Federal panel cites compliance confusion: Government falls short on HIPAA help

Physicians are still not sure what they must do to meet requirements of the medical records privacy law.

By Joel B. Finkelstein, amednews staff. Dec. 16, 2002.

Washington -- The deadline for complying with rules protecting patients' privacy is looming, and the government isn't doing enough to get the message out, according to a federal advisory panel.

Recent letters from the National Committee on Vital and Health Statistics laid out Dept. of Health and Human Services shortcomings that are undermining the push to physician compliance with the privacy rules.

Privacy paperwork
Links
Topic: HIPAA

"There is an extremely high level of confusion, misunderstanding, frustration, anxiety, fear and anger as the April 14, 2003, compliance date nears," the committee wrote in a November letter to HHS Secretary Tommy Thompson.

The privacy rules are part of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996. They require all doctors' offices, including small practices, that use electronic billing to follow standardized rules to protect their patients' personal and medical information.

"Physicians in large practices and academic centers are well on their way" toward compliance, said Mark Rothstein, chair of the NCVHS subcommittee on privacy and confidentiality, which has held nationwide public meetings to assess readiness among solo physicians, large medical practices and everything in between.

"The problem is, small practices -- especially rural doctors -- don't have the resources, expertise or time to comply," he said.

HIPAA rules will not preempt state laws if state requirements are more restrictive.

Even some larger practices are unlikely to be ready by the April deadline, said Ryan O'Connor of the American Medical Group Assn. "I don't want to say they are in denial, but they are almost acting that way."

For many groups, the substantial administrative costs of implementing the rules are standing in the way, O'Connor said. The privacy law will make updating computer systems for Y2K look like a "drop in the bucket."

Many physicians are unaware of HIPAA, said one of its authors, William Braithwaite, MD, now a consultant at PricewaterhouseCoopers. Those who know about it are scared because they aren't sure what they need to do, and no one is telling them.

"The NCVHS has looked at this very closely, and this is a group that doesn't write a letter like that without having serious concerns," he said.

The panel's concerns and findings have remained consistent through several meetings in recent months. In a September letter to Thompson, the panel said it was "surprised and disturbed at the generally low level of implementation activities and the high levels of confusion and frustration."

The letter goes on to say: "While some professional societies and other groups have made laudable efforts to educate their members, many physicians, dentists, and other health care providers, especially those in small towns and rural areas, have never heard of HIPAA, do not think it applies to them, or confuse their obligations under the privacy rule with their duties regarding standards and security and claims attachments."

Further confusing these issues is the fact that the rules do not preempt state laws if state requirements are more restrictive. There is little guidance to help physicians determine when state regulations apply and when HIPAA rules do. Preemption analyses, done by private consultants, can be costly and complicated and are not binding on enforcement agencies.

Trying to comply

The AMA concurs with the committee's conclusions, said President-elect Donald J. Palmisano, MD.

"What we are looking for is a way to ensure privacy without creating unnecessary burdens and expenses for physicians," Dr. Palmisano said. Many doctors feel overwhelmed by the looming rules, he added.

The NCVHS has 22 recommendations to help physicians and others prepare for the privacy requirements.

"We want to be in compliance; we just want to know how," psychiatrist Michael Kalm, MD, testified at a recent NCVHS subcommittee hearing.

Small offices should have little difficulty in implementing physical requirements of the privacy regulations, such as positioning computer screens so that passers-by cannot see them or putting charts in backwards to hide patient information, Rothstein said. But more complex rules, such as creating and distributing confidentiality and authorization forms, are likely to prove more difficult and time-consuming.

The NCVHS said in its November letter that the government should do more to help physicians and others prepare for the privacy requirements. It offers 22 recommendations directed mainly at the Office of Civil Rights, which is in charge of ensuring compliance with the privacy rules.

The committee called for improved outreach, education and technical assistance to help covered entities learn what they need to do to come into compliance. The letter also recommends that the OCR better train its regional staff to serve as definitive resources for local groups.

The office also should create guidance documents and sample forms that doctors' offices could use as models for forms that they are supposed to hand out to patients.

But despite the confusion, HHS has done a lot of work, considering that Congress provided no money to help the agency pave the way for the rules, Dr. Braithwaite said. It has not been able to do much outreach, though, which prevents many doctors from receiving its message.

ADDITIONAL INFORMATION:

Privacy paperwork

HIPAA's privacy rules require doctors' offices to implement measures to ensure patient privacy. The rules also require physicians to document and inform their patients of these measures. New paperwork includes:

Notices informing all patients of office privacy policies and how they are accomplished.
Patient authorization forms for sharing information for nonroutine purposes, such as marketing.
Contracts with business associates, informing them of privacy practices and restrictions.