HIPAA Privacy Rule faces scrutiny one year after implementation

As the HIPAA Privacy Rule celebrated its first birthday April 12, industry groups such as the Health Privacy Project and the American Hospital Association issued report cards examining the first federal law aimed at protecting the privacy of patient's health information.

The policy's strongest criticism came from the Health Privacy Project, which turned in a failing grade on the Bush administration's efforts to enforce the law.

"Sadly, the Bush administration's tepid commitment to the Privacy Rule means that people are continuing to put their health at risk to protect their privacy," said Janlori Goldman, director of the nonprofit organization dedicated to raising health privacy awareness.

Goldman said the Bush administration must do more to ensure that medical record privacy is safeguarded and that U.S. patients should be able to trust that their sensitive health information will not be used against them.

The Privacy Rule, mandated by Congress in the 1996 Health Insurance Portability and Accountability Act, was issued by the Clinton administration and allowed to become law in 2001 by President Bush.

Healthcare plans and providers were given two years to comply with the privacy law, which went into effect April 14, 2003.

The AHA found the government's enforcement of the law to be "flexible and reasonable." Nevertheless, the group had suggestions for improvement.

"Hospitals' initial experiences with compliance suggest that there are some aspects of the rule that are confusing and harmful to essential hospital operations," the AHA said in a letter to Secretary of Health and Human Services Tommy Thompson.

For example, many hospitals were unsure how to handle releasing patient information to law enforcement, the letter said.

The Healthcare Financial Management Association is celebrating HIPAA's birthday with an audio Webcast on Wednesday, April 28. Subscribers can listen to HIPAA compliance war stories from privacy officers, including examples of what does and doesn't work, some unintended consequences of the law that privacy officials are facing, and how they are dealing with them. The Webcast is one hour and 45 minutes. Contact the HFMA at http://www.hfma.org/education/Audio_Webcast/april28_2004.htm.