 | |
| |
TechnologyDaily Mobile
The State Of Medical Privacy In The States
by Liza Porteus
As states attempt to comply with federal rules on medical privacy, one of the largest problems may be that while no state has crafted a successful model for others to implement, federal officials are not taking the lead on the issue, either.
The 1996 Health Insurance Portability Assurance Act (HIPAA) called for federal officials to pass some sort of comprehensive privacy legislation by Aug. 21, 1999. When Congress failed to do so, HIPAA required the Department of Health and Human Services (HHS) to craft such protections via regulation.
Published Dec. 28, 2000, the final privacy rules took effect April 14, 2001, giving patients greater access to their medical records and more control over how their personal health information is used. The rules cover all providers who conduct transactions electronically, such as billing and fund transfers. The rules also obligate healthcare providers and health plans to protect health information.
Providers have until April 14, 2003, to comply with the rules.
The Privacy Road Ahead For CIOs
Achieving technological compliance is the job of many state chief information officers (CIOs) -- and it is not an easy task. "First, we're trying to understand it all. It's such a sweeping initiative," New Mexico CIO Bob Stafford told National Journal's Technology Daily.
Stafford said his state has established a multi-agency group to examine the medical privacy rules and request proper funding from the state legislature to implement the latest technology necessary to comply. Stafford said many states use outdated technology that cannot keep pace with the federal mandates.
"As CIO of New Mexico, I've promised our state not to do that again," he said. "We're attacking this thing by working with the federal government but in such a way [that we are] using new technology. ... While we don't think it's going to be without problems, we do think there's going to be technology out there to solve it."
Stafford said state officials would be looking increasingly toward the National Association of State Chief Information Officers (NASCIO) for guidance. "In order to have a lot of clout, it's crucial for states to work together on this," Rick Friedman, an official with HHS' Health Care Financing Administration (HCFA), told CIOs at the NASCIO conference in May.
Friedman stressed that the impact of the medical privacy rules reaches beyond the health insurance industry. He noted that the rules affect any government agency or organization that has access to medical information covered by the rules.
At the NASCIO conference, John Christiansen, a partner at the Stoel Rives law firm in Seattle, recommended that states convene task forces or committees to determine current privacy practices and see what systems are necessary to comply with the new rules. "IT folks are going to be crucial. ... IT will be central to secure data," Christiansen said. He also stressed that "technology is necessary but not sufficient," and that personnel and funding also will be needed.
Another Y2K?
As more states launch e-government services, and as some lag behind, one of the most predominant problems regarding the medical privacy rules is ensuring that the states' technological systems comply with federal standards.
The Privacy Project said the emergence of integrated healthcare systems -- such as health maintenance organizations and provider networks -- and the establishment of statewide health-information databases has created new demands for data that push well beyond the limits originally anticipated by states. About 20 states such as California and Utah are members of various alliances that inform states on regulations like those for medical privacy.
"It's like Y2K only much, much worse ... It's not just a changing of a date," Friedman said in comparing the rush to comply with medical privacy rules to the efforts to prepare for the year 2000 computer bug. "It goes far beyond a techie's job of making sure the codes work."
But Charles Gerhards, Pennsylvania's deputy secretary for information technology, questioned that comparison. Although technology programs need to be modified in Pennsylvania to satisfy medical privacy rules, he said, "at this point, we're not looking at the technology part of this as being huge." Business practices involving privacy and security issues are bigger concerns, he said.
"What you have are a lot of people in state government and a lot of different state agencies used to handling this information in a certain way," Gerhards said, adding that many state employees need to change the way they handle sensitive information. "This thing is kind of spidering into most of our state agencies. Our biggest effort now is just making sure we identify those nooks and crannies where this information exists."
Gerhards said CIOs have determined that the task is "doable." "I don't think ... that CIOs are losing a lot of sleep about their ability to comply," he said.
Although no state has emerged as a leader in compliance, those with more personnel and financial resources have launched implementation plans, according to an HHS source. Some states have cited a lack of national leadership as an obstacle, the source said, unlike when an entire White House office helped state agencies organize to defend themselves against Y2K.
The fact that HHS can revise the medical privacy rules annually also may force states to constantly update their systems, the source said. "It's kind of like a moving target. I think it's causing some tension and aggravation, and it's understandable."
States Take Action
The new rules only establish a floor of privacy protection; states can enact stronger protections. Some states have passed legislation that makes slight or major modifications to current insurance laws to comply with the federal rules.
States such as Delaware, Hawaii, Illinois, Kentucky, Louisiana, Maryland, Minnesota, New Mexico, Pennsylvania, Rhode Island and Texas have altered current practices in order for the states to maintain control over their health insurance. Oregon, meanwhile, passed legislation that establishes a committee to study the relationship between federal rules on medical privacy and existing state privacy laws. And California lawmakers are considering a bill, S.B 456, that would require state entities to assess the impact the federal rules will have on their operations.
States also are considering various changes to insurance laws in an effort to comply with separate federal regulations on financial privacy mandating that health information be treated the same as financial information. The 1999 banking reform law linking the two issues allows consumers to opt out of having their personal financial information shared with third parties
States already working to comply with the financial privacy rules simultaneously have been moving closer to satisfying the demands of the medical privacy rules, although the latter require slightly stricter privacy guidelines. "There's a dovetailing, an overlapping, of HIPAA treatment of health plans and the state insurance treatment of health plans," said Emilio Cividanes, a partner and healthcare privacy expert at the law firm Piper, Marbury, Rudnick and Wolfe.
The National Association of Insurance Commissioners, meanwhile, said the federally mandated privacy protection is not enough and has issued its own guidelines for financial and medical privacy. Its tougher "opt in" approach to medical privacy would require consumers to consent to having their personal information shared with third parties.
NEW FEATURE
-Advertisement-
-Advertisement-
-Advertisement-
