Privacy Standards

Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information. GAO ID: T-HEHS-00-106, April 26, 2000

The Department of Health and Human Services (HHS) issued proposed regulations in November 1999 to help ensure the confidentiality of patient data, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GAO found that HHS' regulatory strategies appear to be consistent with HIPAA's goal of protecting the privacy of health information and are legally permissible. By requiring that entities directly regulated by the rule--health plans, health care providers, and health care clearinghouses--control the information practices of entities with which they do business, HHS has attempted to fill an otherwise significant gap in privacy protection. HHS has covered the "paper progeny" of electronically maintained or transmitted health information--the privacy protections extended to individuals by HIPAA would be easy to circumvent if protected health information in an electronic record lost its protection merely by being printed. HHS' decision to build flexibility into the proposed rule by allowing the implementation of the standards to vary on the basis of an organization's size is also within its authority. Comments from many of the entities that will have to implement the policies reflect two overriding themes. First is a widespread acknowledgment of the importance of protecting the privacy of medical records. Second is a fundamental difference in the groups' positions that reflects the conflicts that sometimes arise between privacy and competing goals.

GAO noted that: (1) the regulatory strategies HHS adopted in the proposed rule seem consistent with HIPAA's purpose of protecting the privacy of health information and are legally permissible; (2) by requiring that entities directly regulated by the rule--health plans, health care providers, and health care clearinghouses (firms that put information into standard formats)--control the information practices of entities with which they do business, HHS has attempted to fill an otherwise significant gap in privacy protection; (3) for the same reason, HHS has covered the "paper progeny" of electronically maintained or transmitted health information--the privacy protections extended to individuals by HIPAA would be easy to circumvent if protected health information in an electronic record lost its protection merely by being printed; (4) HHS' decision to build flexibility into the proposed rule by allowing implementation of the standards to vary on the basis of an organization's size is also within its authority; (5) the stakeholders' comments to HHS reflected sharply divergent views on several critical issues; (6) most notably, patient advocates, state government representatives, and providers strongly supported the provision of the rule that preempts weaker state laws while leaving intact stronger ones; (7) meanwhile, health plans and employers emphasized the practical difficulties of implementing the complex interaction of federal and different state standards; (8) similarly, patient advocates and law enforcement officials approved of extending the rule's coverage from three types of entities subject to HIPAA regulation to business partners with whom these entities share protected health care data; (9) however, the covered entities themselves were wary of assuming the responsibility for enforcing compliance by these other groups; (10) in some cases, the changes desired by industry groups and patient advocates would require congressional action; (11) for example, HHS could not establish a uniform federal privacy standard preempting all applicable state laws unless HIPAA was amended; (12) only Congress could expand the rule's coverage to all types of entities that create, use, and share protected health information; and (13) for other proposed changes, such as coverage of records that had never been stored or transmitted electronically, it was less clear whether HHS could act without new legislation.

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.