Introduction

The major medical privacy regulation in the United States is scheduled for compliance on April 14, 2003. As the White House coordinator for the proposed rule in 1999 and the final rule in 2000, I worked on this topic in great detail. Now, as a consultant to the law firm of Morrison & Foerster LLP (subject to University rules about consulting), I am working with clients to comply with the new legal requirements. I speak and write frequently on medical privacy topics.

In this page, I will give a chronology of how we have gotten to the current situation. This page provides links to my own work on medical privacy, as well as to major medical privacy documents and sites.

After many years of proposals for federal medical privacy legislation, the Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996. The political history is interesting. Most people at the time knew of the proposal as the “Kennedy-Kassebaum” bill, which most prominently stated that individuals could not be denied new employment based on pre-existing medical conditions. As momentum grew for the bill, industry representatives sought cost savings to offset the costs of the new regulation. Thus was born the “administrative simplification” part of HIPAA. As of 1996, the payments system for health insurance was a mess a hospital or medical device manufacturer might need to submit medical claims in literally thousands of different formats. Under “administrative simplification,” the major goals were to make payments: (1) electronic; and (2) in just a few standard formats. When these administrative simplification rules were released in 2000, the Department of Health and Human Services (HHS) estimated cost savings to industry of $29 billion over ten years.

What is the connection to privacy? Well, during consideration of Kennedy-Kassenbaum there was extensive debate about how to build medical privacy protections into the bill itself. After all, as medical records shifted to electronic format, many people realized it was important to provide confidentiality and security for those new electronic records. None of the legislative proposals passed. Instead, Congress set itself a deadline of August, 1999 to write detailed medical privacy legislation. If Congress did not meet that deadline, then HHS was required by HIPAA to issue a medical privacy regulation.

To assist Congress in drafting medical privacy legislation, HHS Secretary Donna Shalala issued detailed privacy recommendations in 1997. Congressional committees worked extensively on the issue, but no bill even emerged from subcommittee in either the Senate or House. HHS thus took over responsibility for drafting the regulation in August, 1999.

I became Chief Counselor for Privacy, in the Office of Management and Budget, in March, 1999. That spring, we got experience with medical privacy issues when there was a problem with a federal home health survey called OASIS. After an inter-agency process, HHS testimony explained a set of privacy protections that would henceforth apply to the survey. During this time, we were also working with HHS and the Congress to see whether legislation could pass before the August deadline.

As the summer of 1999 progressed, it became apparent that legislation was unlikely and that we would issue a proposed rule in the fall. The proposed rule drew on Secretary Shalala’s 1997 recommendations, the work of numerous inter-agency task forces on specific issues (medical research, law enforcement, public health, etc.), and late-into-the-night work at HHS led by the unsung hero and leader of the process, then Deputy Assistant Secretary Gary Claxton. Our role at OMB was to work with HHS on major issues and especially to coordinate the issues that involved agencies other than HHS, including health care in the Veterans Administration and Defense Department, law enforcement and other issues at Justice, and dozens of other issues involving over 15 different federal agencies.

The proposed rule was announced by President Clinton in the Oval Office on October 30, 1999. You can read the proposedrule, as well as the President’s speech and accompanying materials. We asked for public comments in 60 days, with the time later extended an additional 45 days at the request of both industry and privacy advocates.

Then the comments arrived by the February, 2000 deadline. Over 52,000 of them. In speeches during the period, I used to ask for volunteers to help read them. Not many people raised their hands. Instead, we assembled a group of approximately 70 federal employees, from about 15 agencies, to read and respond to the comments. In addition to written comments, there was an extensive and open process to meet with individuals and groups who were knowledgeable about the issues.

The final rule was announced by President Clinton and Secretary Shalala at HHS on December 20, 2000. You can read therule, as well as the President’s speech, the White House press release, the HHS press release, and a press briefing. I think the opening pages of the preamble do a good job of explaining the basis and purpose of the rule. The rule also contained the first full cost/benefit analysis of any federal privacy regulation. A key point in that analysis is the importance of the “baseline” for costs and benefits; we should not assume that every measure taken to protect confidentiality is a cost of the rule, because many of those precautions should and would have been taken in any event.

Some critics claimed that the December rule was a “last minute” rush to regulate. My own view is that people in the process worked diligently after February, 2000 to read and understand the numerous comments and respond to them in a reasoned and workable way. Some critics also complained about the length of the rule. In fact, the rule took a total of 30 pages in the Federal Register, with the other materials (including responses to all those comments and the cost/benefit analysis) totaling 330 pages.

When President Bush entered office in January, 2001 there was a major lobbying and public relations campaign to cancel the medical privacy rule. My own view is that many of the claims made during this campaign were overstated. Jan Lori Goldman and the Health Privacy Project,issued an excellent paper called “Myths and Facts About the Federal Medical Privacy Regulation” that took quotations from the PR campaign and showed how they were different from what the rule itself said. HHS asked for public comments by March 30, 2001 and received over 24,000 new comments.

I submitted detailed comments for the March deadline. My overall recommendation was that the final rule from December, 2000 should go forward but that HHS should propose specific, priority changes where appropriate. Despite press reports that the rule was going to be cancelled (see “White House Plans to Revise New Medical Privacy Rules,” by Robert Pear) the Administration ultimately decided to go forward with the rule and propose specific changes, similar to the course advocated in my comments.

Since that time, HHS issued Guidance on various medical privacy issues in June, 2001. Congress decided to extend the compliance date for other Administrative Simplification rules (House Bill 3323, and Senate Bill 1684) at the end of 2001, but specifically decided not to extend the date for medical privacy compliance.

In March, 2002 HHS issued its first proposed changes to the medical privacy rule. Many of the provisions of the December, 2000 final rule remain intact or have had only technical amendments. The greatest public concern was about the shift from prior patient consent for some data use to patient acknowledgement after the fact. A bigger change, in my opinion, was to the provisions about marketing. I think the marketing issue is a difficult one, but there was a disconnect on the issue between the Administration’s statements that they had toughened the rule and the actual effect of the proposal which would be to permit a broader range of marketing activities without patient consent than previously. Although I do not agree with all of the group’s policy positions, an especially clear description of the proposed marketing changes is available in theHealth Privacy Project’s comments on the proposed rule.

On behalf of Privacy Council, I submitted comments in April, 2002 on the proposed rule. (Here are my comments and othercomments from Privacy Council) The comments strongly support the use of short, plain-language notices under HIPAA. We found with the financial privacy law that too many notices to consumers were too long, too much in legalese, and generally incomprehensible. (I discuss the problems with these financial privacy notices in a recent law review article.) To give good notice to patients of privacy practices, and avoid a public outcry next April, HHS should support the use of short and clear notices wherever possible.

Another recent article examines the interaction of privacy and security in health care in the wake of the events of September 11. This article makes a number of points, about public health, the USA-PATRIOT Act, and other issues. Perhaps its most important point, though, is that it is essential to build good privacy into systems at the time they are being upgraded for tighter security. HIPAA is based on the idea that electronic transactions, computer security, and privacy should be built together. More generally, we should build good data practices for both privacy and security as we upgrade our systems in the future. This article was written for the Minnesota Law Review with Lauren Steinfeld, who worked with me at OMB and now is Chief Privacy Officer at the University of Pennsylvania and a consultant with me to Morrison & Foerster LLP.

That brings us up to date as of this writing in the summer of 2002. HHS issued its revised final privacy rule on August 9, 2002. Here is a summmary of the changes to the rule. The HIPAA medical security rule, which I had expected to be issued in early 2001, has not yet been issued.

Relevant Publications