NU Online News Service, March 22, 10:15 a.m. — Washington

Insurers and employers are withholding full support from the revised medical privacy rule issued Thursday by the Department of Health and Human Services.

Donald Young, president of the Health Insurance Association of America, Washington, says the new rule responds to some of HIAA’s concerns over cost and complexity, but he also questions whether relatively minor changes can solve the problem.

“A better approach would be to create a single national privacy standard,” Young says. “A federal rule that preempts state privacy requirements can safeguard patient privacy and reduce burdensome compliance costs.”

James A. Klein, president of the American Benefits Council, Washington, an employers group, says he is “encouraged” by the changes but continues to have concerns.

He agrees with Young that Congress should adopt a single national standard to eliminate conflicting and duplicative state laws.

In addition, Klein says, he believes the controversial “minimum necessary” standard needs further revision.

“The new proposed changes clarify the standard as it applies to conversations among health professionals,” he says.

“However, a more precise rule is needed to state that health professionals may not restrict access to personal health information that a health plan determines is minimally necessary to fulfill its health care operations and quality assurance responsibilities,” Klein says.

HHS Secretary Tommy G. Thompson says the revised rule is intended to safeguard patient privacy while correcting unintended consequences of the original rule that threatened access to quality care.

Much of the controversy surrounded the minimum necessary rule, which states that providers covered by the rule must limit the disclosure of personal health information to the “minimum necessary” to accomplish certain legitimate purposes, such as filing claims.

Insurance groups say this standard is so imprecise that it could make it difficult for insurers to obtain information needed to perform legitimate functions.

However, the revised rule addresses the minimum standard language only slightly. The new standard applies only to oral communications among providers and says providers need only take “reasonable safeguards” when discussing personal health information.

If so, the new standard says, then incidental disclosures, such as another patient hearing a snippet of conversation, would not be subject to penalties.

As for marketing, the new standard explicitly requires health plans to obtain specific authorization from an individual before sending any marketing material.

The privacy rule was mandated by the Health Insurance Portability and Accountability Act of 1996. Unless it is revised again, health plans and other covered entities will have to comply with the rule by April 14, 2003.