Ready or not, HIPAA is here

April 14, 2003

Ready or not, the April 14 Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy compliance deadline has arrived. Among other changes, as of today:* patients are to receive a "notice of information practices" from providers

Ready or not, the April 14 Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy compliance deadline has arrived.

Among other changes, as of today:
? patients are to receive a "notice of information practices" from providers explaining new patient rights and how their health information will be used;
? patients must be given access to their medical records on demand;
? healthcare providers and plans are barred from disclosing identifiable health information to employers;
? hospitals must give patients the chance to opt out of having both their name and health status publicly available in hospital directories; and
? law enforcement agents must pursue some form of legal process before they can obtain access to health information.

Under the rule, individual patients do not gain any additional rights to legal action. Instead, the privacy law stipulates that individuals may direct complaints to the Department of Health and Human Services' Office for Civil Rights (OCR), which has been granted authority to impose civil and criminal penalties if covered entities are determined to be in violation of HIPAA.

Since DHHS officials have indicated that enforcement will be driven largely by complaints and that voluntary compliance is the most effective way to protect personal health information, some wonder just how vigorously the agency will enforce the law.

The Health Privacy Project, a nonprofit group dedicated to protecting privacy in the healthcare arena, announced on April 10 that it intends to track the number and types of complaints filed with the OCR and will monitor how resolutely irregularities are investigated.

"We want to ensure that patients' rights will be safeguarded and that OCR lives up to its responsibility to enforce the HIPAA
privacy rule vigorously," said Janlori Goldman, director of the Health Privacy Project.

Given that HIPAA does not grant people the right to sue, individuals must rely on the Bush administration to represent their interests.

"Our monitoring initiative is intended to ensure that consumers' voices are heard," Goldman said.

The Health Privacy Project has posted a model complaint form on its Web site (http://www.healthprivacy.org/) and is asking the public to provide it with copies of complaints submitted to the OCR.