
CHIP Comment on HIPAA Privacy Rule

March 30, 2001

Tommy G. Thompson
Secretary, U.S. Department of Health and Human Services
Attention: Privacy I
Room 801, Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, DC  20201

Re:  45 CFR Parts 160 and 164 (Final Rule)

Dear Secretary Thompson:

The Coalition for Health Information Policy (CHIP) represents a broad array of professionals and organizations involved in the development, use, management, and security of health information systems, across all sectors of the healthcare industry.  While CHIP recognizes the need to modify some provisions of the Privacy Rule (as published at 65FR82462-82829), we strongly support the timely implementation of the information standards called for by Sec. 262 and Sec. 264 of the Health Insurance Portability and Accountability Act (HIPAA) and urge you to maintain the announced effective date for the Privacy Rule – April 14, 2001.

Summary

The members of CHIP recognize that the Department of Health and Human Services (HHS) may receive thousands of comments regarding the effective date of the Privacy Rule, as well as recommendations concerning the standards and implementation specifications established by the rule.  With this letter, CHIP, representing the American Health Information Management Association (AHIMA), the American Medical Informatics Association (AMIA), the Center for Health Information Management (CHIM) and the Healthcare Information and Management Systems Society (HIMSS), wishes to make the following comments (with detailed explanation to follow, below):

Effective date – As noted above, CHIP recommends that the effective date of April 14, 2001 be maintained.  The final Privacy Rule contains a complex and interlocking set of standards, but the Health Insurance Portability and Accountability Act (HIPAA) does provide for modification, and CHIP believes that the modifications we recommend below can be effected in sufficient time to make the Privacy Rule more workable within the period established by law.  To delay the effective date has the potential of throwing out years of work on the part of the public, the healthcare industry, and your department, and leaving us at ground zero.  While CHIP will advocate for additional privacy legislation needed to fill the gaps in the privacy rule created by HIPAA, we note that the Congress has tried for four years and for numerous reasons has been unsuccessful in adopting any legislation further than HIPAA to date.

Preemption – CHIP understands the limitations imposed by HIPAA with regard to developing regulations that will provide an appropriate, workable and effective floor of privacy protections.  However, we believe that without full preemption of state laws, the patchwork of state laws will continue to impede full protection of health information.  CHIP will work with members of Congress to seek further legislation in this regard, and we hope that you and the Administration will work with us to support passage of clear, uniform and enforceable federal standards.  We do suggest, however, that the preemption appeals process specified in the Privacy Rule be modified to allow public and industry comment as you make your decision on such appeals.

Right to request restrictions – CHIP has significant concerns with the healthcare industry’s ability to meet the Privacy Rule standard for an individual to request additional restrictions on the use and disclosure of personal health information.  We believe the standard conflicts with the healthcare provider’s medical, ethical, and legal obligations to maintain accurate and complete medical records.

Minimum necessary – CHIP has been a strong supporter of the concept of “minimum necessary use and disclosure” as central to the protection of medical records confidentiality.  However, we have two concerns with regard to the final Privacy Rule’s requirements in this regard.  First, we believe that a covered entity should be permitted to use its professional judgment and request additional justification for the amount of protected health information requested by another covered entity under some circumstances, and should be permitted to receive an assurance that the amount of protected health information requested by another covered entity is the minimum necessary for the stated purpose.  Second, we believe that covered entities should be deemed in compliance if they use a computer-based patient record system (CPR) that contains appropriate safeguard mechanisms and complies with the forthcoming HIPAA security regulation.

CHIP appreciates the opportunity to submit these comments and thanks HHS for consideration of the clarifications and modifications to the Privacy Rule we suggest in the appendix attached here.  We look forward to working with you and your department to ensure a workable and fully functional regulation.  A detailed discussion of our recommendations follows.

Respectfully submitted,

Linda L. Kloss, Vice President/CEO
AHIMA

Dennis Reynolds, Executive Director
AMIA

Carla Smith, CEO
CHIM

H Stephen Lieber, President/CEO
HIMSS


 

Appendix
The Coalition for Health Information Policy
Recommendations for Modifications to the Final Privacy Rule:
45 CFR Parts 160 and 164

Introduction

The membership of the Coalition for Health Information Policy (CHIP) includes:

  • the American Health Information Management Association (AHIMA) – 41,000 professionals who manage health records;
  • the American Medical Informatics Association (AMIA) – 3,700 information systems developers and academic physicians;
  • the Center for Healthcare Information Management (CHIM) – 140 healthcare information technology companies; and
  • the Healthcare Information and Management Systems Society (HIMSS) – with more than 43 chapters and 12,000 members who are healthcare professionals working in healthcare organizations worldwide.

Effective Date

The Secretary has the authority to make modifications to the Privacy Rule (see §160.104).  The final rule contains a complex and interlocking set of standards and implementation specifications that will impact the operations of covered entities, and their business associates, to varying degrees.  As a result, some stakeholders argue that the rule’s April 14, 2001 effective date should be delayed or extended, thereby delaying the current April 14, 2003 (or April 14, 2004 in the case of small health plans) date by which covered entities must comply with the applicable requirements of the rule.  CHIP does not agree with this position.  Further, we suggest that delay of a rule that has been developed within the context of more than four years of consultations between HHS and interested parties will be counterproductive to the task of instilling confidence in our patients that real safeguards are in place to protect their right to privacy and the confidentiality of personal health information.

While we will indeed have our work cut out for us during the two-year compliance period, we note that the rule specifically provides [at 160.104(b)] that the Secretary may adopt a modification to any standard or implementation specification that has been adopted at any time during the first year after such adoption, if “the modification is necessary to permit compliance with the standard or implementation specification.”  In our view this provides the Secretary with broad authority to make such modifications to the standards and implementation specifications of the final Privacy Rule as may be justified by the public comments received by March 30, 2001, to the extent that such modifications are “necessary to permit compliance” within two years on the part of covered entities.  Further, under 160.104(c) the Secretary must “establish the [new] compliance date for any standard or implementation specification modified” under this authority, and under 160.104(c)(2) “may consider the extent of the modification and the time needed to comply,” which would permit a compliance period of greater than two years if the Secretary determines that is appropriate.

We note that Sec. 264(d) of HIPAA requires that the Secretary consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out the development of regulations establishing standards for the privacy of individually identifiable health information, and determining whether such standards shall supersede contrary provisions of state law.  CHIP recommends that, at a minimum, the same consultation process should be followed as the Secretary makes modifications during the first year [under 160.104(b)] or each year thereafter [under 160.104(a)].

With appropriate consultation in place, CHIP believes that the Department can work with the public and the healthcare industry to make the corrections necessary to ensure that the first national standards for privacy are meaningful, efficient, effective, and continue to evolve to meet the changing needs of our patients and the healthcare system.

Preemption

Over the past decade, individually and together, the organizations of CHIP have strongly advocated for the enactment of comprehensive federal legislation to protect the confidentiality of medical records and the privacy of patients.  Representatives of our associations have shared their expertise on numerous occasions with Congressional leaders as they have attempted to craft such legislation, and with the staff of your Department as they have worked to develop the series of administrative simplification standards called for in HIPAA.

CHIP’s statement of principles notes:

“The enormous potential of computer and communications technologies to improve health care delivery, quality and access, while also reducing costs, cannot be realized unless individuals, and society, are confident that safeguards are in place to protect the confidentiality of personal health information.  Federal legislation should preempt [emphasis added] the current patchwork of federal, state and local laws and regulations, and delineate fair information practices governing the collection, use, and disclosure of personal health information.  These uniform national standards should protect identifiable personal health information, while allowing effective and efficient management and delivery of healthcare services, and fostering advances in medical and health services research and promotion of the public health.”

CHIP recognizes that HIPAA imposes certain statutory limitations on the Department’s authority to establish national health information standards that supersede state laws.  Nevertheless, we must point out that the delivery of healthcare is increasingly an interstate activity, and that conflicting and inconsistent local laws provide little realistic guidance regarding either rights or responsibilities to patients, providers or health plans.  Further, we strongly believe that an individual’s state of residence (or of service delivery) should not have a substantial impact on his/her exercise of rights in regard to health information, and that enactment of at least some new state laws intended to be “more protective” of privacy will be frustrated by ERISA preemption.  Simply, we are concerned that the lengthy list of exceptions to the federal privacy protections promulgated in the final rule may encourage states to rush to enact “more stringent” privacy laws that will have little positive effect.  Thus, the Coalition for Health Information Policy will continue to encourage both Congress and the Administration to support passage of clear, uniform and enforceable federal standards to protect the confidentiality of individually identifiable health information.

The right to request restrictions

As noted in our principles for the confidentiality of health information, CHIP strongly believes that all health information should be accorded the same high level of privacy protection.  Segregating or requiring special procedures for certain subsets of the individual health record is ill-advised both clinically and administratively.  HHS itself articulated the crucial importance of maintaining a complete and integrated clinical record:

“The maintenance and exchange of individually identifiable health information is an integral component of the delivery of quality health care.  In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior and other aspects of their lives.  Health care providers, health plans and health care clearinghouses also rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient’s ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.”  [FR 64 (212) 59919]

From a clinical perspective, suggesting that individuals should restrict “how protected health information is used or disclosed to carry out treatment, payment, or health care operations” [164.506(c)(4)(i)] may affect future care decisions in ways that were not intended by the patient.  For instance, a patient might request that information relating to his/her diagnosis of diabetes not be available to anyone other than a single physician.  However, the same patient might want to receive preventive care reminders, aspects of which could be directly affected by the diagnosis of diabetes.  In such a situation, both the information used to treat the patient, and the information provided to the patient for his/her overall care, would be incomplete.

Operationally, while it is possible to maintain separate payment records, as may be done when individuals choose to self-pay for health care, the idea that individuals should have a right to request restrictions or limitations on specified uses/disclosures of protected health information to carry out treatment and health care operations as well, assumes the ability to partition information into discrete “pieces” according to some unspecified rule set.  For example, one patient may request that all information connected to a healthcare visit on a specific date be protected, while another patient may request that all information relating to his/her HIV test be specially protected.  Allowing such partitioning is contrary to the medical, ethical and legal obligations that require providers to maintain accurate and complete medical records.  Indeed, ‘blanking out’ certain pieces of a medical record could create a safety hazard to the patient.  Further, it conflicts with the construction of an integrated medical record that facilitates fully informed decision-making by both provider and patient.

Although our members have enormous experience in creating health information systems, we know of no clinical data repository, whether paper-based or electronic, that can consistently and accurately tag, and control access to pieces of information within the medical record.  Indeed, we know of no commercial database management system that is able to control access to data at the field level, which this kind of protection would require.  In short, CHIP believes that a requirement that every patient be offered a “right to restrict” pieces of health data is not only clinically ill-advised but logistically and technically impractical.

While there are indeed occasions – such as when an individual patient is a public figure – when it makes sense for a covered entity to impose specific and unique restrictions on a given medical record for otherwise routine uses and disclosures, these instances are relatively uncommon and are appropriately handled on a case-by-case basis.  If a provider or other covered entity is willing to agree to patient-specified restrictions on how protected health information is used or disclosed for treatment, payment or healthcare operations, we believe they should be allowed to do so.  But CHIP strongly objects to requiring that every covered entity offer every patient the “right” to request such restrictions, especially since the fact that covered entities would not be required to agree to such restrictions [164.506(c)(4)(ii)] makes this “right” an illusory one.

Based on the preceding comments, CHIP recommends the following modifications to the final Privacy Rule:

Sec. 164.520  Notice of privacy practices for protected health information

Delete – 164.520(b)(1)(iv)(A) and

Amend – 164.520(b)(2)(i) to read:  “In addition to the information required by paragraph (b)(1) of this section, a covered entity may include in its Notice a description of a right to request restrictions on certain uses and disclosures of protected health information as provided by 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction; and if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by 164.512(j)(1)(i).”

Sec. 164.506  Consent for uses or disclosures to carry out treatment, payment, or health care operations

Renumber – 164.506(c)(5) as 164.506(c)(4)

Renumber – 164.506(c)(4) as 164.506(c)(5) and insert: “The covered entity may state that: (i) The individual has the right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations;”

Sec. 164.522.1  Rights to request privacy protection for protected health information

Leave unchanged the permission for an individual to request restrictions provided by the standard at 164.522(a).

Minimum necessary use, disclosure and request

In our comments on the proposed privacy rule (NPRM), the Coalition for Health Information Policy and its members offered strong support for the concept of “minimum necessary use and disclosure” as central to the protection of medical records confidentiality.  However, we noted that implementation of the minimum necessary principle is difficult, and CHIP suggested: 1) that the final rule should more clearly encourage the deployment of computer-based record systems (CPR) as an important approach, and 2) that HHS articulate a “good faith” standard under which covered entities could engage in reasonable decision-making about what amount of information is reasonable to meet the needs of the requestor.

In regard to crafting privacy standards that will be consistent with HIPAA’s objective of facilitating the development of the electronic health information environment, we noted: “[G]iven the experience of our members with both paper and computer-based record (CPR) systems, we must point out that the [“minimum necessary”] principle is difficult to effect with consistency and clarity in paper-based systems, and in fact may slow the handling and transmission of clinical health information without producing significant improvements in security and confidentiality [emphasis added].  In fact, implementation of the “minimum necessary” requirement is one compelling reason for our support of the CPR and for fostering the migration of patient records to the electronic environment.”

While the final rule offers meaningful improvements in a number of the implementation specifications relating to “minimum necessary” uses, disclosures and requests, especially in establishing a “reasonable effort” standard, we continue to believe that computer-based patient record systems have significant practical advantages over most existing paper record systems.  For instance, CPRs commonly have provisions to limit access to patient data based on user security permissions, professional roles, the existence of a professional relationship, and “need to know” filters that apply to particular uses or disclosures.  We urge the Department to work with the National Committee on Vital and Health Statistics (NCVHS), the Workgroup on Electronic Data Interchange (WEDI), and expert groups such as CHIP to produce relevant guidances that will encourage covered entities to transition appropriately to electronic information systems whose design includes privacy, security and safety considerations.

The final rule appropriately establishes a ‘good faith’ standard for “minimum necessary” at 164.502(b)(1): “When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts [emphasis added] to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”  At 164.514(d) the rule outlines a series of such reasonable efforts to appropriately limit uses, disclosures, and requests, including: identification of access standards by role or responsibility within the workforce; criteria for the assessment of the amount of protected health information reasonably necessary to accomplish the purpose of both routine and non-routine disclosures; policies and procedures to limit both routine and non-routine requests; and the like.  In order to encourage covered entities to take advantage of the opportunity to ‘build in’ such “reasonable efforts” into their health information systems, CHIP recommends that covered entities should be deemed in compliance with the “minimum necessary” standard with regard to internal uses and disclosures if their computer-based patient record system contains appropriate safeguard mechanisms and complies with the forthcoming HIPAA security regulation.

In regard to ensuring “minimum necessary” disclosures by covered entities, at 164.514(d)(3) the rule establishes that a covered entity must implement policies and procedures for making routine and recurring disclosures of protected health information and develop criteria for reviewing other disclosures.  164.514(d)(3)(iii)(B) further stipulates that when “the information is requested by another covered entity” the disclosing covered entity may rely on an assurance that the requested disclosure in fact is limited to the minimum necessary information for the stated purpose.  Similarly, 164.514(d)(4) requires that the requesting covered entity have in place policies, procedures and review criteria to limit its requests for PHI to the amount that is minimally necessary to accomplish the stated purpose.  While we applaud the establishment here of requirements for both requesters and disclosers, and the essential obligation of requesters to provide an assurance that can be relied upon by a covered entity that discloses protected health information for either routine or non-routine purposes, CHIP recommends the following additions to further clarify the relationship between covered entities as requesters and disclosers of protected health information:

Sec. 164.514  Other requirements relating to uses and disclosures of protected health information

Insert – 164.514(d)(3)(iv) to read: “A covered entity may, in the exercise of its professional judgment, request additional justification for the amount of protected health information requested by another covered entity when making a disclosure of protected health information on a routine and recurring basis or for other disclosures.”

Insert – 164.514(d)(4)(iv) to read: “Provide an assurance that the amount of protected health information requested of another covered entity is the minimum necessary for the stated purpose.”

Insert – 164.514(d)(4)(v) to read: “Respond to a request for additional justification regarding the protected health information requested of another covered entity, if such request is made under 164.514(d)(3)(iv).”
