The federal law giving privacy protection to medical records has been seven years in the making. Plenty of time, one would think, to get ready for it. Yet now that the April 14 deadline has passed, many companies subject to the law are still worlds away from meeting its requirements, if they are even aware that it applies to them.

“It’s too hard, too confusing, and there are too many open issues,” says Kirk Nahra, a partner in the D.C. office of Wiley Rein & Fielding, a leading firm in the privacy arena.

Nahra echoes a widespread observation among those grappling with the law, known as the 1996 Health Insurance Portability and Accountability Act, or HIPAA, which sets rules for safeguarding the privacy of people’s medical records.

A recent survey by the trade publication Modern Healthcare found that at the end of 2002, health care providers were still well behind the eight ball. For instance, the survey found that only 30 percent had completed a list of all “business associates” that are privy to patient information. And only 17 percent had finalized the required business-associate contracts to ensure the confidential treatment of that patient data.

The study found similar levels of procrastination for other privacy-related duties, with one exception: Nearly everyone had hired or designated a chief privacy officer, the easiest and often first thing companies can do.

Nahra says that of the health care providers, insurers were in the best shape, having spent “millions of dollars” to get into compliance. Large hospitals were also doing OK, he says.

Findings by the National Committee on Vital and Health Statistics, a quasi-governmental body advising the agency charged with administering HIPAA, back Nahra’s perception.
It estimated that at the end of 2002, “well below half of all small providers have made any effort to comply with the privacy rule, and some have no intent to do so.” The advisory body has predicted “widespread disruption of the health care system.”

MANY COMPANIES UNAWARE

Even worse off than medical providers are companies with health insurance plans, many of whom do not even know that the law applies to them. Under HIPAA, any employer with a health insurance plan with more than $5 million in annual receipts is expected to meet last week’s deadline. Smaller plans have until April 14, 2004.

Employers will have to appoint a privacy officer, create a “fire wall” between people who handle health benefits and other employees, keep health data in protected areas, and prepare written policies and procedures on how employee health records are handled.

Many companies, however, are under the mistaken impression that HIPAA applies only to the health care industry. “I sat down with my firm’s human resources people to explain the requirements to them, and it was as if I was speaking Martian,” Nahra says.

But even among those companies that know about HIPAA, “many are not sure what they’re supposed to be doing,” says David Spanier, a benefits partner in the New York office of Greenberg Traurig. Alternatively, they are doing too much. A cottage industry has sprung up that too often creates an unnecessary administrative burden for employers, he says. “I hate to tell clients that they’ve wasted their time and money paying for these services,” Spanier says.

Yet health care providers and others covered by the rule ignore it at their peril. HIPAA’s remedies border on the draconian: A violation is punishable by a fine of up to $250,000 and 10 years in jail. The U.S. Department of Health and Human Services (HHS) has publicly stated that it plans to go easy on enforcement, which will be handled by its Office of Civil Rights.
According to a spokesman, the agency has no intention of coming after inadvertent violators, at least initially. Rather, enforcement will be prompted by complaints and intentional violations.

The concept behind HIPAA’s privacy rules is simple enough: Medical records should be private and should not be disclosed except in certain limited circumstances or when authorized by the patient. The law attempts to accomplish this by giving patients the right to control their own health information. Thus, patients have the right to withhold medical information about themselves, even from family members. They also have the right to see their medical files, insert information into the files, or review a log detailing who has seen the file.

Yet somewhere along the way, simplicity gave way to a morass of thousands of pages of regulations, conflicting and ambiguous guidelines, and a wealth of misinformation from the mushrooming industry selling HIPAA “expertise” that has sprung up around the new rules.

A major part of the problem stems from the manner in which HIPAA came into being, experts say. The law had its genesis in the 1990s as a way to standardize electronic billing and claims in the health care industry. Congress saw HIPAA as playing a unifying role in a notoriously complex industry, saving providers billions of dollars in the process.

PROBLEMATIC RULES

But HIPAA has since ballooned, mostly in the form of regulations promulgated by HHS after Congress failed to come up with a privacy scheme for medical records. “Congress couldn’t agree on what the scope of privacy should be,” explains Mitchell Olejko, a partner in the San Francisco office of Morrison & Foerster, “so they left it up to the agency.” HHS met the challenge with a thousand pages’ worth of regulations, which after several iterations, were finalized in August 2002.

As it turned out, the regulations raised more questions than they answered. “They just missed a whole bunch of stuff,” Olejko says.
“They don’t deal with how people work in the real world.” For instance, the regulations required that spouses have written authorization to pick up a prescription for their husband or wife, he says. The agency has since amended this particular requirement, but many other problematic rules still remain, he says.

Olejko points to medical research as one such potential problem area. Secondary analysis of the data, for example, could force a researcher to go back and get each subject to reauthorize the research, he says.

Another area of controversy revolves around how the federal law relates to the myriad state laws protecting medical information. HIPAA pre-empts only state laws that are less stringent. “But who knows what that means,” Olejko says.

Wiley Rein’s Nahra says HHS had not done much better in its attempts at guidance. He says that, for instance, in the “Frequently Asked Questions” section of its Web site, answers that turned out to be wrong “would just disappear” without any explanation.

Some lawyers predicted that the deadline will create a whole new rush of activity. “I think there are lots of people who are going to be scrambling after they read all the articles,” Olejko says.

This article was distributed by the American Lawyer Media News Service. Tamara Loomis is a staff reporter at the New York Law Journal.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.