The Clinton administration's proposals to protect patients' electronic medical records fall far short of what is needed and do little in terms of setting national standards for dealing with confidential information, critics say.
"It only covers information that is electronic and (the proposal) is narrower than pending congressional bills," says Kathleen Frawley, vice president of legislative and public policy at the American Health Information Management Association, which represents 40,000 medical record and health information management professionals.
The regulations also may hurt patients, says Karen Ignagni, president of the American Association of Health Plans. "We are concerned that certain provisions may have adverse unintended consequences for patients," Ignagni said in a statement.
In proposing the regulations, HHS Secretary Donna Shalala said at an Oct. 29 press conference that the "standards are an important step forward in protecting the privacy of some of our most personal information."
Shalala developed the regulations after Congress failed to meet provisions of the Health Insurance Portability and Accountability Act of 1996, which called for enactment of comprehensive national medical record privacy standards by Aug. 21, 1999. Congress' failure to meet that deadline triggered a HIPAA provision that requires the secretary of HHS to issue final regulations by Feb. 21, 2000.
In making the announcement, Shalala said providers and others would have 90 days to comment, a period that would allow publication of final regulations within the time required by law.
HHS has estimated the five-year cost of compliance with the regulations at $3.8 billion. That figure doesn't include costs associated with complaints, sanctions and enforcement.
Among key provisions of the proposed regulations are:
- Providers and health plans would be required to give patients a clear written explanation of how they would use, keep and disclose information.
- Patients would be able to see and get copies of their records and request corrections.
- A history of most disclosures would have to be maintained and be made accessible to patients.
- A provider or payer generally would not be able to put conditions on treatment, payment or coverage based on a patient's decision whether or not to disclose health information for other purposes. They could not, for example, levy higher charges on patients who fail to agree to disclosure.
- Patients would have the right to restrict uses of their information.
- Patient information could be used by a health plan, provider or clearinghouse only for purposes of treatment, payment, operations and some limited public policy priorities. All disclosures of information would be limited to the minimum necessary for the purpose of the disclosure.
- Disclosures with patient authorization would have to meet standards that would ensure that the authorization is truly informed and voluntary.
- Health plans, providers and clearinghouses that violate these standards would be subject to civil liability and federal criminal penalties.
In terms of the impact the regulations will have, AHIMA's Frawley says that while most large providers have policies in place to protect confidentiality, smaller providers are going to find the regulations "burdensome" because they must establish policies and safeguards to protect the data, something that few of them have the time or expertise to implement.
The regulations will also have a big impact on employers, insurers, payers and databanks, which also haven't been as aggressive in implementing safeguards as hospitals and other large providers, says Claire Dixon-Lee, senior consultant at QuadraMed in Kalamazoo, Mich.
She describes the regulation as "a floor" offering minimum protections. She also notes that the regulation doesn't address state pre-emption, a failure that will allow for a patchwork approach to privacy by different states. QuadraMed is a large medical records management company headquartered in Richmond, Calif.
Frawley said that providers large and small have yet to set up policies and procedures to notify patients about what is being done with their records.
Providers also most likely haven't designated a privacy officer, which is a requirement of the regulations, she says.
Although the administration is moving forward with its regulations, Clinton urged the Republican-led Congress to draw up comprehensive legislation. Though Congress has been slow to act, Sen. James Jeffords (R-Vt.), chairman of the Senate Health, Education, Labor and Pensions Committee, has indicated that he will hold hearings in February 2000 on the regulations. This may help to get momentum going on Capitol Hill for passage of at least one of eight bills on the matter, Frawley says.
Congress hasn't acted up until now for two reasons. First, members of Congress can't decide to what extent federal legislation should pre-empt state legislation. Second, Capitol Hill can't make a decision regarding the private right of action, or the ability to sue for having one's medical records compromised, Frawley says.