Wednesday, October 06, 2004

GAO Report: First Year Experiences under the Federal Privacy Rule (HIPAA)

The U.S. Government Accountability Office issued Report GAO-04-965 on September 3, 2004, "Health Information: First-Year Experiences under the Federal Privacy Rule" which analyzes the impact of HIPAA Privacy on consumers and the health care industry.

The GAO also issued highlights of the Report. Overall health care providers felt that implementation went relatively smooth and that new privacy related procedures/policies are now standard in the industry. Health care providers cited two areas where they felt that implementation of the Privacy Rule was particularly difficult to implement and problematic. First, the area of accouting for disclosures. Second, the area of requiring business associate agreements for downstream users of protected health information by those defined as business associates.

The report also indicates that consumer groups fell that the general public is not well informed about their particular rights under the Privacy Rule and don't understand the nature and substance of the privacy notices that they receive.

The Report recommends that HHS (1) require that patients be informed of mandatory disclosures
to public health authorities in privacy notices and exempt such disclosures from the accounting
requirement, and (2) conduct a public information campaign to improve patients’ awareness of
their rights. HHS noted that it continues to monitor the public’s experience with the accounting
provision to assess the need to modify the rule and described ongoing efforts to educate consumers. The GAO continued that it remains concerned about the burden of accounting for disclosures to public health authorities and believes it is important that HHS more effectively disseminate information about the Privacy Rule.

If my personal experiences with HIPAA Privacy are like others -- I have not taken the time to indivudually read each Notice of Privacy Practice that I have received from a health care provider. I think there are many parallels between HIPAA Privacy notices to patients and Gramm-Leach Bliley notices to financial and insurance consumers. As an attorney who deals in privacy related issues daily I have not been that concerned about reading the notices, studying the opt out options, etc. The general public is more concerned about issues other than privacy. For example, how much my copay went up this year because my insurance coverage (if the individual is not a part of the growing number of the uninsured) was reduced. Not until you feel your individual privacy rights have been violated by your health care provider will you come forward, read the notice and seek to enforce some of new requirements of HIPAA on the health care provider.

No comments: