The Bush administration says it will change some of the HIPAA privacy standards before the end of the year as it braces for an expected flurry of lawsuits challenging various parts of the HIPAA transaction and privacy rules.
Donna Eden, senior attorney in the HHS Office of General Counsel, last month said the department would issue unspecified modifications to the privacy rules in November or December. Input from the medical community and the prospects of litigation have prompted HHS to clarify the regulations, she says.
In July, HHS Secretary Tommy Thompson issued the first of an expected series of guidances on the privacy rules. Eden, speaking at an Aug. 21 conference on HIPAA and healthcare technology at Harvard University in Cambridge, Mass., confirmed that there will be additional clarifications to the massive, complex set of privacy rules that became final April 12.
"It's not a static process," Eden says. "It will be ongoing."
She suggests that future enforcement of civil provisions within the HIPAA rules will depend on the motives of those being regulated. "Common sense and reasonable behavior can take you a long way."
According to Alan Goldberg, a professor at Suffolk University Law School in Boston, the privacy regulations contain numerous ambiguities and curious quirks.
He says, for example, that a front-view photograph can compromise an individual's privacy, but HHS does not consider photos taken from the side to be individually identifiable information for HIPAA purposes.
Eden says HHS expects some parties to mount court challenges to various HIPAA requirements before the rules take effect. Lawsuits already filed by physician groups in South Carolina and Arizona claim that the HIPAA privacy regulations are unconstitutional.
Several bills pending in Congress would repeal the HIPAA directive for HHS to develop national identifier rules for health plans, but Eden says that lawmakers have put that issue on hold until the privacy standards take effect. According to Eden, congressional leaders want to see how federal officials enforce the privacy regulations before taking further legislative action.
Eden notes that the HIPAA transaction regulations address 460 different types of healthcare claims, a situation that presents ample opportunity for lawsuits.
Because of all the uncertainties, Eden says the current effective dates--October 2002 for transaction standards and June 2003 for the privacy regulations--are "no more or less realistic than any other regulatory deadline."
The privacy regulations will not pre-empt existing state laws that are more stringent than the federal rules, according to Eden. "No one knows what 'more stringent' is going to mean," she says. "This is one of those issues that we fully expect to be litigated."
Eden also says rules governing personal healthcare information reported by whistleblowers "will certainly be tested, challenged in court."
Another gray area may be the application of HIPAA standards to certain "hybrid" entities. Eden says this classification includes companies or institutions with some nonprimary business components that handle protected patient information, such as firms with employee health clinics or schools that run infirmaries.