"While changes may be made, thus altering the details of implementation, the goal of the privacy rule will remain the same," said Kristen K. Hughes, a healthcare attorney associated with SG&A Consulting. "The tumultuous climate surrounding the privacy rule should not delay reasonable efforts toward compliance. While changes to specific provisions of the rule may be seen over time, the issues addressed by HIPAA's privacy and security regulations will remain."

Douglas Orr, president of J&M Group, a healthcare consulting firm in Connecticut, offers similar advice.

"Privacy and security of patient data is of critical importance, irrespective of the national legislation that mandates such plans and policies," he said. "It's acceptable to continue forward with current action plans for the benefit of the institution and to continue monitoring any potential changes."

Further information about HIPAA is available at these Web sites:

Heath Care Financing Administration home page

HIPAA Online

HIPAA Advisory (Phoenix Health Systems)

HIPAA News (Phoenix Health Systems)

HIPAA Central (Siemens)

HIPAA Standards (American Hospital Association)

HIPAA Installation Guides