Liberty Place, Suite 700
325 Seventh Street, NW
Washington, DC 20004-2802
(202) 638-1100 Phone
Wednesday, April 14, 2004
The Honorable Tommy Thompson
Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Thompson:
On the one year anniversary of the Health Insurance Portability and Accountability Act's (HIPAA) medical privacy rule, the American Hospital Association (AHA) is writing to thank you for your leadership on this very important issue. We also want to share our member hospitals' perspectives on the implementation of the rule and suggest some changes that would eliminate problems with the rule that interfere with essential hospital operations. As you know, America's hospitals take their commitment to ensuring the privacy of patients' medical information very seriously and are strongly committed to ensuring that the HIPAA medical privacy rule works for both patients and hospitals.
Hospitals' experiences with compliance over the past year have shown that the changes that your administration spearheaded in the medical privacy regulations effectively eliminated major barriers to timely and effective care while strongly protecting patients' medical privacy rights. These changes removed some of the unnecessary burdens involved in implementing the rule, making it more workable for patients and hospitals alike. Despite some confusion about certain complex aspects of the rule, the inevitable and continuing need to adjust compliance efforts, and initial concerns about enforcement policies, hospitals' efforts to implement the rule continue to proceed smoothly.
Much of this initial success can be attributed to the Department of Health and Human Services' (HHS) flexible and reasonable approach to enforcement of the rule and its efforts to provide guidance and assistance to hospitals in complying with the rule. One solid example of HHS' effort to assist hospitals is the 223 Frequently Asked Questions (FAQs) available on the department's Web site. These questions signal both the obvious complexity of the HIPAA medical privacy rule and the responsiveness that HHS under your leadership has shown to concerns raised by patients and hospitals. The AHA applauds these efforts, supports the continuation of HHS' flexible and reasonable approach to enforcement, and urges the department to continue supplying guidance and other assistance to enhance hospitals' understanding of and compliance with the rule.
Hospitals' initial experiences with compliance also suggest, however, that there are some aspects of the rule that are confusing and harmful to essential hospital operations. For example, the AHA has heard from hospitals about the need for guidance around the release of patient information to law enforcement and pursuant to an administrative subpoena. To meet that need, we are working with a national law enforcement association to develop guidance to help clear up confusion in this area. We anticipate joint issuance of a document similar to our February 2003 release, Updated Guidelines for Releasing Information on the Condition of Patients, which focused on how and when to release patient information to the media and contained advice about releasing information to family members, other hospitals, relief agencies and the media in everyday and disaster situations. But materials like the AHA's Updated Guidelines can only go so far in assisting hospitals with the remaining problematic aspects of the HIPAA medical privacy rule. The AHA urges HHS to quickly adopt the recommendations related to accounting of disclosures, business associate agreements and other aspects of compliance discussed at length in the attached document.
The AHA thanks you for your leadership on this very important issue and looks forward to continuing a dialogue with HHS about ways to enhance the rule's workability for both hospitals and their patients and how HHS can best assist hospitals in further improving their compliance efforts. If you have any questions about the recommendations attached, please contact Melinda Hatton, vice president and chief Washington counsel, at (202) 626-2336; Kristin Welsh, senior associate director, executive branch relations, at (202) 626-2322; or Lawrence Hughes, regulatory counsel and director, member relations, at (312) 422-3328.
Recommendations for Further Improvements to the
HIPAA Medical Privacy Rule for Hospitals
Eliminating the Paperwork Burden of the Accounting of Disclosures Requirement.
Hospitals support efforts to enable patients to learn more about the information that hospitals must report to America's trusted public health officials. The method that the HIPAA medical privacy rule uses to ensure that patients obtain such information imposes an unnecessary burden upon hospitals, however. The rule's requirements for accounting of disclosures, as currently drafted and interpreted, require that hospitals maintain a complex paperwork system to account for the numerous and frequent disclosures of information for critically important health-related purposes, such as tracking births, deaths, cancer patterns, child abuse, and defects in medical devices. Moreover, hospitals bear this enormous paperwork burden even if no patient ever requests an accounting of disclosures.
Significant existing regulatory paperwork burdens on hospitals already consume 30 minutes to one hour for every hour of patient care, and the HIPAA accounting requirement unnecessarily diverts additional resources and expenditures away from patient care. Further, the requirement could have a chilling effect on hospital participation in important new public health initiatives, including reporting initiatives to detect potential bioterrorism-related outbreaks and to measure and improve patient safety.
The AHA requests that HHS modify the HIPAA medical privacy rule's regulatory language to eliminate the unjustifiable paperwork burden that the current accounting requirement imposes. We call HHS' attention to a proposed solution to this accounting burden that is an effective but less burdensome compromise. In addition, this solution achieves the specific policy objectives that HHS' Office for Civil Rights (OCR) has informed us underlie the accounting requirement. The AHA's solution, which has been shared previously with OCR officials, would ensure that a patient receives a detailed accounting of any disclosures of the patient's records that the hospital makes that could directly affect that specific patient's public or private legal interests or other obligations, while limiting the paperwork associated with other disclosures made for more general public health or oversight purposes. The proposal describes the distinct categories of disclosures that should be excluded entirely from the accounting requirements or for which an alternative, simplified form of accounting should be allowed, as well as those limited few instances that would remain subject to the full individualized accounting of disclosures requirements. The AHA again urges OCR to promptly issue the specific Q&A included in the proposal as guidance for hospitals and other covered entities to follow in implementing the accounting requirements, in order to grant immediate relief to hospitals already overburdened with regulatory paperwork.
Reducing the Burdens Associated with the Business Associate Requirements.
Requiring a business associate agreement between two covered entities is a superfluous and burdensome administrative requirement that offers no additional protection for patient privacy. The purpose of the business associate agreement is to regulate indirectly entities not otherwise within the reach of the privacy rule. Covered entities, however, are already bound directly by the rule with respect to any protected health information they create or receive.
In explaining why the business associate agreement between covered entities was retained in the August 2002 final rule, HHS suggested the requirement is necessary to clarify the limited uses and disclosures of protected health information the covered entity-business associate may make. However, this objective can be achieved in a less burdensome way.
Instead of requiring covered entities to negotiate and enter into business associate agreements with other covered entities, HHS should adopt an approach that accomplishes its stated objective by, for example, prohibiting a covered entity from using or disclosing protected health information it creates or receives as a business associate other than to perform the services or functions that make it a business associate and for its proper management, administration and legal obligations. HHS also should require covered entity-business associates to comply with the other business associate agreement requirements (e.g., to provide information necessary for the covered entity's compliance with its individual rights obligations). This accomplishes HHS' goal of limiting or restricting the uses and disclosures of protected health information by the covered entity-business associate without imposing the unnecessary paperwork burden of entering into and tracking the status of business associate agreements.
Moreover, there is continuing confusion about who qualifies as a business associate and when business associate agreements are really necessary. Many third parties who do not fit the definition of a "business associate," for example, continue to insist that covered entities enter into business associate agreements with them, mistakenly believing that a business associate relationship would enable the third party to use protected health information in an unrestricted manner. The burden of educating these third parties about the business associate requirements falls directly upon the hospitals and other covered entities that receive these requests. The AHA urges HHS to issue guidance and other educational materials, aimed at these third parties, that provide greater clarity about the circumstances that create the need for a business associate agreement. Such guidance and materials would be of great benefit in reducing a significant administrative burden for hospitals and other covered entities.
The AHA also believes that HHS could, and should, go further to streamline the business associate process by eliminating the burden on hospitals of negotiating hundreds or thousands of business associate agreements, by designating private entities to certify business associates as HIPAA compliant. The AHA has provided comments to HHS on such a proposal before, and we refer HHS to our prior comments. We urge HHS to reconsider adopting the AHA's previous certification proposal or some effective alternative certification mechanism.
Going forward, the AHA encourages HHS to share with hospitals any findings of violations, proposed solutions and good practices in a form that does not identify the violator. This information will allow hospitals and other covered entities to understand how OCR interprets and applies the HIPAA medical privacy regulations in specific situations and will encourage remediation of problems and violations that are discovered through the enforcement process. Covered entities will gain a better sense of the types of problems other entities are encountering and the misunderstandings that exist regarding the application of the HIPAA regulations.
In addition, the AHA encourages HHS to expand beyond its current method of issuing FAQs to provide technical assistance about the rule's requirements. Hospitals need more specific, operational-level information that clarifies the rule's requirements and identifies appropriately scalable best practices for complying with them. This information should be integrated for specific purposes, targeted to specific audiences, issued in a more user-friendly format, and widely distributed to all covered entities. The AHA would be pleased to use its various publications and communications vehicles to assist HHS in getting such valuable information directly to the hospital audience.