Re: Standards for Privacy of Individually Identifiable Health Information; Proposed Rule (67 Federal Register 14776), March 27, 2002
Liberty Place, Suite 700
325 Seventh Street, NW
Washington, DC 20004-2802
(202) 638-1100 Phone
Thursday, April 25th 2002
Honorable Tommy Thompson
U.S. Department of Health and Human Services
Office of Civil Rights
Attention: Privacy 2
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Thompson:
On behalf of our nearly 5,000 member hospitals, health systems, networks and other providers of care, the American Hospital Association (AHA) welcomes the opportunity to comment on the proposed rule to modify certain standards in the rule entitled "Standards for the Privacy of Individually Identifiable Health Information" known as the "medical privacy" rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Ensuring the privacy of patients' medical information is a responsibility that America's hospitals have always taken seriously. The medical privacy rule is intended to give patients more control over their personal medical information, and hospitals remain committed to making it work. The Administration has acknowledged repeatedly, however, that the rule is seriously flawed and could, unless repaired, have "negative unintended effects" on patient care and essential hospital operations. The AHA has been steadfast in calling upon the Department of Health and Human Services (HHS) to move quickly and decisively to fix those portions of the medical privacy rule that threaten patient care and essential hospital operations.
The AHA is pleased that the Department has heard this message and responded to many of the concerns that hospitals have raised about the privacy rule by publishing proposed changes in a Notice of Proposed Rulemaking (NPRM) in the Federal Register on March 27, 2002. The AHA appreciates the opportunity to submit the attached detailed comments on these proposed changes.
The AHA believes that the modifications proposed would improve the workability of the rule for both patients and providers. The changes will allow hospitals to continue to fulfill their commitment to protecting the privacy of their patients' medical information without crippling their ability to provide high quality care to patients and imposing unnecessary paperwork burdens on both patients and hospitals. One noteworthy example is HHS' proposal to replace the current redundant written consent requirement with written acknowledgment that the patient received the hospital's privacy notice. This change eliminates the barriers to care created by the previous requirement while retaining strong patient protections for non-routine uses of information, such as marketing and research. It also ensures that patients will understand what those protections are and will have ready access to them. Finally, the new requirement assures that time spent in a hospital will be spent on patient care - not filling out unnecessary and redundant paperwork, which is a serious concern for patients and providers alike.
Research with more than 900 consumers in April 2002 conducted by an independent research firm, Market Strategies, shows that consumers support elimination of the unnecessary paperwork hassle created by the written consent requirement. We have attached to our comments a fact sheet summarizing what consumers said about the mandatory written consent form in this recent poll and a brief Q&A that explains why written acknowledgement is better for both patients and providers. The AHA strongly encourages HHS to adopt this proposed improvement as well as others that we identify in the attached detailed comments.
We also believe that the Department can - and must - go farther in a number of areas to build on the considerable improvements it has already proposed. We appreciate and urge adoption of, for example, HHS' clarification that sharing age-specific information among hospitals is permitted under the medical privacy rule's de-identification safe harbor. But the Department should improve upon its proposal by also allowing hospitals to share other non-facially identifiable information, such as zip codes and dates of service, for important purposes such as improving the quality of care for their patients, detecting outbreaks of disease and identifying the need for new and improved community health services. And, although we believe that HHS' suggested compromise that would allow a special limited data set of non-facially identifiable information to be shared among hospitals when accompanied by a data use agreement is not necessary to ensure the proper use of information, it is a significant improvement over the current rule and we urge that it be adopted in the final rule.
We also urge HHS to adopt its proposal to extend to April 14, 2004 renegotiation of existing business associate agreements to reduce the burdens associated with these requirements and appreciate inclusion of model business associate contract provisions in the proposed modifications. However, HHS should reduce further the complexity and cumbersome nature of the business associate requirements by: (1) eliminating the requirement that covered entities enter into business associate contracts with one another; (2) developing a certification program for suppliers that would eliminate the need for many business associate contracts altogether; and (3) creating an "incidental disclosure" safe harbor that would clearly eliminate concerns that a business associate contract would be needed with organizations where contact with protected information would result inadvertently (if at all) e.g., janitorial services, or from stealth behavior. In addition, HHS should revise the model business associate contract provisions to make them consistent with the requirements of the privacy rule.
We also remain concerned about the short deadline for complying with the medical privacy rule and urge HHS to phase it in on a more reasonable schedule. As HHS has seemingly acknowledged by extending the compliance date for renegotiating business agreements, many aspects of the medical privacy rule are confusing, burdensome and costly to implement. Some examples include training for all hospital employees and medical staff; developing and implementing policies and procedures to comply with the "minimum necessary" and other restrictions; and conducting a preemption analysis with regard to state medical privacy laws and integrating the results of that analysis with policies and procedures required by the federal medical privacy rules for one or more states. In addition, the delay in finalizing the security rules has added to the confusion and burden of implementing the medical privacy rule because the two are intertwined. This failure to finalize the security rule further contributes to the need to phase in the privacy rule on a more reasonable schedule.
Thank you for responding to a number of priority issues for America's hospitals in the proposed modifications to the medical privacy rule in the March 27 NPRM and for the opportunity to submit the attached detailed comments containing recommendations for further change to enhance these proposed modifications. We look forward to working with you to make sure the HIPAA privacy rule works for patients and hospitals alike. If you have any questions about these remarks, please call me at (202) 626-4625, or feel free to contact Melinda Hatton, vice president and chief Washington counsel at (202) 626-2336 or Lawrence Hughes, director, member relations at (312) 422-3328.
Executive Vice President
|Attachment:||Detailed Comments on the Standards for Privacy of Individually Identifiable Health Information; Proposed Rule (67 Federal Register 14776), March 27, 2002|