Publications

We wanted to take a moment to summarize for you the uncertain status and politics of the HIPAA privacy regulations and the implications for this uncertainty on how to plan for HIPAA compliance and other information technology (IT) strategies. In short, this remains a time for evaluating your current privacy and security practices, thinking about big picture strategies, and evaluating how HIPAA privacy compliance will fit into your other IT initiatives.

As you know, the Department of Health and Human Services issued a “final” privacy HIPAA rule during the last hours of the Clinton administration, on December 28, 2000. Although initially effective February 14, 2001 with a general compliance date of February 14, 2003, the effective and compliance dates were pushed back to April 14, 2001 and April 14, 2003, respectively, due to a bureaucratic technical error.

Still further developments have arisen in the unstill wake of the final rule’s publication. The new Secretary of HHS, Tommy Thompson, announced a 30-day comment period on the final rule, which ends Friday, March 30, 2001, an unusual administrative procedure. Although the comment period does not specifically delay implementation, it may result in some changes to the rule and potentially a further delay.

In addition, on March 15, Congressman Ron Paul introduced a joint resolution (HJR 38) in the House of Representatives to “disapprove” the privacy rule under the authority of the Congressional Review Act. The Congressional Review Act gives Congress the authority to review and disapprove the final rule before its effective date (April 14, 2001). If Congress adopts the resolution, the rule will effectively be revoked. The resolution has been referred to various House committees. It is not clear how much support there is in Congress for Rep. Paul’s resolution. Some prominent commentators and organizations are pushing for at least a delay in the implementation deadline while other interests maintain that the rule still does not go far enough.

The enclosed advisory summarizes the current “final” rule and suggests preliminary steps for getting started now while keeping an eye on further HIPAA developments. It may be advisable to hold off on some of the suggested steps (such as developing policies and procedures and workforce training) in light of new developments arising after the advisory’s publication. Fortunately, much of the uncertainty concerning the privacy rule should dissipate as the 30-day comment period and the April 14, 2001 Congressional deadline draw to a close.

Although the status of the final privacy rule is uncertain and HCFA had not yet issued a final HIPAA security rule, you should be aware that the HIPAA Standards for Electronic Transactions regulations remain final, with a compliance deadline of October 16, 2002. You should have a compliance strategy underway to meet these standards, which address transactions such as electronic billing and payment.

We will continue to keep you informed of developments in this area and invite your questions or comments. As issues in Health Information Technology continue to develop – with or without HIPAA – we also welcome your submission of questions to be addressed in our future newsletters.

Sincerely,

THE HEALTH INFORMATION TECHNOLOGY GROUP

Of WIGGIN & DANA