Health Information: First-Year Experiences under the Federal Privacy Rule

GAO ID: GAO-04-965, September 3, 2004

Issued under the Health Insurance Portability and Accountability Act of 1996, the Privacy Rule provided new protections regarding the confidentiality of health information and established new responsibilities for providers, health plans, and other entities to protect such information. GAO reviewed (1) the experience of providers and health plans in implementation; (2) the experience of public health entities, researchers, and representatives of patients in obtaining access to health information; and (3) the extent to which patients appear to be aware of their rights.

Organizations representing providers and health plans told us that implementation of the Privacy Rule went more smoothly than expected during the first year after most entities were required to be compliant. In addition, they reported that new privacy procedures have become routine practice for their members' staff. However, provider and health plan representatives also raised a variety of issues about provisions that continue to be problematic. In particular, many organizations emphasized that two provisions--the requirement to account for certain information disclosures and the requirement to develop agreements with business associates that extend privacy protections "downstream"--are unnecessarily burdensome. Some organizations suggested that difficulties with these provisions could be ameliorated with modification of certain provisions and further guidance from the Department of Health and Human Services' Office for Civil Rights (OCR). Organizations reported a number of challenges faced by entities that rely on access to health information for public health monitoring, research, and patient advocacy. Public health entities noted that some states have had to take concerted action to ensure that providers' concerns about complying with the Privacy Rule do not impede the flow of important information to state health departments and disease registries. Some research groups asserted that the rule has delayed clinical and health services research by reducing access to data. Some consumer advocacy groups told us that patients' families, friends, and other representatives have experienced unnecessary difficulty in assisting patients. These groups perceived that while providers and plans are allowed, in certain cases, to disclose health information without written patient authorization, they are reluctant to do so. Consumer and provider representatives contend that the general public is not well informed about their rights under the Privacy Rule. 
According to these organizations, patients may not understand the privacy notices they receive, or do not focus their attention on privacy issues when the notices are presented to them. Some evidence of patients' lack of understanding is reflected in the 5,648 complaints filed with OCR in the first year after the Privacy Rule took effect. Of the roughly 2,700 complaint cases OCR closed as of April 13, 2004, nearly two-thirds were found to fall outside the scope of the Privacy Rule because they either involved accusations of actions that were not prohibited by the regulation, involved entities that were not "covered entities" as defined by the Privacy Rule, or involved actions that occurred before covered entities were required to be compliant. Of those cases that were germane to the rule, OCR determined that about half represented cases in which no violation had occurred.



GAO-04-965, Health Information: First-Year Experiences under the Federal Privacy Rule

This is the accessible text file for GAO report number GAO-04-965 entitled 'Health Information: First-Year Experiences under the Federal Privacy Rule' which was released on October 04, 2004. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Report to the Chairman, Committee on Health, Education, Labor, and Pensions, U.S. Senate:

September 2004:

HEALTH INFORMATION: First-Year Experiences under the Federal Privacy Rule:

GAO-04-965:

GAO Highlights:

Highlights of GAO-04-965, a report to the Chairman, Committee on Health, Education, Labor, and Pensions, U.S. Senate.
What GAO Recommends:

GAO recommends that HHS (1) require that patients be informed of mandatory disclosures to public health authorities in privacy notices and exempt such disclosures from the accounting requirement, and (2) conduct a public information campaign to improve patients' awareness of their rights. HHS noted that it continues to monitor the public's experience with the accounting provision to assess the need to modify the rule and described ongoing efforts to educate consumers.
GAO remains concerned about the burden of accounting for disclosures to public health authorities and believes it is important that HHS more effectively disseminate information about the Privacy Rule.

To view the full product, including the scope and methodology, see www.gao.gov/cgi-bin/getrpt?GAO-04-965. For more information, contact Leslie G. Aronovitz at (312) 220-7600.

[End of section]

Contents:

Letter:
Results in Brief:
Background:
Compliance Difficulties for Providers and Health Plans Have Eased, but Problems Remain:
Constraints on Access to Data Have Raised Concerns for Public Health Entities, Researchers, and Patient Advocates:
Evidence Suggests Patients Are Not Aware of Privacy Rights or May Misunderstand the Privacy Rule:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:

Appendixes:
Appendix I: Organizations Interviewed:
Appendix II: Comments from the Department of Health and Human Services:
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Acknowledgments:

Table:
Table 1: Outcomes of Privacy Complaints Closed by OCR from April 14, 2003, through April 13, 2004:

Figure:
Figure 1: Outcomes of Privacy Complaints Closed by OCR from April 14, 2003, through April 13, 2004, by Type of Entity Cited:

Letter

September 3, 2004:

The Honorable Judd Gregg:
Chairman:
Committee on Health, Education, Labor, and Pensions:
United States Senate:

Dear Mr. Chairman:

Issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the federal Privacy Rule provided individuals with new protections regarding the confidentiality of their health information and established new responsibilities for health care providers, health plans, and other entities to protect such information.[Footnote 1] The rule was implemented as a result of advances in information technology and an increased number of parties with access to identifiable health information.
Together, these trends have created new challenges to maintaining the privacy of an individual's medical records. April 14, 2004, marked the first anniversary of the date that most entities were required to be compliant with the Privacy Rule. More than a full year of experience with the rule offers an important and timely opportunity to determine how different groups have fared under the new regulation. This report focuses on (1) the experience of providers and health plans in implementing the Privacy Rule; (2) the experience of public health entities, researchers, and representatives of patients in obtaining access to health information under the rule; and (3) the extent to which patients appear to be aware of their rights.

In gathering this information, we interviewed representatives of 23 national organizations representing health care consumers, health care providers, health plans, state officials, public health agencies, researchers, privacy professionals, and a health care accrediting body. (These organizations are listed in app. I.) We supplemented our discussions with these organizations with a review of information from their Web sites and surveys and reports issued by them. We also contacted the Centers for Disease Control and Prevention (CDC)--a federal public health agency--and the Centers for Medicare & Medicaid Services (CMS)--the agency that administers the Medicare program--both in the Department of Health and Human Services (HHS). In addition, we spoke with officials at the Office for Civil Rights (OCR) within HHS--the agency responsible for enforcing the Privacy Rule--about their procedures for logging in privacy complaints and analyzed data extracted for us by OCR from the database that it maintains on these complaints. We did not independently verify the reliability of the data compiled by OCR. However, we determined that these data were sufficiently reliable for the purposes of our engagement.
In addition, we reviewed testimony by public health and research organizations delivered at 2003 and 2004 hearings on the Privacy Rule held by the National Committee on Vital and Health Statistics (NCVHS) and followed up with several state officials.[Footnote 2] We performed our work from March 2004 through August 2004 in accordance with generally accepted government auditing standards.

Results in Brief:

Organizations representing providers and health plans told us that implementation of the Privacy Rule went more smoothly than expected during the first year. In addition, they reported that initial confusion has diminished and new privacy procedures have become routine practice for their members' staff. However, they noted ongoing difficulties with certain provisions and some remaining misunderstandings. In particular, many organizations emphasized that two provisions--the requirement to account for certain information disclosures and the requirement to develop agreements with business associates that extend privacy protections "downstream"--are unnecessarily burdensome. Some organizations suggested that difficulties with these provisions could be ameliorated with modification of certain provisions and further guidance from OCR.

Organizations reported a number of challenges faced by entities that rely on access to health information for public health monitoring, research, and patient advocacy. Public health entities noted that some states have had to take action to ensure that providers' concerns about complying with the Privacy Rule do not impede the flow of important information to state health departments and disease registries. Some research groups asserted that the rule has delayed clinical and health services research by reducing access to data. Some consumer advocacy groups told us that patients' families, friends, and other representatives have experienced unnecessary constraints in assisting patients.
They perceived that while providers and plans are allowed, in certain cases, to disclose health information without written authorization, they are reluctant to do so.

Representatives of provider and consumer groups contend that the general public is not well informed about their rights under the Privacy Rule. According to these organizations, patients may not understand the privacy notices they receive, or they do not focus their attention on privacy issues when the notices are presented to them. Some evidence of patients' lack of understanding is reflected in the 5,648 complaints filed with OCR in the first year most entities were required to be compliant with the Privacy Rule. Of the roughly 2,700 complaint cases OCR closed from April 14, 2003, through April 13, 2004, nearly two-thirds were found not to fall within the scope of the Privacy Rule because they either involved accusations of actions that were not prohibited by the regulation, involved entities that were not "covered entities" as defined by the Privacy Rule, or involved actions that occurred before covered entities were required to be compliant. Of those cases that were germane to the rule, OCR determined that half represented cases in which no violation had occurred.

We recommend that the Secretary of HHS modify the Privacy Rule to require that privacy notices state that patient information will be disclosed to public health authorities when required by law, and to exempt such public health disclosures from the accounting-for-disclosures provision. We also recommend that the Secretary undertake a public information campaign to improve patients' awareness of their rights under the Privacy Rule. In written comments on a draft of this report, HHS stated that our finding that implementation went more smoothly than expected during the first year is generally consistent with what the agency has heard from covered entities and others.
Regarding our recommendation that mandatory reporting of health information to public health authorities be exempted from the accounting for disclosure requirement, HHS noted that it has considered such a change in the past and continues to monitor the need to modify the rule. However, we remain concerned that given the burden of accounting for mandatory disclosures to public health authorities, covered entities may be disinclined to add to their tracking requirements by responding to public health agencies' requests for voluntary reporting. Regarding the recommendation for a public information campaign, HHS agreed that notices of privacy practices may appear too long and complicated and that consumers may not be closely reading their notices. HHS cited two new consumer fact sheets posted to its Web site on August 17, 2004, a toll-free call-in line to respond to questions about the rule, and efforts to encourage covered entities to develop consumer-friendly notices that highlight key information. We believe it is important that, in current and future efforts to educate the public, HHS more effectively disseminate information about protections provided under the Privacy Rule. 
Background:

The Privacy Rule addresses the use and disclosure of individuals' health information and establishes individuals' rights to obtain and control access to this information.[Footnote 3] Specifically, the rule covers "protected health information," defined as individually identifiable health information that is transmitted or maintained in any form.[Footnote 4] It applies to "covered entities," defined as health plans, health care clearinghouses, and health care providers that transmit information electronically with respect to certain transactions.[Footnote 5] The protections under the Privacy Rule extend to all individuals, regardless of the state in which they live or work, but the rule does not preempt state privacy laws that are more stringent--that is, more protective of health information privacy.

Permissible Uses and Disclosures:

Under the Privacy Rule, a covered entity may use and disclose an individual's protected health information without obtaining the individual's authorization when the information is used for treatment, payment, or health care operations. Protected health information may also be disclosed without an individual's authorization for such purposes as certain public health and law enforcement activities, and judicial and administrative proceedings, provided certain conditions are met. In addition, an individual's authorization is not required for disclosures for research purposes if a waiver of authorization, under defined criteria, is obtained from an institutional review board (IRB) or a privacy board.[Footnote 6] Except where the rule specifically allows or requires a use or disclosure without an authorization, the individual's written authorization must be obtained; for example, authorization is generally required for disclosures to life insurers or employers.
In addition, the rule contains specific provisions that generally require an individual's authorization for the use or disclosure of psychotherapy notes or of protected health information for marketing purposes. In many circumstances, a provider or health plan can choose not to disclose information, regardless of whether an individual's authorization is required. The Privacy Rule allows covered entities to use their discretion in deciding whether to disclose protected health information for many types of disclosures, such as those to family and friends, public health authorities, and health researchers.

Individual Privacy Rights:

The Privacy Rule provides individuals with a number of rights regarding access to, and use of, their health information. Specifically, the rule provides the following:

* Access to and amendment of health information. Individuals have the right to inspect and copy their protected health information and to request amendments of their records.

* Notice of privacy practices. Individuals generally have a right to written notice of the uses and disclosures of their health information that may be made by a covered entity as well as the individual's rights and the entity's duties with respect to that information.

* Accounting for disclosures. Individuals generally have the right to request and receive a listing of disclosures of their protected health information that is shared with others for purposes other than treatment, payment, or health care operations.

* Complaints. In addition to being able to complain directly to a covered entity, any person who believes a health care provider, health plan, or clearinghouse is not complying with the Privacy Rule may file a complaint with the Secretary of HHS.[Footnote 7]

Responsibilities of Health Care Providers, Health Plans, and Clearinghouses:

Covered entities are required to comply with Privacy Rule provisions and follow various procedures.
They must do the following:

* Develop policies and procedures for protecting health information. A covered entity must maintain administrative, technical, and physical safeguards. Among other requirements, a covered entity must also designate a privacy official, train its employees on the entity's privacy policies, and develop procedures to receive and address complaints.

* Limit information used and disclosed to the minimum necessary. Covered entities must make reasonable efforts to limit their employees' access to identifiable health information to the minimum needed to do their jobs. When sharing protected health information with other entities (such as collection agencies and researchers), they must make reasonable efforts to limit the information disclosed to the minimum necessary to accomplish the purpose of the data request. However, providers may share the full medical record when the disclosure is for treatment purposes.

* Account for disclosures of protected health information. Upon request, covered entities must provide individuals with an accounting of disclosures of their protected health information made in the preceding 6 years. This requirement applies to most disclosures other than those for treatment, payment, or operations purposes, including those that are mandated by law--such as certain disclosures to public health entities and law enforcement agencies. The accounting must include the date of each disclosure; the name and, if known, the address of the entity or person who received the information; a description of the information disclosed; and a statement of the purpose of the disclosure.

* Ensure that "downstream users" protect the privacy of health information by implementing business associate agreements. Covered entities must enter into a contract or other written agreement with any business associates with which they share protected health information for various purposes.
A business associate performs certain functions or activities--such as claims processing and benefit management--on behalf of a covered entity involving the use or disclosure of individually identifiable health information. Business associate contracts must establish conditions and safeguards for uses and disclosures of identifiable health information and authorize termination of contracts if the covered entities determine that business associates have violated the agreements.

Disclosures to Researchers Seeking Health Information from Covered Entities:

The regulation establishes requirements that apply to both federally and privately funded research that seeks to use protected health information:

* Researchers may seek to obtain from covered entities health information without authorization if the data do not identify an individual and there is no reasonable basis to believe it could be used to identify an individual.[Footnote 8]

* Researchers must use one of three options to gain access to protected health information: obtain patient authorization, obtain a waiver of authorization by having their research protocol reviewed and approved by an IRB or privacy board, or use a limited data set provided by the covered entity.[Footnote 9]

Responsibilities of HHS's Office for Civil Rights:

OCR has responsibility for implementing and enforcing the Privacy Rule as follows:

* Provide guidance. OCR is responsible for communicating policies contained in the Privacy Rule by issuing guidance to answer common questions and clarify certain provisions. Mechanisms by which OCR makes information available to various entities on its Web site include links to guidance documents as well as answers to frequently asked questions (FAQ). In addition, OCR has provided guidance through roundtable discussions, answers to written inquiries, an automated e-mail notification system, a toll-free hotline for questions about the Privacy Rule, as well as presentations and telephone conference calls.
* Administer a complaint process. OCR is responsible for investigating complaints received from health care consumers.

* Enforce compliance. OCR may provide covered entities with technical assistance to help them comply voluntarily with the Privacy Rule. OCR investigates complaints and may conduct reviews to determine if covered entities are in compliance and attempts to resolve issues of noncompliance through informal means. Violators are subject to civil and criminal penalties.[Footnote 10] OCR administers the civil monetary penalties while the Department of Justice administers criminal penalties involving a knowing disclosure or obtaining identifiable health information in violation of HIPAA.

Compliance Difficulties for Providers and Health Plans Have Eased, but Problems Remain:

Organizations representing providers and health plans stated that implementation of the Privacy Rule was smoother than expected over the past year and that some initial confusion has abated. Although many provider and health plan organizations reported dealing with various ongoing problems, they noted that two provisions were particularly burdensome: the requirement to maintain a record of certain disclosures of patient information and the requirement to create business associate agreements with downstream users of protected health information. Several organizations suggested that OCR could take steps to facilitate compliance with these provisions.

Confusion among Providers and Health Plans Has Diminished:

Some organizations we interviewed told us that the first year they were required to be compliant with the Privacy Rule was smoother than they had anticipated. The American Medical Association and the American Hospital Association stated that in general, they have heard relatively few negative reactions from their members during the past year.
Many provisions were considered straightforward and relatively easy to implement, including developing the notice of privacy practices and limiting disclosures for marketing purposes. In addition, many provider, health plan, and consumer representatives reported that the Privacy Rule has increased provider awareness of, and sensitivity to, patient privacy issues, and new privacy procedures have become routine practice. For example, representatives from the American Health Information Management Association (AHIMA)--which assists providers with their management of protected health information--noted that the Privacy Rule has helped to make staff working for covered entities more aware of the flow of patient information. Organizations we interviewed also reported that some early confusion has subsided. Groups commented that initial confusion stemmed from challenges in understanding and implementing the Privacy Rule. The American Hospital Association, for example, stated that hospitals were initially concerned about the requirement to limit information disclosures to the "minimum necessary" but now understand that they can share the information needed to ensure that appropriate clinical care is provided to their patients. Representatives from the American Pharmacists' Association (APhA) stated that members faced initial confusion implementing the Privacy Rule, but that pharmacies have since developed new standard procedures to address these issues. Representatives of the American Medical Association noted that after receiving and resolving many calls requesting clarification early in the year, it has since received few calls from its members related to the Privacy Rule. However, organizations also commented that some uncertainties and misunderstandings continue. For example, provider groups stated that some physicians and hospitals remain unclear about what type of information may be disclosed for law enforcement purposes. 
In addition, health plan representatives reported ongoing difficulties associated with knowing whether state laws prevail over the Privacy Rule. Despite these problems, AHIMA representatives told us that "the number of people talking about the ship sinking" because of the Privacy Rule has decreased.

Overall, the organizations had mixed opinions about the extent to which OCR's guidance facilitated implementation of the Privacy Rule. As of June 29, 2004, OCR has posted 223 FAQs and answers on its Web site. While some provider and health plan representatives reported that the OCR Web site--particularly the FAQs--was very helpful, others stated that the FAQs were not specific enough to explain certain vague or ambiguous Privacy Rule provisions. Furthermore, organizations we interviewed stated that various types of guidance offered by OCR--including roundtable discussions and guidance on particular provisions--would have been more helpful if they had been offered sooner. For example, representatives from the American Health Care Association (AHCA) stated that if they had received clarification and guidance from OCR earlier, they would have had fewer problems implementing the rule.

Two Provisions Were Commonly Cited as Particularly Difficult to Implement:

Although provider and health plan representatives reported dealing with a variety of ongoing problems, we consistently heard from them that two provisions were especially burdensome. These were the provisions that require accounting for disclosures and business associate agreements.

Accounting for Disclosures:

Most provider and health plan organizations we interviewed identified the requirement to account for certain disclosures as unnecessarily burdensome. These organizations reported that significant time and resources are needed to establish and maintain systems to track disclosures.
For example, in hospitals, various departments keep patient information in separate systems that are not necessarily electronically linked. According to the Health Care Compliance Association, hospitals have had to revise systems to establish electronic links or have had to create manual tracking mechanisms. Similarly, representatives from America's Health Insurance Plans (AHIP) reported that many health plans or insurers generally keep information related to one patient in multiple systems--for example, separate systems for enrollment, claims payment, and customer service--making it difficult to track all information disclosures for that patient.

In addition to difficulties experienced when tracking disclosures of protected health information, provider and health plan representatives also expressed concern about the volume of disclosures that must be tracked. They commented that frequent, diverse disclosures required by law add significantly to the volume of information that must be continually tracked. These include disclosures to public entities to maintain disease registries, vital statistics, and other health databases.[Footnote 11] For example, the Minnesota Department of Public Health identified over 50 state statutes in which health information may or must be released to specific state or local organizations, such as health departments, health licensing boards, and schools. Blue Cross Blue Shield Association (BCBSA) representatives told us that accounting for the disclosures of births and deaths to state health departments--required by state law--can be burdensome. They noted that some state laws require health plans to report information to the health department quarterly, while others require reporting information monthly.
One organization we spoke with indicated that its members expect that complying with the provision to account for disclosures will become increasingly difficult, because they need to track these disclosures for 6 years to meet obligations under the Privacy Rule.

Moreover, many organizations we interviewed questioned whether the Privacy Rule's accounting provision generates much benefit for patients. These organizations reported that their members have received few or no requests from patients for an accounting of the disclosures of their protected health information. To reduce the burden of the requirement to account for disclosures somewhat, several organizations suggested that OCR modify the rule to require covered entities to inform patients in the privacy practices notice that, when required by law, their information will be disclosed to public health organizations and law enforcement agencies. This modification would inform patients of disclosures required by law and would obviate the need to track these disclosures as they occur.[Footnote 12]

Business Associate Agreements:

Provider and health plan representatives reported that significant resources have been required to implement business associate agreements. These organizations commented that some of the burden associated with implementing this provision has stemmed from confusion and variation in determining which relationships with downstream entities require business associate agreements.[Footnote 13] The Medical Group Management Association (MGMA) stated that there is still uncertainty among its members and that it receives calls weekly about business associate agreements. APhA representatives attributed pharmacists' difficulties determining which entities were business associates to the provision's broad language and lack of adequate OCR guidance.
Although the Privacy Rule provided for phased-in implementation of business associate agreement requirements to accommodate existing contracts, provider and health plan groups viewed the business associate agreements provision as very burdensome.[Footnote 14] Organizations we interviewed stated that some of their members have spent substantial amounts of time and money to develop thousands of business associate agreements with downstream users of protected health information, though they did not estimate specific amounts.

Provider and health plan representatives reported that high costs have been associated with the need for legal counsel to negotiate and customize agreements with the multiple and various business associates. For example, BCBSA officials stated that some of their business associates have requested specific and sometimes "excessive" details in their agreements. They noted that business associates sometimes regard the agreements as an opportunity to include new provisions in their contracts that are unrelated to health privacy.

The Joint Commission on Accreditation of Healthcare Organizations (JCAHO), however, was able to successfully avoid these types of problems by including a standard business associate agreement as an addendum to applications for health care accreditation. As a result, it has had "excellent compliance and cooperation from accredited entities," according to JCAHO representatives. In contrast, hospitals and other providers negotiating individually with business associates do not have similar leverage to compel the use of their particular agreements.

Some organizations representing providers and health plans suggested that OCR provide more guidance to covered entities about when and how to enter into a business associate agreement.
These organizations did not consider OCR's existing guidance specific enough to assist providers and health plans with their agreements.[Footnote 15] APhA representatives stated that OCR's guidance on business associate agreements has "led to more questions."

Constraints on Access to Data Have Raised Concerns for Public Health Entities, Researchers, and Patient Advocates:

Organizations representing public health agencies, research entities, and patient advocates identified several areas in which efforts to apply the Privacy Rule have created new challenges. State and federal agencies reported having to take explicit action--including outreach efforts and changes in state law--to ensure that providers and health plans continue to report health information for public health activities. Researchers pointed to increased difficulty in obtaining patient data to conduct clinical or health services research. Patient advocates also identified obstacles in obtaining protected health information from providers and plans on behalf of their clients. Many of these challenges have been attributed to misunderstandings or confusion about how to interpret the rule in conjunction with other federal requirements. Most organizations found providers reluctant to share information without patient authorization even when the rule permitted providers such discretion. The burden of accounting for disclosures and liability concerns were two reasons often cited for their reluctance.

State and Federal Agencies Have Had to Increase Efforts to Obtain Data for Public Health Monitoring:

Organizations representing state public health officials told us that the Privacy Rule has hindered access to patient health information because some providers are reluctant to report to public health authorities.
They experienced this difficulty despite the fact that under the Privacy Rule, providers and health plans may report to public health authorities without a patient's authorization.[Footnote 16] This provision applies both where a law requires that certain health information--such as immunizations--be reported and where a public health agency requests that providers voluntarily report certain information.

Public health organizations--such as the Council of State and Territorial Epidemiologists (CSTE) and CDC--reported several cases where obtaining patient health information has become more difficult. For example, a CSTE survey of 40 state and local programs designed to detect early signs of an epidemic found that 3 programs experienced "substantial" problems and 10 experienced "some" problems with obtaining health information from providers because of patient confidentiality concerns.[Footnote 17] In another example, a CDC representative reported facing obstacles to its surveillance of mental health disabilities. CDC's efforts to collect data on individuals with certain mental health diagnoses met resistance from a large clinic and an inpatient mental health facility. As a result, CDC redesigned its study and had to approach different providers to participate in its data collection effort.

Public health organizations attributed the difficulty in obtaining public health data from providers and plans to several factors. First, organizations we spoke with believed that providers have a disincentive to report data requested by public health agencies because of the provision to account for such disclosures. According to a state public health agency representative, the necessary tracking of disclosures has had a major impact on the state's public health activities. This is consistent with concerns expressed by representatives of health plans, physicians, hospitals, and long-term care facilities about the burden of accounting for certain disclosures.
Second, some providers were confused about the rule in that they believed they were permitted to report to public health agencies only when specifically required by federal or state law. A representative of CDC noted that in some states that did not mandate reporting of birth defect surveillance data, providers were initially unwilling to disclose this information.

Third, state officials noted that providers are concerned that legal action might be taken against them if they provide health information to public agencies. In CDC's efforts to monitor mental health disabilities, a provider cited fear of liability associated with improper disclosure of protected health information as the reason it declined to participate.

The organizations we interviewed also reported that state and federal health agencies have taken various actions to facilitate public health reporting. These include changes in state law, enhancements to the data collection process, and targeted Privacy Rule education. For example:

* Kentucky, Massachusetts, and North Dakota revised regulations and laws to clarify the circumstances for reporting to public health agencies without patient authorization, to make state law more consistent with the Privacy Rule, and to make certain public health reporting mandatory.

* CDC modified its survey procedures for a group of health care provider surveys, known as the National Health Care Survey, to help providers participate in the surveys under the Privacy Rule. The modifications included creating a document that providers can use to account for disclosures.

* The Minnesota Department of Health developed a series of fact sheets that clarify, for each of several different types of disease reporting, the specific authority in the Privacy Rule that allows reporting of data to the department without patient authorization.
Like the health plan and provider groups, organizations representing public health agencies stated their desire that the Privacy Rule be amended to exempt reporting to public health agencies from the accounting provision and to announce in the privacy practices notice that this information will be disclosed as required by law. They contended that this approach would significantly reduce burden and remove the incentive that exists for providers to avoid disclosure of protected health data to public health agencies.

Research Groups Report Unnecessary Delays and Less Access to Health Data:

Organizations representing health services and clinical researchers, such as Academy Health, the Association of American Medical Colleges, the Association of Clinical Research Organizations, and the National Cancer Advisory Board, reported that access to data for research has been delayed due to the varying approaches that some providers are taking to research requests under the Privacy Rule. They reported that research studies involving several sites of care have been delayed because of the different confidentiality requirements at study provider sites. Under the rule, researchers must obtain institutional review board (IRB) or privacy board approval for their studies to waive the patient authorization requirement. HHS guidance states that a multisite research study need obtain approval from only one of the provider sites, but researchers' organizations contend that often each provider institution requires that its own IRB approve the waiver request. They noted that meeting the requirements of multiple IRB reviews can add substantial time to completing these studies.

Under the Privacy Rule, researchers seeking authorization to use patient information must pursue their requests through the patients' providers.
Organizations reported that smaller providers with more limited administrative resources--such as some group practices and rural community hospitals--are reluctant to facilitate research studies because of misunderstanding of the rule and the added burden of contacting patients. Providers may also decline to participate because of concern about liability and because of the administrative burden of the accounting for disclosures requirement. For example, the Association of American Medical Colleges reported that some physicians no longer contribute data to research registries for cancer because of the additional resources required to track these disclosures.

Another issue raised by several organizations we spoke with concerned the perceived conflicts between the Privacy Rule and the federal regulation governing the protection of human subjects in research, known as the Common Rule. Research groups noted that differences between Privacy Rule and Common Rule requirements may cause confusion among researchers and covered entities and create unnecessary obstacles to research. For example, they stated that one difference relates to the scope of authority of informed consent or authorization: informed consent by patients under the Common Rule covers the research effort as a whole, including future disclosures from registries and data repositories. In contrast, they noted that under the Privacy Rule a patient's authorization or an IRB's waiver of authorization covers only a specific research study and not future unspecified research. Some national organizations expressed concern that providers and health plans may find it too confusing to comply with both the Privacy Rule and Common Rule requirements in responding to research proposals and requests. An AHIMA official reported that in some cases, providers and health plans "just threw up their hands and said they would just not give information to researchers."
CMS--a source of health services utilization data on Medicare beneficiaries--did not approve research requests for approximately 6 months while it developed new criteria and procedures for review of research requests to comply with the Privacy Rule. CMS now requires that researchers, who submit about 1,000 requests each year, provide more information about their study methodology and demonstrate that their research purpose is consistent with CMS's mission. To comply with the Privacy Rule, CMS established a privacy board to review research requests. The board meets once a month, which lengthens this phase of CMS's research approval process.

The Association of American Medical Colleges, the Association of Clinical Research Organizations, and public health organizations such as the Association of State and Territorial Health Officials and CSTE reported that OCR's guidance has not addressed some of the key misunderstandings and fundamental problems associated with the Privacy Rule's impact on research. Ambiguity remains in determining whether a health survey activity is considered health care operations or research and whether a public health entity's data request is part of its public health activities or is for research. These organizations stated their desire for OCR to address concerns through official revisions to the rule and issuance of federal guidance. They believe that compared with OCR's efforts to provide information on its Web site, such official actions would "carry more weight" among providers, health plans, and research organizations.

Patient Advocates Report Obstacles to Obtaining Data on Behalf of Patients:

Organizations representing patient advocates reported that their members face new obstacles when seeking access to protected health information on behalf of patients.
Such access problems, they say, are due to excessive paperwork, misunderstanding of the rule, and reluctance by providers and health plans to share information with legal aid attorneys, state ombudsmen, and others when the rule permits discretion. The rule gives providers and plans some latitude in exercising their professional judgment about when to disclose protected health information to individuals serving as patient advocates who are not "personal representatives" as defined by the Privacy Rule.[Footnote 18] Factors such as liability concerns and the burden of accounting for disclosures may contribute to their guarded disclosure practices.

Representatives for Families USA's Health Assistance Partnership and the National Health Law Program reported problems when lawyers or other patient advocates sought a client's medical records. These organizations contend that some providers deny access and other providers delay or restrict access by requiring the use of a provider's customized authorization form. They asserted that it can be cumbersome if a patient's signature on multiple unique forms needs to be obtained from each provider.

These organizations also noted that state ombudsman services--telephone programs that assist consumers, such as the elderly and disabled, with problems accessing health care--have had problems intervening on behalf of consumers over the telephone. Even after a consumer has given verbal approval, providers have declined to share information with the ombudsman in subsequent phone calls if the patient is not also on the telephone.

In addition, AHIP, AHCA, and BCBSA reported that families and friends of patients continue to face problems obtaining information to assist in patients' care. BCBSA reported that some plans are confused about how to implement the Privacy Rule's provisions for releasing information to families, friends, and others.
Where the rule permits discretion, some covered entities have taken a strict approach to patient authorization requirements, requiring any adult calling on behalf of another adult to obtain an authorization form signed by the patient. For example, this approach resulted in one health plan requiring 10,000 patient authorizations during the first year. Similarly, AHCA found that some long-term care facilities have taken a strict approach to disclosing information and do not provide information to nursing home residents' family members without patient authorization. AHCA also reported that the Privacy Rule does not address a potential conflict with the Omnibus Budget Reconciliation Act of 1987, which requires nursing homes to notify families of incidents or significant changes in health status unless the resident exercises the right to privacy. Under the Privacy Rule, a provider may, in certain situations, determine whether or not to share information with family based on professional judgment.

Evidence Suggests Patients Are Not Aware of Privacy Rights or May Misunderstand the Privacy Rule:

Numerous organizations reported that patients are not aware of their rights under the Privacy Rule, either because they do not understand the notice of privacy practices or because they have not focused their attention on privacy issues when the notices are presented to them. In the first year after entities were required to be compliant with the Privacy Rule, OCR received over 5,600 privacy complaints and closed about half of the complaint cases filed. Nearly two-thirds of the closed cases were resolved on the basis that they were outside the scope of the Privacy Rule, suggesting that patients may misunderstand their rights.
Diverse Groups Contend That Patients Are Not Well Informed of Their Rights:

Consumer groups--including AARP, the Bazelon Center for Mental Health Law, the Health Privacy Project, the Health Assistance Partnership, and the National Health Law Program--reported that many patients are not aware of their privacy rights. They attribute this, in part, to the use of customized privacy notices. For example, consumer groups reported that typical privacy notices, as drafted by providers and health plans, are often difficult to read and understand. The Health Privacy Project maintained that the privacy notices are written primarily to protect providers and health plans from enforcement actions, rather than as a vehicle to inform the patient. It noted that even basic information about disclosures and the right to access records is often buried in the document.

Representatives of providers and health plans also stated that patients are largely unaware of their rights. According to AHIMA, patients are unaware of their privacy rights because the privacy notice is treated as one more piece of paper that they have to sign when they seek care. MGMA noted that some physicians have placed boxes in their offices specifically for the purpose of recycling the notices after patients discard them.

Representatives from both provider and consumer groups noted that the public should receive more education about how their rights have changed. MGMA told us that OCR has placed the burden of patient education on private organizations--such as professional associations, providers, and health plans--and that some of these organizations interpret the rule incorrectly. Moreover, provider and consumer groups stated that further OCR attention is needed to address the issue of privacy notices that are difficult for patients to read and understand. Some groups told us that the notice of privacy practices could be made easier to comprehend by highlighting some key patient rights under the Privacy Rule.
Complaints Filed with HHS OCR Indicate That Patients May Misunderstand the Privacy Rule:

In the first year that entities were required to be compliant with the Privacy Rule, consumers and others filed 5,648 privacy-related complaints with OCR. The number of complaints received increased steadily from quarter to quarter, with each quarter's intake totaling 1,068, 1,392, 1,521, and 1,667, respectively. Overall, roughly half of the complaints filed in the rule's first year were closed as of early May 2004.

The database that OCR maintains on these complaints includes information that classifies one or more privacy issues raised in several broad categories. Data on the open and closed cases showed that the most commonly cited category (56 percent of complaints) was "impermissible uses and disclosures."[Footnote 19] According to an OCR official, this could include allegations regarding patient billing information sent to the wrong address or fax number, patient information seen or overheard in a doctor's office or hospital, or provider employees accessing patient information for their own personal or business benefit.[Footnote 20] Approximately a third of the complaints cited inadequate safeguards for patient information, and 17 percent reported problems with patients gaining access to their own health information.

Patients have filed privacy complaints against many different types of health care entities. The two most commonly cited were private practices--comprising physicians, dentists, chiropractors, and similar licensed health professionals--and hospitals--including general, psychiatric, and specialty hospitals. Together, private practices and hospitals accounted for 41 percent of privacy complaints with information on entity type recorded.[Footnote 21]

For closed cases, the OCR database provides additional information, primarily related to the final disposition of the complaint.
The majority of these complaints--79.1 percent--were not germane to the Privacy Rule, lacked sufficient information to process them, or fell into diverse miscellaneous categories. That left 20.9 percent of the closed privacy complaints that OCR concluded fell within the scope of the Privacy Rule (see table 1).[Footnote 22]

Table 1: Outcomes of Privacy Complaints Closed by OCR from April 14, 2003, through April 13, 2004:

(Indented rows are subcategories of the row above them; subcategory counts sum to the category total.)

Outcome category                                                       Number of cases   Percentage
-------------------------------------------------------------------------------------------------
Germane to the Privacy Rule                                                        573        20.9%
    Violation occurred and corrective action agreed to[A]                          258         9.4%
    No violation occurred                                                          315        11.5%
Not germane to the Privacy Rule                                                  1,760        64.2%
    Alleged action not prohibited by Privacy Rule                                  971        35.4%
    Entity cited in the allegation is not a covered entity                         484        17.7%
    Alleged action took place before April 14, 2003,
      the compliance date of the Privacy Rule                                      264         9.6%
    Other                                                                           41         1.5%
Indeterminate                                                                      408        14.9%
    Complaint incomplete                                                           364        13.3%
    Miscellaneous and other                                                         44         1.6%
-------------------------------------------------------------------------------------------------
Total                                                                            2,741       100.0%

Source: GAO analysis of OCR data.

[A] In these cases, OCR obtained voluntary compliance from covered entities and did not issue a formal violation finding.

[End of table]

About half of the germane complaints (representing 9.4 percent of total closed cases) involved a violation of the Privacy Rule substantiated by OCR's investigation where the provider or plan agreed to correct its policies or procedures.
For the rest of these germane complaints (11.5 percent of total closed cases), OCR determined that no violation had occurred. By May 2004, OCR had not recommended sanctions against any provider or health plan for privacy violations, but this remained a potential outcome for the first-year complaints that were still open at that point.

Nearly two-thirds of the privacy complaints closed during the rule's first year of operation fell outside the scope or time frame of the rule. This included the 35.4 percent of closed privacy complaints that involved alleged actions by providers, health plans, or other entities that OCR determined would not constitute violations of the regulation even if true. In other words, they concerned actions to which the patient might object, but that were not prohibited by the Privacy Rule. An additional 17.7 percent of closed complaints involved entities that were not "covered entities" as defined by the Privacy Rule, and 9.6 percent cited actions that occurred before covered entities were required to be compliant. However, OCR officials stated that the proportion of complaints closed because they were not germane to the Privacy Rule may have been higher in the first year of the rule's implementation than it will be in later years, because OCR can generally complete its processing of such complaints more quickly than complaints that require full-scale investigations. Just over half of the complaints received in the first year remained open in early May 2004.

Finally, about 15 percent of closed complaints fell into one of a number of miscellaneous categories or, more commonly, could not be pursued because OCR did not receive, and could not obtain, critical information. For example, some complaints lacked addresses or telephone numbers by which the persons filing the complaints could be contacted for more information.
Closed complaints involving three major categories of providers--private practices,[Footnote 23] hospitals, and pharmacies--were more likely to be judged germane under the Privacy Rule by OCR than were complaints about other organizations. Nevertheless, for each of these major provider types, as well as for all other entities cited in privacy complaints, OCR found that a clear majority of the complaints it closed were not germane to the regulation because they either involved accusations of actions that were not prohibited by the regulation, involved entities that were not "covered entities" as defined by the Privacy Rule, or involved actions that occurred before covered entities were required to be compliant (see fig. 1).

Figure 1: Outcomes of Privacy Complaints Closed by OCR from April 14, 2003, through April 13, 2004, by Type of Entity Cited:

[See PDF for image]

Note: Numbers in columns represent the number of complaints for that outcome category.

[End of figure]

The similarity of this pattern across different types of entities suggests that patients may misunderstand the scope of the protections provided to them under the Privacy Rule. The pattern is also consistent with consumer advocates' opinions concerning the limitations of privacy notices in informing patients about their rights under the Privacy Rule.

Conclusions:

Overall, in its first year, HIPAA's Privacy Rule has resulted in both positive and negative experiences among covered entities and other users of health information. Health care staff have been sensitized to privacy issues and the procedures required of their organizations to protect patient health information. Providers and health plans have taken steps to develop working environments that are sensitive to patient privacy and to enhance staff understanding of how to handle the complexities of complying with the Privacy Rule. However, some operational issues and misconceptions about the rule continue to raise concerns.
A prime example is the requirement to account for disclosures for public health purposes that are mandated by law. This requirement is seen by many to have created a costly and unnecessary demand on providers and health plans and a drag on the flow of information for purposes considered to be in the public interest. Providers and health plans that are uncertain or misinformed about their privacy responsibilities have often responded with an overly guarded approach to disclosing information, resulting in procedures that may be more protective of the organizations than necessary to ensure compliance with the Privacy Rule. At the same time, the job of educating the public about the content and intent of the Privacy Rule has been relegated to providers and health plans, and their privacy notices have not consistently provided a clear message to patients.

Recommendations for Executive Action:

We recommend that to reduce unnecessary burden on covered entities and to improve the effectiveness of the Privacy Rule, the Secretary of HHS take the following two actions:

* Modify the Privacy Rule to (1) require that patients be informed in the notice of privacy practices that their information will be disclosed to public health authorities when required by law and (2) exempt such public health disclosures from the accounting-for-disclosures provision.

* Conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule.

Agency Comments and Our Evaluation:

In written comments on a draft of this report, HHS agreed with our finding that implementation went more smoothly than expected during the first year, confusion has diminished, and new privacy procedures have become routine practice for staff. HHS stated that the experience of providers and health plans in implementing the Privacy Rule, as we reported, was generally consistent with what HHS has heard from many covered entities and others. (See app. II.)
Regarding our recommendation that mandatory reporting of health information to public health authorities be exempted from the accounting for disclosures requirement, HHS noted that it has considered such a change in the past and continues to monitor the need to modify the Privacy Rule. In August 2002, HHS considered exempting public health disclosures from the accounting provisions whether required by law or not, but decided against such a modification pending further experience with the rule. HHS acknowledged that covered entities continue to report difficulties tracking such disclosures and stated that its guidance documents emphasize flexibility in how covered entities structure their record keeping.

Given HHS's goal of ensuring effective patient privacy protections without imposing unnecessary costs or barriers to quality health care or interfering with other important public benefits, we remain concerned that the accounting for disclosures provision as applied to mandatory public health reporting may not support this goal. Effective privacy notices could be used to inform patients of public health disclosures required by law and, in turn, reduce the need to track these numerous disclosures. Furthermore, public health officials noted that the burden imposed by accounting for legally required disclosures may generate the unintended consequence of reducing the amount of information voluntarily reported to public health authorities. To the extent that covered entities are discouraged in this way, the public interest may be negatively affected.

In commenting on our second recommendation, to conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule, HHS agreed that notices of privacy practices may appear too long and complicated and that consumers may not be closely reading their notices.
HHS stated that the complaint data received by OCR may not indicate that consumers are unaware of their rights under the rule, but rather that they may not properly understand them. Regarding its consumer outreach, HHS pointed to two new consumer fact sheets posted to its Web site on August 17, 2004, a toll-free call-in line to respond to questions about the rule, and efforts to encourage covered entities to develop consumer-friendly notices that highlight key information. Evidence from numerous organizations indicated that consumers are largely unaware of their rights under the Privacy Rule, and our analysis of OCR complaint data suggested that consumers may misunderstand the scope of the protections provided. A more diverse approach to consumer outreach may be necessary to communicate the new privacy rights effectively. The information available on the HHS Web site and from the call-in line provides access for a portion of the general public but may not reach the many consumers who do not know of these sources. We believe it is important that, in current and future efforts to educate the public, HHS more effectively disseminate information about protections provided under the Privacy Rule.

As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from its date. At that time, we will send copies of this report to the Secretary of HHS and to other interested parties. In addition, this report will be available at no charge on GAO's Web site at http://www.gao.gov. We will also make copies available to others upon request. If you or your staff have any questions about this report, please call me at (312) 220-7600. Another contact and key contributors are listed in appendix III.

Sincerely yours,

Signed by:

Leslie G. Aronovitz
Director, Health Care--Program Administration and Integrity Issues

[End of section]

Appendixes:

Appendix I: Organizations Interviewed

We included the following national organizations and federal agencies in our review.

Health Care Providers:
- American Health Care Association
- American Hospital Association
- American Medical Association
- American Pharmacists' Association
- Medical Group Management Association
- National Association of Community Health Centers

Health Plans:
- America's Health Insurance Plans
- Blue Cross Blue Shield Association
- Medicare (HHS's Centers for Medicare & Medicaid Services)

Public Health:
- Association of State and Territorial Health Officials
- Council of State and Territorial Epidemiologists
- HHS's Centers for Disease Control and Prevention

Health Care Research:
- Academy Health
- Association of American Medical Colleges
- Association of Clinical Research Organizations
- National Cancer Advisory Board

Patient Advocates:
- AARP
- Bazelon Center for Mental Health Law
- Health Assistance Partnership
- Health Privacy Project
- National Health Law Program

Other:
- American Health Information Management Association
- Health Care Compliance Association
- Healthcare Leadership Council
- Joint Commission on Accreditation of Healthcare Organizations

[End of section]

Appendix II: Comments from the Department of Health and Human Services

DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of Inspector General
Washington, D.C. 20201

AUG 27 2004

Ms. Leslie G. Aronovitz
Director, Health Care-Program Administration and Integrity Issues
United States Government Accountability Office
Washington, D.C. 20548

Dear Ms. Aronovitz:

Enclosed are the Department's comments on your draft report entitled, "Health Information: First-Year Experiences under the Federal Privacy Rule" (GAO-04-965). The comments represent the tentative position of the Department and are subject to reevaluation when the final version of this report is received.
The Department provided several technical comments directly to your staff. The Department appreciates the opportunity to comment on this draft report before its publication.

Sincerely,

Signed by:

Lewis Morris
Chief Counsel to the Inspector General

Enclosure

The Office of Inspector General (OIG) is transmitting the Department's response to this draft report in our capacity as the Department's designated focal point and coordinator for Government Accountability Office reports. OIG has not conducted an independent assessment of these comments and therefore expresses no opinion on them.

COMMENTS OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) ON THE GOVERNMENT ACCOUNTABILITY OFFICE'S (GAO) DRAFT REPORT "HEALTH INFORMATION: FIRST-YEAR EXPERIENCES UNDER THE FEDERAL PRIVACY RULE" (GAO-04-965)

HHS appreciates the opportunity to comment on the GAO's draft report. The Department is committed to implementing strong and effective patient privacy protections that are appropriately balanced so as not to unnecessarily interfere with access to quality health care or other important public benefits and national priorities. The Privacy Rule affords health care consumers important new rights to access their health information and increases their ability to control uses and disclosures of this information. The GAO draft report focuses on the experience of providers and health plans in implementation, and of researchers, public health entities, and patient advocates in obtaining access to health information during this first year of Privacy Rule compliance, as well as the extent to which patients appear to be aware of their rights. It is gratifying to hear from GAO's report that providers and health plan representatives reported that implementation of the Privacy Rule went more smoothly than expected during this first year, confusion has diminished, and that new privacy procedures have become routine practice for staff.
This is consistent with what the Department itself has heard from many covered entities and other stakeholders. The Department's Office for Civil Rights (OCR) is responsible for administering and enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As part of that effort, OCR has undertaken expansive outreach to educate covered entities about the Rule, including providing guidance on an ongoing basis in targeted areas and to clarify aspects of the Rule as needed, and to educate the public about their new rights under the Rule. A significant number of guidance materials OCR has published, including materials published since GAO undertook this review, address areas GAO identifies as needing additional clarity. OCR's ongoing outreach efforts include:

* Development and broad dissemination of guidance and other information on the OCR web site at http://www.hhs.gov/ocr/hipaa. The web site includes, among other materials,
  - a Summary of the Privacy Rule, with links to other helpful information on specific topics;
  - fact sheets on general and specific topics of interest to various stakeholders, such as Business Associates, and most recently, a set of new Consumer fact sheets;
  - hundreds of searchable answers to frequently asked questions, which have been accessed over 2.3 million times, including a newly-published FAQ on disclosures to law enforcement;
  - sample business associate contract provisions;
  - extensive guidance materials developed in conjunction with the National Institutes of Health and the Centers for Disease Control and Prevention that explain the research and public health provisions of the Rule; and
  - information for consumers on how to file complaints with OCR.
* Broadcasting to a listserv, which now has nearly 15,000 subscribers, to assist in making sure that guidance materials are broadly disseminated as soon as they are published.
* Offering a free call-in line for HIPAA Privacy Rule questions, 1-866-627-7748, in conjunction with the Centers for Medicare and Medicaid Services (CMS). Since April 2003, some 30,000 calls related to the Privacy Rule have been responded to.
* Giving hundreds of presentations and telephone audio conferences to varied audiences across the country on all aspects of the Privacy Rule.

OCR and the Department remain committed to these outreach and technical assistance efforts.

GAO Recommendation: Modify the Privacy Rule to (1) require that patients be informed in the notice of privacy practices that their information will be disclosed to public health authorities when required by law, and (2) exempt such public health disclosures from the accounting-for-disclosures provision.

HHS Response: The draft report and Recommendation reflect concerns we also have heard from certain covered entities and other stakeholders regarding the accounting for disclosures provision of the Privacy Rule. For example, we have heard concerns regarding the burden associated with accounting for routine public health disclosures, routine disclosures to Federal and State oversight authorities, and disclosures in other contexts, whether required by law or not. When modifying the Privacy Rule in August 2002 to address certain workability concerns, the Department considered the extent to which such disclosures should be exempted from the accounting provisions, seeking to balance an individual's right to know about disclosures of which he or she otherwise may not have specific knowledge, with the potential cost and other burdens on covered entities in providing the accounting. Ultimately, the Department decided against any such modification at the time, pending further experience with the Rule in this regard.
Now, more than 1 year into implementation of the Privacy Rule, the Department continues to receive anecdotal accounts, such as are reflected in this GAO report, of challenges covered entities have faced in tracking disclosures that must be accounted for under the Rule, and that relatively few consumers have thus far requested an accounting. The Department has responded to these concerns by publishing guidance that emphasizes that the Rule flexibly permits covered entities to structure their records systems in any way that efficiently permits them to comply with the Rule, and clarifying, for instance, that notations do not have to be made in each client file - particularly where more routine disclosures are concerned and where the information can be retrieved, as needed, by other methods. In addition, the Department continues to monitor experience with this aspect of the Rule, along with the benefits to consumers it affords, to determine whether modification of the Rule may be required. As with other areas of the Rule, our goal is to ensure that the Rule strikes the appropriate balance: affording individuals their rights, including the right to be informed of how their health information may be used and disclosed, without unnecessarily imposing costs or barriers to quality health care.

GAO Recommendation: Conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule.

HHS Response: We fully agree it is essential that health care consumers are aware of their significant new rights under the Privacy Rule, and have been working diligently toward that end. For example, in recent weeks OCR published and is disseminating two new fact sheets (enclosed) - targeted specifically to consumers, and designed in a consumer-friendly format - that explain an individual's rights and protections under the Rule.
As a further example, the toll-free call-in line continues to provide consumers and other callers with instant information about the Rule, and advises where additional information readily can be obtained. We agree that many Notices of Privacy Practices may appear too long and complicated to consumers, and similarly are concerned with reports that consumers are not closely reading them. To address this, we have encouraged covered entities to focus on creating consumer-friendly notices by using layered notices that describe the individual's rights and other key information in clear and simple language up front, and have required in the Rule itself that the notices be written in plain language. Further, the Privacy Rule requires covered health care providers with a direct treatment relationship with individuals to make a good faith effort to obtain a written acknowledgment of receipt of the notice, so that individuals are afforded an opportunity to focus on and discuss their privacy concerns and questions with their providers.

We note that the GAO-cited data on non-germane complaints may not actually indicate that consumers are unaware of their Privacy Rule rights, as GAO suggests. Rather, the number of such complaints could also indicate that consumers have been made aware, through the Notice of Privacy Practices and OCR's outreach efforts, of the important new rights they have with respect to their health information, though they may not comprehend entirely the parameters of those rights. For example, a consumer who has been made aware of the existence of protections now required under the Privacy Rule may file a complaint naming her provider even though that provider is not a covered entity; or the individual may believe that the Rule requires an action when it does not, as is the case, for instance, where a complainant alleges problems in having his medical records sent to his new doctor.
In any case, OCR will continue its efforts to increase consumer awareness about both the existence and nature of their rights and protections under the Rule.

Your Privacy Is Important to All of Us

Most of us feel that our health and medical information is private and should be protected, and we want to know who has this information. Now, Federal law:
- Gives you rights over your health information
- Sets rules and limits on who can look at and receive your health information

Your Health Information Is Protected By Federal Law

Who must follow this law?
- Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers
- Health insurance companies, HMOs, most employer group health plans
- Certain government programs that pay for health care, such as Medicare and Medicaid

What information is protected?
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer's computer system
- Billing information about you at your clinic
- Most other health information about you held by those who must follow this law

The Law Gives You Rights Over Your Health Information

Providers and health insurers who are required to follow this law must comply with your right to:
- Ask to see and get a copy of your health records
- Have corrections added to your health information
- Receive a notice that tells you how your health information may be used and shared
- Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
- Get a report on when and why your health information was shared for certain purposes

If you believe your rights are being denied or your health information isn't being protected, you can:
- File a complaint with your provider or health insurer
- File a complaint with the U.S. Government

You should get to know these important rights, which help you protect your health information. You can ask your provider or health insurer questions about your rights. You also can learn more about your rights, including how to file a complaint, from the website at www.hhs.gov/ocr/hipaa/ or by calling 1-866-627-7748; the phone call is free.

For More Information: This is a brief summary of your rights and protections under the federal health information privacy law. You can learn more about health information privacy and your rights in a fact sheet called "Your Health Information Privacy Rights". You can get this from the website at www.hhs.gov/ocr/hipaa/. You can also call 1-866-627-7748; the phone call is free.

Other privacy rights: Another law provides additional privacy protections to patients of alcohol and drug treatment programs. For more information, go to the website at www.samhsa.gov.

The Law Sets Rules and Limits on Who Can Look At and Receive Your Information

To make sure that your information is protected in a way that does not interfere with your health care, your information can be used and shared:
- For your treatment and care coordination
- To pay doctors and hospitals for your health care and help run their businesses
- With your family, relatives, friends or others you identify who are involved with your health care or your health care bills, unless you object
- To make sure doctors give good care and nursing homes are clean and safe
- To protect the public's health, such as by reporting when the flu is in your area
- To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it.
For example, without your authorization, your provider generally cannot:
- Give your information to your employer
- Use or share your information for marketing or advertising purposes
- Share private notes about your mental health counseling sessions

Published by U.S. Department of Health & Human Services Office for Civil Rights

The Law Protects the Privacy of Your Health Information

Providers and health insurers who are required to follow this law must keep your information private by:
- Teaching the people who work for them how your information may and may not be used and shared
- Taking appropriate and reasonable steps to keep your health information secure

Privacy is important to all of us

You have privacy rights under a federal law that protects your health information. These rights are important for you to know. You can exercise these rights, ask questions about them, and file a complaint if you think your rights are being denied or your health information isn't being protected.

Who must follow this law?
- Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers
- Health insurance companies, HMOs, most employer group health plans
- Certain government programs that pay for health care, such as Medicare and Medicaid

Providers and health insurers who are required to follow this law must comply with your right to...

Ask to see and get a copy of your health records: You can ask to see and get a copy of your medical record and other health information. You may not be able to get all of your information in a few special cases. For example, if your doctor decides something in your file might endanger you or someone else, the doctor may not have to give this information to you. In most cases, your copies must be given to you within 30 days, but this can be extended for another 30 days if you are given a reason. You may have to pay for the cost of copying and mailing if you request copies and mailing.
Have corrections added to your health information: You can ask to change any wrong information in your file or add information to your file if it is incomplete. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file. In most cases the file should be changed within 60 days, but the hospital can take an extra 30 days if you are given a reason.

Receive a notice that tells you how your health information is used and shared: You can learn how your health information is used and shared by your provider or health insurer. They must give you a notice that tells you how they may use and share your health information and how you can exercise your rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health insurer, and you can ask for a copy at any time.

Decide whether to give your permission before your information can be used or shared for certain purposes: In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for.

Privacy is important to all of us

Other privacy rights: You may have other health information rights under your state's laws. When these laws affect how your health information can be used or shared, that should be made clear in the notice you receive.

For more information: This is a brief summary of your rights and protections under the federal health information privacy law. You can ask your provider or health insurer questions about how your health information is used or shared and about your rights.
You also can learn more, including how to file a complaint with the U.S. Government, at the website at www.hhs.gov/ocr/hipaa/ or by calling 1-866-627-7748; the phone call is free.

Published by: U.S. Department of Health & Human Services Office for Civil Rights

Providers and health insurers who are required to follow this law must comply with your right to:

Get a report on when and why your health information was shared: Under the law, your health information may be used and shared for particular reasons, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or making required reports to the police, such as reporting gunshot wounds. In many cases, you can ask for and get a list of who your health information has been shared with for these reasons. You can get this report for free once a year. In most cases you should get the report within 60 days, but it can take an extra 30 days if you are given a reason.

Ask to be reached somewhere other than home: You can make reasonable requests to be contacted at different places or in a different way. For example, you can have the nurse call you at your office instead of your home, or send mail to you in an envelope instead of on a postcard. If sending information to you at home might put you in danger, your health insurer must talk, call, or write to you where you ask and in the way you ask, if the request is reasonable.

Ask that your information not be shared: You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, they do not have to agree to do what you ask.
File complaints: If you believe your information was used or shared in a way that is not allowed under the privacy law, or if you were not able to exercise your rights, you can file a complaint with your provider or health insurer. The privacy notice you receive from them will tell you who to talk to and how to file a complaint. You can also file a complaint with the U.S. Government.

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact: Rosamond Katz, (202) 512-7148

Acknowledgments: In addition to the contact named above, Kelly L. DeMots, Mary F. Giffin, Eric A. Peterson, and Lisa M. Vasquez made key contributions to this report.

(290372)

FOOTNOTES

[1] Pub. L. No. 104-191, § 264, 110 Stat. 1936, 2033. Additionally, HIPAA's administrative simplification provisions are aimed at encouraging the electronic transfer of health information and require the development of standards for electronic transactions, including standards for unique identifiers, code sets, and security. See §§ 261 and 262, 110 Stat. at 2021-2031.

[2] NCVHS is an 18-member committee of individuals in the private sector that serves as the statutory public advisory body to the Secretary of HHS in the area of health data and statistics.

[3] 45 C.F.R. pts. 160 and 164 (2003).

[4] "Health information" includes oral or written information created or received by health care providers or others related to the medical condition of, providing health care to, or paying for health care provided to an individual. "Individually identifiable health information" is health information that identifies an individual or from which there is a reasonable basis to believe an individual may be identified.

[5] Providers include hospitals, physicians, dentists, pharmacies, and any other persons or organizations that furnish, bill, or are paid for health care. "Health plans" refers to individual and group plans that provide or pay the cost of medical care. "Clearinghouses" refers to entities that facilitate the flow of information between providers and payers. In addition, sponsors of Medicare-endorsed prescription drug discount cards were added as covered entities by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, although the Secretary is authorized to waive portions of the privacy rule to promote sponsor participation.

[6] An IRB is a board, committee, or other group established in accordance with applicable federal regulations and formally designated by an institution to review human subject research. A privacy board is a review body that may be established to act on research requests under the Privacy Rule in place of using an IRB. Before issuing waivers, these boards must determine, among other things, that the use or disclosure of protected health information involves no more than a minimal risk to the privacy of the individuals.

[7] The Privacy Rule does not create a private cause of action--that is, a federal right to sue for violations of the rule.

[8] "De-identified" information is not considered individually identifiable health information. De-identification of data can be achieved in two ways: (1) all individually identifiable data--for example, names, addresses, phone numbers, Social Security numbers, dates indicative of age, and other unique identifiers--are removed or (2) a qualified statistician, using generally accepted statistical and scientific principles, determines that the risk is very small that the individual could be identified.

[9] A limited data set has many direct identifiers removed, such as name, street address, telephone number, and Social Security number.

[10] Civil monetary penalties can include fines of $100 per violation up to $25,000 per year for all violations of an identical requirement. Criminal penalties can include fines of up to $250,000 and imprisonment for up to 10 years.

[11] Examples of the types of health information providers are asked to report included births and deaths, cancer cases, brain and spinal cord injuries, child immunizations, blood lead analyses, and reports of work-related injuries.

[12] In August 2002, HHS determined that elimination of this requirement was not justified without ensuring the individual's knowledge of such disclosures.

[13] The Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance recently established a certification program--called the Privacy Certification for Business Associates program--that is intended to provide business associates with independent verification that they are complying with the Privacy Rule. Both of these organizations assess providers' compliance with quality standards.

[14] Covered entities with existing written contracts or agreements with business associates prior to October 15, 2002, that were not renewed or modified prior to April 14, 2003, were permitted to continue to operate under those contracts until they renewed them or until April 14, 2004, whichever came first.

[15] OCR posted on its Web site a fact sheet and FAQs as guidance for the business associate provisions in July 2001, and sample contract language in August 2002. OCR updated the fact sheet and the FAQs for the business associate provisions in December 2002.

[16] While patient authorization is not required for disclosures for public health purposes, providers and health plans must maintain an accounting for such disclosures under the Privacy Rule.

[17] The survey response rate was 74 percent (29 of 40 programs).

[18] Under the Privacy Rule, a personal representative generally is a person who is lawfully authorized to act on behalf of the patient in making decisions related to health care.

[19] The percentages provided on cited categories reflect complaints for which this information was recorded. The OCR complaint data lacked such information for 40 percent of open cases and 46 percent of closed cases.

[20] OCR defines "impermissible uses and disclosures" as any use or disclosure of protected health information without patient authorization that falls outside of the permitted uses specified in the regulation. The OCR database provides no additional information describing the action or policy that prompted these complaints.

[21] Many more open complaints (45 percent) than closed ones (4.5 percent) lacked information on entity type.

[22] There were no complaints with missing data with respect to case closure disposition.

[23] Private practices include physicians, dentists, chiropractors, osteopaths, and other licensed medical providers.

GAO's Mission:

The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site (www.gao.gov) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily.
The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone: Voice: (202) 512-6000; TDD: (202) 512-2537; Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, D.C. 20548
