The deliberate deluge has begun. Several national hospital groups are encouraging their members to flood HHS with comments on the recently delayed patient privacy regulations in hopes of delaying them further, pruning them back or even scuttling them altogether.
"Quality comments matter, but so does quantity," said Herb Kuhn, vice president of advocacy at the Premier hospital alliance.
In February, HHS delayed the effective date of the controversial patient-privacy regulations, which impose new medical information handling requirements on healthcare providers, to April 14 from Feb. 26. HHS Secretary Tommy Thompson used the opportunity to open a second public comment period and give both the industry and patient rights advocates another chance to chime in.
In the first public comment period, HHS fielded some 52,000 comments from November 1999 to February 2000. The current comment period opened Feb. 28, and HHS has received more than 1,300 comments in the three weeks since, the agency said.
"Hospitals are urged to comment on the issues that will impact healthcare providers the most," San Diego-based Premier said in a letter it sent to 1,800 member hospitals on March 6. Premier also called major integrated delivery networks reminding them to submit comments.
In its letter, Premier described components of the privacy regulation around which hospitals should consider basing their comments.
Premier argued, for instance, that the final privacy regulations published in the Dec. 28, 2000, Federal Register went too far when the regulations expanded the scope of protected patient information from electronic data to any form of information, including oral communications.
"HHS officials exceeded the scope of authority granted to the agency in the (Health Insurance Portability and Accountability Act of 1996) in pushing through this expansion," the letter said.
In a similar bulletin the American Hospital Association sent to its members, the association echoed Premier's call for comments on the expansion of protected health information. The AHA also recommended that hospitals voice their objections to other controversial pieces of the privacy regulation, including one that requires providers to obtain written consent from patients before using their health information for even the most routine administrative and clinical purposes.
The Healthcare Leadership Council, a Washington-based organization that represents providers, insurers and pharmaceutical companies, also wants HHS to withdraw the consent requirement.
"We want to make sure the department hears from as many people as possible, with specific examples" of how the final regulation will affect them, said Healthcare Leadership Council President Mary Grealy.
"(HHS) Secretary Thompson invited us to apprise him of the unintended consequences of these rules," said Melinda Hatton, the AHA's Washington counsel. "We are taking his invitation very seriously."
So is the St. Louis-based Catholic Health Association. "We are committed to privacy," said the Rev. Michael Place, the CHA's president and chief executive officer. "We just don't want regulations to get in the way of protecting privacy or patient care."
In its call for comments, the AHA listed five major problem areas within HIPAA's privacy regulation. "If (hospitals) add to and embellish upon those concerns, we're delighted," Hatton said.
Many providers said they support the concept of privacy but not some of the nitty-gritty requirements.
"We are fully on board with what HHS is trying to do," said Rita Aikins, information security and privacy officer for the Oregon region of Seattle-based Providence Health System. "We don't want to say we think this is a bad idea. It's just that there are some cumbersome pieces."
Among the cumbersome pieces, according to critics, is the "minimum necessary" rule, which limits the amount of information about a patient that hospital departments and staff can share with other departments and staff, except in the context of caregivers providing treatment. For instance, before a physician sends a claim to the hospital billing department, the physician must determine what is the minimum amount of patient information that department needs to pay the claim. However, the minimum necessary rule does not apply when a physician must share information with other caregivers to provide treatment to the patient.
Providence's comments to HHS, Aikins said, will suggest that HHS revisit the deadlines for compliance with HIPAA's various regulations. "Staggered release of regulations will compromise our ability to effectively implement the goals expressed in HIPAA," she said.
"The (privacy) regulation is one that is certainly much more challenging and its benefit to the organization much less," said Blake Jensen, senior vice president and chief information officer of Burlington, Vt.-based Fletcher Allen Health Care. Fletcher Allen plans to submit comments to HHS before the March 30 deadline.
How much the new comments will alter the privacy regulation is unclear. If the regulation changes in fundamental ways, HHS said, it might be unreasonable to start the compliance clock ticking as now planned.
Some believe all the delays and public comment periods are creating confusion in the industry as to when compliance is required and what it entails.
"The sooner we get these rules finalized and moving forward, the better off we'll be," said Chris Weirz, vice president and HIPAA practice leader at Phoenix Health Systems, a Montgomery Village, Md.-based consulting firm. "The industry doesn't have an opportunity to keep resources on hold until the rule is done."
-With Jonathan Gardner