HIPAA Compliance Strategies

National Review of HIPAA Compliance Finds Rampant Confusion, Mistakes

Reprinted from the May 2007 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

Four years after the privacy rule went into effect, hospitals and other covered entities (CEs) are struggling with basic concepts that underlie compliance, such as what the "minimum necessary" standard means. Mistrust among CEs is rampant, and many have implemented business practices in the name of privacy and security that have no basis in law.

That's one of the take-home messages from a two-year, $11.5 million study of privacy and security compliance funded by the Agency for Healthcare Research and Quality (AHRQ) under HHS. The project, designed to show gaps that might make a national health information network difficult, is also the first large-scale look at compliance in the hinterlands. Privacy and security practices were examined in Puerto Rico and 33 states; findings were presented late last month, although a final report is due this summer.

In addition to misapplying minimum necessary to treatment, the study also documents pervasive confusion about how state laws dovetail with HIPAA, particularly in the area of substance abuse and mental health treatments, and overlapping and conflicting practices concerning patient consent policies and procedures.

These problems shouldn't be occurring, and demand attention now regardless of any possible national health information network, said Mark Rothstein, chairman of a subcommittee that advises HHS on HIPAA. Rothstein has argued for years that HHS did not properly educate providers about the rule and that it has a virtually non-functioning enforcement system.

"Four years after the compliance date is too long to have such widespread misunderstanding," said Rothstein, chairman of the privacy subcommittee of the National Committee on Vital and Health Statistics. "The [recent] report seems to underscore the importance of comprehensive education and outreach efforts to covered entities and the public to eliminate or reduce confusion."

The project involved Puerto Rico and 33 states that together are called the Health Information Security and Privacy Collaboration (HISPC). RTI International of Research Triangle, N.C., is the prime contractor on HISPC, which is also being supported by the National Governors Association. On April 26, AHRQ held a Webcast with RTI to discuss findings to date and explain next steps.

The work was carried out in each state by a steering committee and workgroups. For example, a legal work group "was charged with identifying legal and regulatory drivers of those policies and whether there was a true connection between the laws and regulations and the business policies and business practices that people have followed," Loft said. The groups reviewed real-world scenarios to determine where there were variations in privacy and security policies, so they looked at information exchanges that occurred for purposes such as treatment, payment, research and law enforcement, among others. Data were collected from a variety of CEs, including hospitals, health plans, physicians, pharmacies and others.

'Astounding' Array of Interpretations

In comparing the states last October and November, the RTI researchers found that "there was quite an astounding array of different ways of interpreting these privacy laws," John Loft, RTI's senior advisor for assessment methodology, explained at the Web conference. "At the end of this, we had a set of business practices that were seen as barriers to health information exchange, or had no effect on it, or indeed might encourage it," Loft said. "The legal work group reviewed those barriers in order to determine whether or not there was a legal basis for the practice and, in some cases, there was not; that is, people often invented - or entities often invented - business practices and policies that had no legal basis for a variety of reasons."

But Barbara Massoudi, an RTI senior research scientist who also spoke at the Web conference, said finding such variation was not surprising. "Some of those variations were due to the flexibility that was built into the rules, and some was due to misunderstandings about how and when the rule applied," she said. "The approach that the stakeholders' organization takes in compliance becomes even more variable when you layer in the federal regulations that afford special protections for certain types of protected health information, such as health information associated with substance-abuse or mental-health treatment," Massoudi added.

The report documented pervasive confusion over the concept of minimum necessary. "One of the issues surrounding the minimum necessary is the widespread belief that it applies to disclosures to providers for treatment purposes, even though the HIPAA privacy rule explicitly exempts this specific purpose from the minimum necessary requirement," Massoudi said. She added that when CEs do invoke minimum necessary, they do so based on their own unique definitions, and some even apply minimum necessary within their own organizations, while others do not.

CEs told RTI that complying with the standard is onerous and time-consuming, and technology is no help. In fact, CEs with sophisticated EHRs are bypassing them entirely. Some state teams reported the existing technology cannot limit disclosures to the minimum necessary, so the process that could be electronic must be manual, Massoudi said.

"For organizations that use paper records, sifting through the records to make sure that the minimum necessary is exchanged is seen as time consuming and onerous, and in practice ends up resulting in variable disclosures," she said. "So, for example, some stakeholders indicated they were required to print out copies of records from EHRs and redact especially sensitive health information or information that could not be disclosed because the EHR did not accommodate segregation of certain types of data," Massoudi said. "The current business practice is you print a paper copy, redact the information, and fax the redacted copy of the record to the intended recipient."

For Rothstein, these problem areas, revealed by a study that did not even have this purpose, mean that more must be done. "The report...supports the need for an evaluation component to HIPAA," he tells AIS. "Systematic efforts to assess compliance issues and determine problem areas will help focus efforts on the most pressing subjects."

He also thought that the findings should prompt policymakers to abandon the idea that HIPAA is a useful foundation for a future national network. "Perhaps more than anything, the report strongly suggests that in the rollout of the nationwide health information network, it would be a mistake to put too much reliance on the existing regulatory framework of the Privacy Rule," he said. "New approaches will be needed to deal with the increased scope of health record networks and the interoperability of health records."

Possible Solutions and Next Steps

RTI's report this summer will formally specify proposed solutions to the variety of issues identified as problems within the states. Also, most states are working on plans to keep their activities going once the formal project is over. The interim report contains a number of suggested recommendations for changes at national and state levels, including: