HHS Secretary Tommy Thompson's announcement that the HIPAA privacy regulations are final but subject to tinkering has medical executives wondering how they can comply with a moving target.
Thompson announced the final regulations April 13. The privacy regulations are the second leg of the three-legged stool that is the Health Insurance Portability and Accountability Act.
Earlier this year Thompson reopened the regulations, once thought to be final, to another 30-day comment period. However, Thompson decided to let the regulations stand as written but reserved the right to adjust them as time passed.
The decision has left physicians and others who handle patient information wondering how they can comply with regulations that could change at any time.
HIPAA makes it a federal offense to release any patient-identifiable information to anyone not specifically authorized to know it.
Medical organizations now face not only figuring out how to prepare for the final regulations issued by former President Clinton in the waning days of his administration but also the likelihood of more changes over the coming year.
Within days of the regulations being issued, officials with health plans and physician organizations said they were concerned about their scope, or lack thereof.
AMA officials wrote to Thompson asking that the government provide more time to implement the regulations and address closing some of the loopholes that allow marketing of some patient information, says AMA trustee Donald Palmisano, M.D.
The organization is concerned that the regulations put the onus on physicians not only to protect patient information but also to police business partners who have access to that information.
"We would like Congress to extend the reach to everyone who comes in contact with all medical information," Palmisano says. "We've asked that the implementation of the regulations be withheld until two years after all portions of HIPAA are (finalized)."
The Medical Group Management Association's main concern is the major technological system upgrading that will be required to become HIPAA-compliant, says Robert Tennant, government affairs manager for MGMA, which represents 7,000 provider groups.
Since some of the requirements for transaction code sets, including provider numbers, haven't been finalized, adhering to the October 2002 compliance deadline will be difficult, Tennant says.
"Do you upgrade to be in compliance or do you wait until all the standards are out before you move in that direction?" he says. "I don't know how difficult it's going to be . . . or what types of costs it's going to entail."
HCFA could face hundreds if not thousands of changes in the privacy regulations, he says. "Some of them are going to be minor spelling errors . . . and some are going to be major."
The only concrete thing that finalizing privacy regulations did was reinforce "that HIPAA is actually going to happen. There was the potential that if privacy was pulled, all of HIPAA would fall," Tennant says.