The federal government issued much-anticipated HIPAA privacy regulations days before Christmas, ending the yearlong guessing game of when providers would know what the law requires.
President Clinton held a press conference Dec. 20, the day the final regulations were issued, to trumpet his administration's efforts to safeguard patient information. The regulations reach further than initially proposed, covering not only electronic patient information but also oral and written communications. The arguably stiff penalties remained the same.
The security regulations are expected to be published this month. And at least one consultant doesn't expect major changes in that regulation.
"The security rule is a good, solid proposal," says Margret Amatayakul, a consultant in Schaumburg, Ill. "Anyone could live with it. The privacy was very controversial. It was difficult to implement. It's not so much the industry doesn't want to preserve confidentiality. It was the manner in which it was suggested it be done."
Security refers to the technical means used to protect all data, whether paper, oral or electronic. Privacy relates to patients' rights to control information about themselves. The privacy regulations would apply to healthcare providers, plans and clearinghouses and would cover all protected information. The regulation is intended to be flexible and scalable: each covered entity assesses its own needs and implements policies suited to its information practices and business requirements.
Penalties for security violations include a maximum fine of $25,000 per year per violation. However, consultants have cautioned that there are hundreds of ways to violate the regulations, so penalties could mount quickly. Privacy violations carry penalties of up to 10 years in prison per violation.
There were thousands of comments on the proposed regulations, and many of them addressed the privacy rules. Providers, plans and others considered some of the requirements to be onerous.
In an interview days before the privacy rules were announced, Amatayakul said she expects "the rewritten regulations will assure patients that their information won't be used inappropriately but not hamstring (providers) to the point where we can't do any marketing or fundraising."
She said that patients still will have to give permission to transfer their records.
Many physicians were concerned about the extent to which patients have the right to amend their records and personal information, she says. The proposed regulations guaranteed patients the right to add or delete any information in their records and to control what information is added to the record. "They'll probably soften that," Amatayakul said.
The final proposed regulations for transaction code sets were published in August. As with other HIPAA regulations, entities have 26 months in which to become fully compliant.
HHS wound up with the task of writing the privacy and security regulations after Congress failed to act in 1999.
Amatayakul says that regardless of whether the security regulations loom on the horizon, healthcare businesses are realizing the importance of security. Several high-profile cases of patient information being released, either on purpose or inadvertently, have driven home the need for increased security.
"The industry as a whole is recognizing that security is important, whether it's HIPAA or not," Amatayakul said. "We have got to beef up security."