A long, arduous and occasionally harrowing seven-year journey from legislation to regulation reached its destination Monday, as the HIPAA rules governing the privacy of personal healthcare information officially took effect--but not without a few last-minute twists.
"This is clearly a beginning, but it is a momentous beginning," says Janlori Goldman, director of the Washington, D.C.-based patient advocacy group Health Privacy Project and longtime champion of patient privacy initiatives.
The official line from the Bush administration comes in the form of a Friday statement from HHS Secretary Tommy Thompson.
"The rules will help to ensure appropriate privacy safeguards are in place as we harness information technologies to improve the quality of care provided to patients," Thompson says. "The new protections give patients greater access to their own medical records and more control over how their personal information is used by their health plans, and healthcare providers."
The enforcement deadline follows a last-minute flurry of activity.
Responding in part to the outbreak of Severe Acute Respiratory Syndrome, the mysterious disease that has killed more than 100 people outside the United States, the Centers for Disease Control and Prevention on Friday issued a late guidance on HIPAA privacy to public health officials nationwide.
The guidance, which appears in the CDC's Morbidity and Mortality Weekly Report, includes sample language that public health agencies can follow in requesting protected health information from healthcare entities for public health reporting purposes. The August 2002 modifications to the HIPAA privacy rule allow for transfer of personal information to public health agencies in limited cases.
Also on Friday, the HHS Office of Civil Rights, which has responsibility for enforcing civil provisions of the privacy regulations, published directions and forms for the public to file complaints. HHS has said that enforcement will be driven by complaints rather than regular compliance audits.
In addition, OCR posted a 25-page summary of the privacy rule on its Web site Friday.
On Thursday, several patient advocacy organizations and a group of psychiatrists sued in federal court in Philadelphia to block several aspects of the HIPAA regulations.
James Pyles, an attorney for the plaintiffs, says that his clients are not seeking an immediate injunction to halt enforcement of the rules right away. "We're expecting to have the case fully briefed and argued before the district court," Pyles says.