Introduction
The major medical
privacy regulation in the United States is scheduled for compliance on
April 14, 2003. As the White House coordinator for the proposed rule in 1999
and the final rule in 2000, I worked on this topic in great detail. Now, as
a consultant to the law firm of
Morrison & Foerster LLP (subject to University rules about consulting),
I am working with clients to comply with the new legal requirements. I speak
and write frequently on medical privacy topics.
In this page, I will give a chronology of how we have gotten to the current
situation. This page provides links to my own work on medical privacy, as
well as to major medical privacy documents and sites.
After many years of proposals for federal medical privacy legislation, the
Health Insurance Portability and Accountability Act ("HIPAA") was passed
in 1996. The political history is interesting. Most people at the time knew
of the proposal as the "Kennedy-Kassebaum" bill, which most prominently
stated that individuals could not be denied new employment based on
pre-existing medical conditions. As momentum grew for the bill, industry
representatives sought cost savings to offset the costs of the new
regulation. Thus was born the
"administrative simplification" part of HIPAA. As of 1996, the payments
system for health insurance was a mess: a hospital or medical device
manufacturer might need to submit medical claims in literally thousands of
different formats. Under "administrative simplification," the major goals
were to make payments: (1) electronic; and (2) in just a few standard
formats. When these
administrative simplification rules were released in 2000, the
Department of Health and Human Services (HHS) estimated cost savings to
industry of $29 billion over ten years.
What is the connection to privacy? Well, during consideration of Kennedy-Kassebaum
there was extensive debate about how to build medical privacy protections
into the bill itself. After all, as medical records shifted to electronic
format, many people realized it was important to provide confidentiality and
security for those new electronic records. None of the legislative proposals
passed. Instead, Congress set itself a deadline of August, 1999 to write
detailed medical privacy legislation. If Congress did not meet that
deadline, then HHS was required by HIPAA to issue a medical privacy
regulation.
To assist Congress in drafting medical privacy legislation, HHS Secretary
Donna Shalala issued detailed
privacy recommendations in 1997. Congressional committees worked
extensively on the issue, but no bill even emerged from subcommittee in
either the Senate or House. HHS thus took over responsibility for drafting
the regulation in August, 1999.
I became Chief Counselor for Privacy, in the Office of Management and
Budget, in March, 1999. That spring, we got experience with medical privacy
issues when there was a problem with a federal home health survey called
OASIS. After an inter-agency process, HHS testimony explained a set of
privacy protections that would henceforth apply to the survey. During this
time, we were also working with HHS and the Congress to see whether
legislation could pass before the August deadline.
As the summer of 1999 progressed, it became apparent that legislation was
unlikely and that we would issue a proposed rule in the fall. The proposed
rule drew on Secretary Shalala's 1997 recommendations, the work of numerous
inter-agency task forces on specific issues (medical research, law
enforcement, public health, etc.), and late-into-the-night work at HHS led
by the unsung hero and leader of the process, then Deputy Assistant
Secretary Gary Claxton. Our role at OMB was to work with HHS on major issues
and especially to coordinate the issues that involved agencies other than
HHS, including health care in the Veterans Administration and Defense
Department, law enforcement and other issues at Justice, and dozens of other
issues involving over 15 different federal agencies.
The proposed rule was announced by President Clinton in the Oval Office on
October 30, 1999. You can read the proposed
rule, as well as
the
President's speech and
accompanying materials. We asked for public comments in 60 days, with
the time later extended an additional 45 days at the request of both
industry and privacy advocates.
Then the comments arrived by the February, 2000 deadline. Over 52,000 of
them. In speeches during the period, I used to ask for volunteers to help
read them. Not many people raised their hands. Instead, we assembled a group
of approximately 70 federal employees, from about 15 agencies, to read and
respond to the comments. In addition to written comments, there was an
extensive and open process to meet with individuals and groups who were
knowledgeable about the issues.
The final rule was announced by President Clinton and Secretary Shalala at
HHS on December 20, 2000. You can read the
rule,
as well as the
President's speech, the
White House press release,
the HHS press release, and a
press briefing. I think the opening pages of the
preamble do
a good job of explaining the basis and purpose of the rule. The rule also
contained the first full
cost/benefit
analysis of any federal privacy regulation. A key point in that analysis
is the importance of the "baseline" for costs and benefits; we should not
assume that every measure taken to protect confidentiality is a cost of the
rule, because many of those precautions should and would have been taken in
any event.
Some critics claimed that the December rule was a "last minute" rush to
regulate. My own view is that people in the process worked diligently after
February, 2000 to read and understand the numerous comments and respond to
them in a reasoned and workable way. Some critics also complained about the
length of the rule. In fact, the rule took a total of 30 pages in the
Federal Register, with the other materials (including responses to all those
comments and the cost/benefit analysis) totaling 330 pages.
When President Bush entered office in January, 2001 there was a major
lobbying and public relations campaign to cancel the medical privacy rule.
My own view is that many of the claims made during this campaign were
overstated. Janlori Goldman and the
Health Privacy
Project issued an excellent paper called
"Myths and Facts About the
Federal Medical Privacy Regulation" that took quotations from the PR
campaign and showed how they were different from what the rule itself said.
HHS asked for public comments by March 30, 2001 and received over 24,000 new
comments.
I submitted detailed comments for the March deadline. My overall
recommendation was that the final rule from December, 2000 should go forward
but that HHS should propose specific, priority changes where appropriate.
Despite press reports that the rule was going to be cancelled
(see
"White House Plans to Revise New Medical Privacy Rules," by Robert Pear),
the Administration
ultimately decided to go forward with the rule and propose specific
changes, similar to the course advocated in my comments.
Since that time, HHS issued
Guidance on various medical privacy issues in June, 2001. Congress
decided to
extend the compliance date for other Administrative Simplification rules (House
Bill 3323, and Senate Bill
1684) at the end of 2001, but specifically decided not to extend the
date for medical privacy compliance.
In March, 2002 HHS issued its first
proposed changes to the medical privacy rule. Many of the provisions of
the December, 2000 final rule remain intact or have had only technical
amendments. The greatest public concern was about the shift from prior
patient consent for some data use to patient acknowledgement after the fact.
A bigger change, in my opinion, was to the provisions about marketing. I
think the marketing issue is a difficult one, but there was a disconnect on
the issue between the Administration's statements that they had toughened
the rule and the actual effect of the proposal which would be to permit a
broader range of marketing activities without patient consent than
previously. Although I do not agree with all of the group's policy
positions, an especially clear description of the proposed marketing changes
is available in the
Health Privacy Project's comments on the proposed rule.
On behalf of Privacy Council, I submitted comments in April, 2002 on the
proposed rule. (Here are my
comments
and other comments from
Privacy Council.) The comments strongly support the use of short,
plain-language notices under HIPAA. We found with the financial privacy law
that too many notices to consumers were too long, too much in legalese, and
generally incomprehensible. (I discuss the problems with these financial
privacy notices in a recent
law review article.)
To give good notice to patients of privacy practices, and avoid a public
outcry next April, HHS should support the use of short and clear notices
wherever possible.
Another recent article examines the interaction of privacy and security in
health care in the wake of the events of September 11. This
article makes a
number of points, about public health, the USA-PATRIOT Act, and other
issues. Perhaps its most important point, though, is that it is essential to
build good privacy into systems at the time they are being upgraded for
tighter security. HIPAA is based on the idea that electronic transactions,
computer security, and privacy should be built together. More generally, we
should build good data practices for both privacy and security as we upgrade
our systems in the future. This article was written for the Minnesota Law
Review with Lauren Steinfeld, who worked with me at OMB and now is Chief
Privacy Officer at the University of
Pennsylvania and a consultant with me to
Morrison & Foerster LLP.
That brings us up to date as of this writing in the summer of 2002. HHS
issued its revised final privacy rule on August 9, 2002.
Here is a
summary of the changes to the rule. The HIPAA medical security rule, which
I had expected to be issued in early 2001, has not yet been issued.
Relevant Publications