By

The U.S. Department of Health and Human Services last week filled more than 400 pages with the final version of the privacy regulation required by the Health Insurance Portability and Accountability Act of 1996.

But insurance trade groups say they still have plenty of work to do to shape U.S. health privacy policy.

The regulation, which will apply to most health plans starting April 14, 2003, addresses everything from use of protected health information in research to exemptions that let doctors discuss health matters with patients in semiprivate rooms.

Representatives for the American Association of Health Plans and the Health Insurance Association of America, both of Washington, are praising the final version of the regulation but emphasizing what it leaves out: any effort to preempt state privacy laws.

HIPAA itself authorizes HHS to set a minimum “floor” for privacy standards, but then gives states the right to impose tougher standards.

The AAHP released a statement promising that it “will continue to work with the administration to address current confusion and inconsistency between the federal rule and the individual laws of 50 states.”

The conflict between the federal and state rules “is going to cause a lot of problems,” HIAA spokesman Joseph Luchok says. “It could be a big mess.”

The HIAA is calling for Congress to enact new, national health privacy legislation that would take the matter out of the states hands.

Congress ordered HHS to develop a health privacy regulation in HIPAAs “administrative simplification” section.

The Clinton administration released a final regulation in December 2000, but critics argued that version was so rigid that it would have kept patients from filling prescriptions over the telephone.

In March, the Bush administration released a draft of its own that drew 11,000 public comments.

The final version adopts two major changes included in the March version that could help health plans.

One change affects the contracts that health plans and other “entities” covered by the privacy regulation use to work with “business associates.” The Clinton administration version would have required covered entities to use contracts to protect the privacy of any protected health information they shared with business associates, according to an analysis by Barry Handy, a lawyer at Davis Wright Tremaine L.L.P., Seattle.

The final version also requires covered entities to negotiate new, privacy-conscious contracts, but it gives most covered entities until April 14, 2004, to replace the old contracts, Handy writes.

A second change included in the final version affects health plans use of protected health information in communications with the plans own members.

The Clinton administration version would have required plans to get specific patient authorization before they could notify pregnant women about pregnancy-related benefits or send diabetic patients brochures about diabetes.

The final version lets plans tell beneficiaries about plan features and health-related products available only to plan members without getting prior authorization.

“For example,” Handy writes, “if a child is about to age out of coverage under a familys policy, this provision will allow the plan to send the family information about continuation coverage for the child.”

A third section of the privacy regulation now permits a health plan to notify an employer when a worker has joined or dropped out of the employers health plan without first amending the plan documents, according to HHS.


Reproduced from National Underwriter Life & Health/Financial Services Edition, August 19, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.