Final privacy rule is good, but need security rules too - HIPAA Update

Health Management Technology, Oct, 2002

Last month's issuance of the final privacy rules under HIPAA--with the same compliance date of April 14, 2003--culminated a seven-year effort to establish the first major national rules for protecting private health information. While some consumer groups criticized revisions and Democratic leaders threatened to propose amending legislation, most healthcare organizations and other observers applauded the final rule as a "balanced" and "workable" compromise that will require sweeping operational changes and major expenditures in healthcare.

Two key rulings were 1) protected health information (PHI) safeguards do not apply to employers or the employment functions of covered healthcare organizations, and 2) healthcare organizations do have authority to use and disclose PHI for treatment, payment and operations without obtaining written consent, but still must get approval for other uses and disclosures.

Despite the important action, provider and payer organizations were left wanting more from the Department of Health and Human Services (HHS). The American Association of Health Plans, among others, urged HHS to act swiftly to also finalize the security rules under HIPAA, indicating that compliance will be smoother if privacy and security rules can be implemented at the same time.