
The passage of HIPAA placed the pressure of a deadline on Congress. HIPAA required that DHHS make recommendations to Congress on ways to protect individually identifiable information and to establish penalties for wrongful disclosure for health care transactions. The DHHS presented those recommendations on September 11, 1997. Congress had until August 1999 to enact a privacy law; otherwise, HIPAA required DHHS to promulgate regulations on privacy within six months thereafter.
With no comprehensive medical records confidentiality legislation passed in 1998, the issue was expected to receive more attention from Congress as it was forced to deal with the August 1999 deadline. Congress had a number of options, including the actual passage of suitable legislation, and was predicted to pass a provision to extend the August 1999 deadline.
Congress failed to enact legislation governing standards with respect to the privacy of individually identifiable health information by this August 21, 1999 deadline. Therefore, HIPAA required the Secretary of Health and Human Services to promulgate such standards by regulation. Proposed regulations, based generally on the above recommendations to Congress, were published in the November 3, 1999 Federal Register. On December 10, 1999, an additional 45-day extension was granted to the original 60-day comment period, allowing respondents a deadline of February 17, 2000.
AMA comments regarding the proposed Standards for Privacy of Individually Identifiable Health Information included a multitude of recommendations. However, the following points represent the AMA's overarching concerns:
That patients' confidential information could be disclosed without their consent for a broad array of purposes unrelated to the patient's individual treatment or payment and extending far beyond the necessary disclosures and uses patients would expect when they seek health care;
That many holders of patient information who may misuse such information would not be held accountable under the proposed regulation, despite attempts to bring them within regulatory reach by compelling physicians and other covered entities to, in effect, "police" them;
That physicians will be held liable for the uncontrollable misdeeds of their "business partners," although the physicians themselves are in compliance with the regulation's provisions;
That the administrative burden and costs of implementing the proposed regulation have not been adequately calculated, and would have a disproportionate impact on small physician offices; and
That the proposed rule contradicts the intention of its legislative directive under HIPAA to "simplify" health care administration and reduce costs, and does not improve patients' expectation of privacy in the health care system.