GAO Recommends Privacy Rule Changes
Health Data Management (October 6, 2004)

The Department of Health and Human Services should exempt from the HIPAA privacy rule the accounting of disclosures of information for public health purposes mandated by law, the Government Accountability Office recommends. Provider and payer organizations have argued that the provision is overly burdensome, as they must release such information regardless of whether the disclosures are accounted.
The GAO, a congressional oversight agency, further recommends the privacy rule be modified to require that patients be informed in notices of privacy practices that their information will be disclosed to public health authorities when required by law.

In a report recently sent to the Senate Committee on Health, Education, Labor and Pensions, the GAO examined provider and payer experiences in the first year of complying with the privacy rule. The agency found that the rule is working to safeguard patient privacy. "Health care staff have been sensitized to privacy issues and the procedures required of their organizations to protect patient health information," according to the report. "Providers and health plans have taken steps to develop working environments that are sensitive to patient privacy and to enhance staff understanding of how to handle the complexities of complying with the privacy rule."

In addition to the burden of accounting for public disclosures, however, other operational issues and misconceptions about the rule raise concerns, according to the GAO. These include confusion over provisions concerning business associate requirements under the rule, and covered entities taking an overly guarded approach to disclosing information.

Further, "The job of educating the public about the content and intent of the privacy rule has been relegated to providers and health plans, and their privacy notices have not consistently provided a clear message to patients," the report states. Consequently, the GAO recommends HHS conduct a public information campaign to improve awareness of patients' rights under the privacy rule.

Text of the 43-page report, "Health Information: First-Year Experiences Under the Federal Privacy Rule," is available at http://www.gao.gov/new.items/d04965.pdf.

Posted to HIPAAcomply 10/7/04