Changes in the privacy requirements of HIPAA may be afoot.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 enforces standards for privacy and security for health care-related data. The privacy provisions are set to take affect in April 2003. But this week, the US Department of Health and Human Services unveiled some proposed changes to those provisions.
Health and Human Services has proposed allowing users of patient information such as physicians and insurers more latitude when sharing data so not to interfere with treatment. A proposed extension for health care organizations obtaining business-associate contracts is also on the table.
The latter change is a bright spot for health care companies concerned about their information technology, said Glenn Fields, HIPAA service line director for Covansys. Health care organizations need to sign contracts with all companies that may come in contact with patient information to ensure HIPAA privacy requirements are enforced at all levels. Obvious examples of this are lab services and insurance companies.
But HIPAA goes one step further requiring such contracts with server vendors who may have access to machines for maintenance or upgrades. Even janitorial services would fall under these criteria, Fields said.
The extension gives health care organizations more time to negotiate the contracts. HIPAA provisions could be included in annual contracts up for renewal. Some companies have had problems because they had to renegotiate their existing contracts to add HIPAA items. "Any lawyer will tell you that when you renegotiate one thing, everything is on the table," Fields said.
As for the first part of the proposed changes, the way the rules are currently written, a physician would need to get a patient's consent to call a specialist to discuss treatment, said Fields. Even just calling a specialist to set up an appointment for a patient would require consent if any medical related information is shared, he said.
The proposed change would allow that same physician to share medical information with a specialist or with others involved with the health care of the patient. However, that patient would need to sign a form that outlines all the ways their health care data can be shared, Fields said.
"These are common-sense revisions that eliminate serious obstacles to patients getting needed care and services quickly while continuing to protect patients' privacy," said Health and Human Services Secretary Tommy G. Thompson in a statement. "For example, sick patients will not be forced to visit the pharmacy themselves to pick up prescriptions -- and could send a family member or friend instead."
Under the current rules, a patient may have been required to visit a pharmacy to sign a form before the pharmacist could fill a prescription.
There is a 30-day comment period for the proposed changes. When the privacy rules were proposed there was a tremendous response from privacy groups, physicians and others, Fields said. It took awhile for all the responses to be digested. No telling how long it will take for action on the proposed changes, Fields said.
"If I was forced to bet, I would assume there will be additional changes downstream," he said. "The law will get better as it evolves."