Final privacy regs not likely before November

Senior HHS official disputes speculation that regulations will be released before presidential election

A senior official at the Department of Health and Human Services (HHS) is downplaying reports that the Clinton administration plans to release its final patient confidentiality regulations before the Nov. 7 presidential election. The reports, published last week in The New York Times, also claim that the administration plans to extend patient protections beyond what was originally proposed.

But Bill Braithwaite, a senior advisor on health information policy at HHS, throws cold water on those reports. "This is an incredibly difficult huge task," he asserts. "The dates on which they will come out are unknown at this point," he says. "At this point, I don’t know how they could predict anything like that."

Braithwaite notes that HHS is still working its way through more than 50,000 communications with three or more comments each that were received on HHS’ proposed privacy rule released last year as part of the Health Insurance Portability and Accountability Act (HIPAA). "We are talking about 150,000 to 200,000 comments [that] must be summarized and integrated and somehow made sense of before we can produce a final rule that works," he explains.

"It is a very controversial thing, and there is no right answer," he adds. "Putting all those things together under normal circumstances, it could take three or four years to get something out." But if the president says, "Make it so," Braithwaite says some way will be found to make that happen.

Several specialists in this area warn that even when the regulation is released, they are not at all certain what form it will take. "There are still a lot of unanswered questions," says Sandra Fuller, vice president for professional services at the American Health Information Management Association (AHIMA) in Chicago. "I don’t think anybody is certain what will come out between now and November, and the question nobody can answer is whether the rule will take the same form as the proposed rule issued last year."

Roy Bussewitz, vice president of managed care at the National Association of Chain Drug Stores in Alexandria, VA, says the other major issue yet to be answered is whether the HHS regulation will include federal pre-emption of state privacy requirements. So far, HHS maintained that it lacks the power to override state privacy regulations. Without such pre-emption, Bussewitz and others say the resulting tangle of requirements may be incomprehensible. He also questions whether a federal election is an appropriate deadline to complete such a wide-ranging regulation.

The administration’s announcement follows the Health Care Financing Administration’s (HCFA) release of final regulations Aug. 17 for electronic standards for health care transactions, including standard forms for administrative simplification. Fuller says AHIMA was glad to see the final rule, but is still in the process of evaluating the regulation.

She says hospital compliance officers should waste no time developing a thorough understanding of the new standards and performing an inventory on how those standards will apply to their internal operations. She says that includes an understanding of how many claims are moving through an electronic data interchange and other operational functions in order to understand the scope of the regulation and assign people to make sure procedures comply with the new regulation.

Alton Brantley, vice president and chief information officer for MedStar Health in Baltimore, says the transactions amount to a uniform tax code. "At least there is one standard now that everybody measures themselves against and bills to," he says. "It is actually the easiest part of the HIPAA regulation to understand."

But he cautions that the security standards are more problematic. "You have to meet certain levels of security and choose your own method of doing so," Brantley explains. He says one problem with that is that once providers start looking at all the people and processes that must be linked, there must be a common approach. "Until there is a mass acceptance of a particular way of doing things, you are going to have a variety of different solutions implemented, some of which are compatible and some of which are not."

The Chicago-based American Hospital Association pegs the cost of compliance with the new electronic standards and other administrative transactions for hospitals at $1.3 billion over the next three years. That figure is dwarfed by the $40 billion figure that an independent consulting firm hired by the BlueCross/BlueShield Association in Washington, DC estimates the privacy regulations will cost hospitals.

According to that analysis, retraining and recertifying employees, hiring privacy officials, upgrading systems, and making other changes in infrastructure will cost $23 billion while the requirement that health care providers must track all disclosures of information would by itself cost $9 billion.