President’s Privacy-Rule Review Creates Controversy, Confusion

Michael Levin-Epstein

Washington Watch

When President Bush decided to halt implementation of an array of regulations promulgated in the waning days of the Clinton administration, most business groups rejoiced and a cadre of advocacy and consumer groups began to mobilize in earnest. But of all the rules put on hold by the new administration, the final medical privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) stand out in terms of controversy and confusion. The end game is still cast in doubt.


The Clinton administration issued the privacy rules on Dec. 28, ticketing them for a Feb. 26 effective date for compliance. There is a standard 60-day consideration period, however, from the time a rule is sent to Congress and the time it can be made effective, a fact overlooked by Clinton administration officials who neglected to send the rule to Congress — giving rise to a delay of the effective date. On Feb. 23, Bush’s Department of Health and Human Services opened a new 30-day public comment period on the final rules.

Critics immediately charged the Bush administration with attempting to dilute or eliminate privacy protections for patients. Health and Human Services Secretary Tommy Thompson countered that the department was merely “trying to ensure that the provisions of this final rule will indeed work as intended throughout the complex field of health care, without creating unanticipated consequences that might harm patients’ access to care or the quality of that care.”

Advocacy groups are, as Peter Finch said in the movie Network, “mad as hell and not going to take it any more.” Citizens for Sensible Safeguards — a coalition of consumer, environmental, labor, and public health groups — and the American Civil Liberties Union have launched intensive lobbying efforts to retain the Clinton rules, arguing that the rollback is part of a larger effort to halt patients rights initiatives in Congress and the states.

Ronald Weich, an ACLU legislative consultant in Washington, D.C., says the current battle over the HIPAA regulations is part of a larger dispute over health care quality and privacy issues. “The Clinton administration proposal was better than what we now have, which is essentially nothing,” he says. Weich is not at all sanguine about the chances of preventing the Bush administration from ultimately weakening privacy protections for consumers.

Meanwhile, Janlori Goldman, director of the Health Privacy Project at Georgetown University, says her organization has been urging members to write Thompson to resist those in the health care industry who “have been pressuring the secretary to delay and weaken the regulation.”

“The regulations should be strengthened, not weakened, ” echoes Weich. “The industry has succeeded in killing a lot of patients rights protections in Congress.”

AMA’s stance

Industry insiders have joined the debate. Donald Palmisano, M.D., a member of the AMA board of trustees and cochair of the AMA’s Task Force of Privacy and Confidentiality, asserts that the AMA is committed to working with the new administration to strengthen the rule.

Yet despite the controversy over the final privacy regulations, Goldman explains, “They provide a new federal right to see and correct our own health information.”

A core issue, according to Palmisano, is trust. “If patients believe their records will be subject to review by government agencies, police, and attorneys without their consent, their trust will diminish,” he says. “Patient privacy will not be fully protected until Congress passes legislation extending privacy requirements to all entities that use medical information,” he adds.

Health plans’ concerns

Mohit Ghose, spokesman for the American Association of Health Plans, says AAHP is concerned about new provisions in the final regulations and will be filing additional comments, most of which focus on the operational aspects of putting these regulations to use.

One prominent health care industry official understands Thompson’s concern about unanticipated consequences of the new rule. “Some states already have situations where a relative can’t pick up a prescription. Questions exist as to the reach of these privacy consent provisions, such as whether a doctor could bounce ideas about a case off his peers,” he says.

Several industry leaders argue that their portrayal as anticonsumer and antiprivacy is patently unfair. Mary R. Grealy, president of the Healthcare Leadership Council, in Washington, D.C., asserts that the health care industry doesn’t oppose efforts to strengthen patient privacy and, in fact, has urged Congress to enact national standards to protect patient confidentiality.

“The final rule offers some improvements,” Grealy says, “but new provisions have been added that could seriously disrupt patient care.” The key concerns, according to Grealy: obtaining prior, specific written consent to use or disclose identifiable information for treatment, payment, and health care operations. “There was no opportunity for groups to comment on this major new provision, because it was not in the proposed regulations.” Grealy says.

“The need for patient protection is paramount, as it is essential to care that patients impart the necessary information to their physicians,” Ghose asserts, “but we need clarification on some of these provisions. In other words, don’t preclude us from carrying out disease-management programs. Don’t keep us from targeting women over 50 for mammogram reminders.”

As Grealy points out, “The final regulation could require pages and pages of information about how information will be used and disclosed,” and would, by HHS estimates, increase health care costs by $17 billion over the next decade.

The Health Privacy Project wants to dispel the popular myths on this issue, Goldman reminds us. Worth considering: HHS estimates the cost of implementing the regulation will be offset greatly by the savings associated with HIPAA’s standards for electronic transmission of patient information if implemented together, as contemplated by Congress. Delay could actually be more costly, as industry would need to redesign the systems a second time.

Recognizing that delays could jeopardize the security of existing electronic records, HHS has been granted authority under HIPAA to modify a regulation after it takes effect to make changes that are “necessary in order to permit compliance.”

Serious study needed

Douglas Hastings, a partner with the Washington, D.C., law firm of Epstein Becker & Green and president-elect of the American Health Lawyers Association, says the new administration “recognizes a balance must be reached to reasonably protect privacy and also assure that the information can be used appropriately for quality purposes and delivery of care purposes.”

The ultimate compliance date is two years after the effective date of the regulations, so the delay at this point will not necessarily change the end result. Of course, in the nation’s capital, delay can, in effect, turn into dissolution.