HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAAdvisor Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

HIPAAdvisor: Q & A with Steve Fox

*** The New Comment Period's Impact ***

QUESTION: What impact, if any, does the new comment period have on the implementation of the final privacy rule?

ANSWER: It is unclear what effect the new comment period will have on the implementation deadline for the privacy rule. Currently, most covered entities are required to be in compliance with the rule by April 14, 2003.

On February 28th, the Department of Health and Human Services ("DHHS") announced that it was re-opening the public comment period on the final privacy rule (the "privacy rule" or "rule") for thirty (30) days. This announcement followed the discovery that the rule had not been sent to Congress for a sixty (60) day review period as required by law. Because major regulatory rules, like HIPAA, do not become effective until expiration of the congressional review period, the effective date of the privacy rule has been delayed until April 14, 2001. With some exception, covered entities must be in compliance with the rule by April 14, 2003, two (2) years after it goes into effect. The administration's position is that the delay in the effective date presents the perfect opportunity to solicit additional public comment in order to make a determination about whether certain provisions of the rule exceed DHHS' authority, as well as to examine potentially adverse and unintended consequences of the rule.

DHHS approximates that it has received one thousand (1,000) inquiries about the impact and operation of the rule since it was published in December 2000. Apparently, many of these inquires demonstrate that there is substantial confusion about the procedures mandated by the rule, as well as concern about its complexity and feasibility. Re- opening the comment period appears to be the administration's way of acknowledging these inquiries and the widespread public debate about the rule since its publication.

When looking for clues about the impact of the new comment period, it is important to note that this new comment period does not delay the rule's April 14 effective date. Although DHHS has indicated that it intends to review the comments it receives in order to determine whether changes to the final rule are warranted, Secretary Thompson has not wavered from his initial comments about the administration's commitment to ensuring the privacy and security of individually identifiable health information. Should DHHS decide to make modifications to the rule, there are any number of ways that these modifications could be implemented. Among countless other possibilities, DHHS could extend the implementation period for the rule by delaying the compliance date, suspend the rule pending additional review and/or revision, or make modifications to the rule effective sometime after the current April 14, 2003 compliance date.

As there has not been any public comment to the contrary, it is reasonable to assume that there are certain underlying principles and policies inherent in the rule that would remain intact even if the rule is modified. For example, the idea that patients should have the right to consent to certain uses of their medical information is not likely to be challenged. However, the mechanism for ensuring that patients are able to exercise this right could potentially be modified.

Other HIPAA regulations could potentially be affected if the privacy rule is suspended or delayed. The electronic transaction standards were developed in conjunction with the final privacy rule with the hope that compliance with both standards would be required at approximately the same time. DHHS has indicated that it will seriously consider suspending the application of the transaction standards or take action to withdraw them entirely if the privacy rule is substantially delayed.

Remember, the compliance deadline for the privacy rule has not been changed. Accordingly, it is probably a good idea for covered entities to continue ongoing preparations for compliance with the privacy rule.

Read past HIPAA Legal Q/A articles.

Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.