March 28, 2000
U.S. Department of Health and Human Services
Attention: Privacy I
Room 801 Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
RE: Comments on Technical Amendment to Convert the Final Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 Through 164, 64 Fed. Reg. 82462 (December 28, 2000) Back to a Rule with Request for Comments.
To whom it may concern:
On behalf of the American Urological Association (AUA) and its 8500 U.S. members, I appreciate the opportunity to provide comments regarding the final rule on patient privacy issued by the Secretary pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The AUA acknowledges the work by the Department of Health and Human Services (HHS) to create a regulation that meets the requirements of HIPAA and strives to accommodate both patient privacy and administrative simplification. Although the AUA believes that HHS made numerous significant improvements to the proposed rule (64 Fed. Reg. 59917), the final rule still fails to adequately protect patient confidentiality and privacy and substantially and unacceptably increases administrative burdens for physicians, potentially to the detriment of patient care. The AUA supports the idea of a Federal floor of privacy protections for patients, but only if the protections are adequate and the rules are workable. We therefore request a limited extension of the effective dates so that these and other comments can be evaluated and improvements to the rule can be made before the compliance period commences.
Applicability to a Limited Set of Health Care Entities
The AUA is pleased that the final rule will require health care providers to obtain consent prior to using or disclosing individually identifiable health information to carry out treatment, payment or health care operations. Most urologists and other health care providers already obtain patient consent, and all providers typically have an ethical obligation to maintain patient confidentiality. The AUA firmly believes that patient information will not be fully protected until Congress acts to extend privacy requirements to all entities that maintain patient information. Exempting health plans from this requirement because, as explained in the preamble, they "did not maintain that they were ethically obligated to seek the consent of their patients" does not meet the spirit of HIPAA. Patient trust in the health care system can only be assured when all entities that maintain a patient's health information have an obligation to maintain the confidentiality of that information and when patients truly have control over decisions to disclose or retain their personal information. When confidential health information is used or disclosed without the approval of the patient, patient autonomy has been taken away and trust is lost. Omitting health plans from the requirement in the final rule to obtain consent is especially troublesome, given the overly broad definition of "health care operations" in the final rule (Section 164.501). This means that health plans will not be required to seek consent from their enrollees for a broad array of activities that most patients do not expect or comprehend. Patients who seek health care are generally aware that their information will be used and disclosed for treatment, and to some degree for general administrative and payment purposes. However, most patients certainly do not contemplate that their information is used or disclosed for the breadth of allowable activities under "health care operations."
The AUA recommends application of the controlling rule that valid consent should be obtained before personally identifiable health information is used for any purpose. For those many functions or circumstances for which patient consent is not feasible, the information must either be de-identified before it is used, or the decision regarding its use without patient consent must be made by an objective, publicly-accountable process that weighs the risks against the benefits.
Creation of De-identified Information
We do not believe the correct balance has been struck in Section 164.514(a), regarding the de-identification of information. Although the intent is to encourage de-identification of records, the complexity and administrative burden of this section has the perverse result of discouraging de-identification. In addition, the lack of incentive to de-identify information is compounded by the multitude of uses and disclosures permitted without patient consent or authorization.
The AUA favors any provisions of the rule that would have the effect of creating incentives to "de-identify" medical information. However, Section 164.514(b), apparently intended to provide guidance in de-identifying records, actually would create a disincentive to de-identify information. It articulates eighteen different characteristics or fields that would need to be removed from a medical record before the record could be considered de-identified. In addition, the covered entity must be able to show that it has no knowledge that the information could be re-identified.
The AUA believes it would make much more sense to dramatically pare down the list of characteristics considered to be "identifying," and add a prohibition of the unauthorized linking of anonymous data with other lists that would reveal the identity of the individual. The linking for the purpose of identifying an otherwise unidentified individual would be a violation of the regulation, equivalent to the disclosure of identifiable information.
We believe our recommendation to revise the list of "identifiers" to be removed from records, combined with an explicit prohibition against "linking" or re-identifying without authorization, would provide entities with a greater incentive to de-identify records, while holding wrongdoers properly accountable.
Application to Business Associates (164.502(e), 164.504(e))
The business associate provisions in the final rule have been improved, but only to a degree. The AUA objects to the extension of the scope of the Secretary's authority through the "business associate" provisions of the final rule. We appreciate the limitations inherent in the Congressional grant of authority under HIPAA that constrain the Secretary from directly regulating secondary and "downstream" users of individually identifiable health information. The AUA also agrees with the Secretary that these users should be brought under the terms of comprehensive privacy rules. However, as a matter of fairness, covered entities should not be held responsible for action taken or inaction by separate entities simply because Congress did not include them in the legislative directive.
Individual Authorization (Section 164.508)
The AUA strongly supports a requirement that an individual must authorize most uses of his or her identifiable health information. Thus, we support not only the standard articulated in Section 164.508(a) for use and disclosure of individually identifiable information for any purpose outside of the regulation, but would advocate for a similar requirement for many disclosures and uses where the final rule has removed the requirement. However, we are opposed to and are deeply concerned by the removal of the proposed prohibitions on the use of individually identifiable health information for marketing and the disclosure of such health information for sale, rental or barter without patient authorization. These prohibitions should have remained in the final rule. The general rule in the final regulation prohibits a covered entity from using or disclosing individually identifiable health information for marketing without a specific authorization. However, three types of marketing communications are exempt from the requirement to obtain authorization. Exempt communications are those that occur in a face-to-face encounter with the patient; those concerning products or services of nominal value; or those concerning health related products or services of the covered entity or a third party if certain disclosures are on the communication. The AUA strenuously opposes the exemptions from the authorization requirement because they are unnecessary, overly broad and otherwise full of loopholes.
The AUA strongly recommends that HHS retain the general rule in Section 164.514(e)(1) that requires patient authorization for marketing purposes and delete the exemptions entirely.
Notice of Privacy Practices and Rights to Amendment
Patients generally enter a physician's office or a hospital believing that the information they provide will be used by the entity's health care providers and personnel solely for their individual care and payment. Therefore, we are concerned that because of the breadth of the term "health care operations" in the final rule, patients will not be fully informed of potential uses and disclosures of their personal health information for many non-routine purposes. We reiterate the need for a separate authorization for non-routine uses and disclosures that fall under the broad category of "health care operations" under the final rule.
The AUA believes that the right of patients to request restrictions could be improved with the addition of a good-faith provision. With such a provision, health care providers would be more likely to agree to feasible requests if they could agree to make their best efforts to restrict uses or disclosures. This would also keep patient expectations and discussions with their physicians more realistic. Physicians and other health care providers who attempt in good faith to accommodate reasonable requests for restrictions should not be penalized for inadvertent uses or disclosures. Otherwise, the threat of a violation of the rule and potential penalties will act as a deterrent to any agreements.
While we recognize that individuals should have a limited right to request that erroneous information be noted and corrected in their medical records, the AUA believes that this right must accommodate the need for clinically and legally accurate records. We also believe it is extremely important for the final rule to reflect explicitly that patients are not authorized to request changes in professional clinical judgments or treatment recommendations that they believe to be in error. Neither should individuals be able to add information about the type, duration or quality of treatment that the individual believes they should have been provided.
Administrative Requirements (Section 164.530)
This provision sets out an extensive series of administrative requirements that physicians and other covered entities would have to incorporate into their practice or business. The AUA has significant concerns about the substantial administrative and financial burdens this might place on physician practices, particularly those smaller practices whose administrative personnel are already stretched to the limit with a multitude of governmental and health plan requirements. The AUA believes that the patient protections intended by these requirements are largely in place in most physicians' offices and strongly recommends that the flexibility/scalability in administration explicitly promoted by the Secretary be particularly applied in these instances. These provisions highlight, yet again, the distinction that separates physicians from other entities covered under this rule. Existing legal and ethical obligations require that physicians handle patient information confidentially, and these obligations are enforced through State law and State medical licensing boards. The addition of a federal superstructure of rules and regulations to achieve the same end is redundant and confusing.
We urge the Secretary to accommodate physicians' existing procedures and obligations to the extent possible in enforcing the administrative requirements under this proposed rule.
Transition Provisions (Section 164.532)
Although it seems that the intent was to "grandfather" in current forms of patient consent, the language is confusing and vague. Despite the intent not to impede the functions of the health care system, without clarification this provision will impede many everyday functions of a physician practice. Many physicians are not currently required by law to obtain written consent to use or disclose protected health information for "treatment, payment and health care operations." Most physicians do, however, obtain written consent for disclosures for payment purposes in addition to permission to treat a patient. Those consent forms would not likely discuss or refer to "health care operations" nor contain disclosures necessary for these applications. Therefore, most physicians will not be able to rely on current consent to use or disclose any health information for treatment or health care operations if the consent only applies to disclosures for billing and payment.
This would mean that until a new consent to cover uses and disclosures of information already contained in the medical record is obtained, physicians and their staff would not be able to access these records for many purposes.
We recommend a clarification of this point to allow all legal permission, expressed or implied, applicable for uses or disclosures of protected health information created or received prior to the compliance date to continue.
The AUA believes that the rule could impose significant new costs on physicians' practices. The substantial administrative burdens associated with compliance and the concomitant exposure to civil and criminal penalties for noncompliance are especially troublesome for physicians because they already protect patient information due to their ethical obligation. Ironically, the substantial documentation, personnel, paperwork and systems changes that physicians will need to make to their practices to comply with the administrative requirements in the rule will take vital time and resources away from patient care and may not result in any significant improvement in patient confidentiality.
We believe this runs counter to the explicit intent of HIPAA's "Administrative Simplification" provisions, which require "any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care." (Sec. 262. "Administrative Simplification," "Sec. 1172(b) Reduction of Costs.") In addition, the cost to comply with the privacy regulation clearly is not a one-time cost but will be a perpetual and continuing commitment.
Toward that end, the compliance date for the privacy rule, as well as the related HIPAA Administrative Simplification rules, should be two years after the last of these final rules is published (with the exception of the individual identifier rule, which may be significantly delayed). We cannot overstate the onerous cumulative effect that each of these requirements will have on the already swollen administrative burden with which physicians must currently comply. Each of these rules would require significant changes, some of which will overlap while others will be incompatible if these changes are not viewed as a whole. It is imperative that physicians have a complete and workable picture before they can adequately assess how and where to modify their practices in order to comply with these rules.
We urge the Secretary to reconsider the final rule in light of these comments. Significant changes to the rule are necessary to adequately protect patients and to make certain portions of the regulation workable before it is implemented. We reiterate that a limited extension of the effective date is required so that all of the comments can be evaluated and improvements to the rule can be effectuated before the compliance period commences. We look forward to working with you and your staff to improve the existing framework for federal privacy protections for all Americans.
Please direct any questions about these comments to Richard Rutherford, C.M.P.E., of the AUA practice management department at 410-689-3713.
Irwin N. Frank, MD, F.A.C.S.
American Urological Association