It turns out that HIPAA's privacy regulations are not as onerous as some doctors had originally feared and will allow them, for example, to phone in prescriptions before obtaining a patient's consent, according to a guidance from HHS.
The guidance, issued July 6, is part of an ongoing process to help doctors and other providers come into compliance by June 2003, when the privacy section of the Health Insurance Portability and Accountability Act regulations goes into effect.
HHS Secretary Tommy Thompson, in a prepared statement, called the guidance "an opening step in helping physicians, healthcare providers and health plans understand their obligations to patients under the rule."
Providers had asked HHS for direction on a variety of issues. Among other things, the guidance explicitly allows:
- Phoned-in prescriptions. Pharmacists will be able to fill prescriptions phoned in by doctors before they obtain a patient's written consent.
- Referral appointments. A change will permit direct treatment providers receiving a first-time patient referral to schedule appointments, surgery or other procedures before obtaining the patient's signed consent.
- Allowable communications. Providers are free to engage in whatever communications are required for quick, effective, high-quality healthcare, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care and use of patient names to locate them in waiting areas.
- Disclosure in emergencies. Providers are free to use a patient's name in an emergency situation without prior consent.
Robert Gellman, a Washington-based privacy consultant, says the regulations were not designed to be onerous and won't be much of a headache for small providers.
"The truth is that the smaller your office is, the easier it is to comply," Gellman says.
But not everyone agrees.
Capers Hiott, M.D., of Sumter, S.C., cites a government estimate that HIPAA compliance will cost doctors $20,000 each with "no way to recoup anything" from Medicare or private payers.
Hiott, an otolaryngologist in solo practice, complains that despite the guidance, privacy regulations remain vague. Meanwhile, many states have strong laws protecting privacy, which makes the federal rules unnecessary, he says.
Hiott is a member of the South Carolina Medical Association, which is suing HHS to wipe out the HIPAA privacy rules. The association argues that the rules are unconstitutional since the force of the law came from rules promulgated by the executive branch of the government rather than by Congress.
"What we want to do is get an injunction on and get it (HIPAA) back to Congress, where we'll have meaningful input," Hiott says. "We are behind patient privacy 100%; we just want it done right."
For many physicians, the guidance is moot, says Lloyd Van Winkle, M.D., a solo family practitioner and associate clinical professor at the University of Texas Health Science Center in San Antonio. Doctors are either unaware of or unconcerned about the privacy regulations in the first place, says Van Winkle, a member of the American Academy of Family Physicians.
On a scale of 1 to 10, the "level of awareness is a 3," Van Winkle says.
"They've heard the term HIPAA, they know it has something to do with privacy . . . most of them think it's only going to apply to electronic transmissions." Van Winkle says that most physicians protect privacy in their normal business dealings. If anything, HIPAA regulations will increase the awareness of patients to the privacy efforts made by physicians on their behalf.
As for his own practice, Van Winkle says it may take him a day to develop a confidentiality document or make minor changes to his office layout. Van Winkle says the medical records software he uses will be automatically updated by his software vendor to include privacy regulation compliance as part of his service agreement.
While small organizations may have an easy time of it, larger ones may not, says Tobi Tanzer, compliance officer at HealthPartners, a Minneapolis-based integrated health plan that has 600,000 enrollees. The problem will come in complying with HIPAA not only by itself but also in conjunction with state privacy laws and Gramm-Leach-Bliley. The latter is a law sponsored by Sen. Phil Gramm (R-Texas), Rep. Jim Leach (R-Iowa) and former Rep. Thomas Bliley (R-Va.) that covers privacy issues for financial institutions, including health insurers. A key question, for example, is which law pre-empts the others, Tanzer says.
"The privacy regulations are so complex we are still trying to slog through how all these things fit together," Tanzer says. "We are in the midst of our implementation efforts, but that midst is early on."
At this point, Bell says, clients are asking his firm to prepare assessments of their practices to see how much they need to do to get into compliance.
"They are asking us, 'Where do we start and what should we be doing now?'" Bell says. One way is to develop flow charts, which map out where patient information is coming from and going to and how it is being used along each step of the way.
The assessments, when complete, will then create a work plan, he says.
Jeff Blair, vice president of the Medical Records Institute in Newton, Mass., agrees that providers are just now beginning to look seriously at implementing the privacy regulations, since they were held up by Thompson and only given final approval in April.
"After April, people got serious about moving forward," Blair says. "There's a lot of up-front investment going on right now," including implementing risk assessments.
Many organizations are helping providers comply, including law firms, consulting firms, specialty societies and start-ups. For example, The Compliance Co. in Columbia, Md., will start walking doctors through the compliance process on its Web site, scheduled to go live later this month.
The company specializes in risk assessment and mitigation and provides updates on HIPAA. It plans to charge $750 for a complete compliance package, compared with $1,500 and up per day for consultants, says general manager Louis Lorton.
Moreover, HHS will provide technical assistance and further guidance to healthcare providers and other covered entities to help them comply. The department also may make more changes to the regulations.