HIMSS Supports Final Changes to HIPAA Privacy Rule; Organization's Concerns Addressed in Revisions

8/14/2002

From: Tarsis Lopez of HIMSS, 312-915-9237 or tlopez@himss.org

CHICAGO, Aug. 14 --- The Healthcare Information and Management Systems Society (HIMSS) has written a letter of support for the final version of the new privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA), which was released today by the federal government.

The Society said the 442-page document, released by the Office of Civil Rights of the Department of Health and Human Services (HHS), will help provide strong patient privacy protections while correcting unintended consequences that could have threatened patients' access to healthcare.

The amendments proposed in the final privacy rule make important changes to the HIPAA privacy regulations, which are scheduled to go into effect in April 2003.

HIMSS has monitored and offered written feedback throughout the rulemaking process. It was able to draw on the expertise of its members, who are professionals within the healthcare information technology field.

"HIMSS is pleased the new privacy rule is now finalized," said HIMSS President and CEO H. Stephen Lieber. "I have written a letter to the Secretary of Health and Human Services on behalf of HIMSS applauding the administration for taking substantive input from all interested parties, including HIMSS, and issuing a fair final rule."

Lieber said the organization hopes the rules are a starting point for protecting medical records and other personal health information maintained by healthcare providers, such as hospitals, health plans, health insurers, and clearinghouses, which process financial transactions for healthcare.

In its comments on the privacy regulations, HIMSS had focused on three key areas in suggesting potential changes -- consent and notice provisions; provisions relating to the "minimum necessary" standard; and provisions on the use and disclosure of protected health information for research as well as approaches to de-identification.

"Overall, the final rule has adequately addressed all three areas of concern to HIMSS," Lieber said. "It appears that a balance has been successfully reached."

The final rule makes some changes regarding consent and notice provisions. It requires covered entities to provide patients with notice of the patient's privacy rights and the entity's privacy practices, but does not contain mandatory written consent requirements that could have inhibited patient access to healthcare.

The final rule also exempts from the minimum necessary standards any uses or disclosures of information for which a covered entity has received an authorization. HIMSS believes that those minimum necessary requirements still in effect will ensure an individual's privacy for most other uses and disclosures without hampering customary and necessary communication of healthcare practices.

Finally, the new privacy rule will help researchers by requiring the use of a single combined form to obtain informed consent for authorization to use or disclose protected health information for such research. Those who crafted the final regulations incorporated changes suggested by HIMSS for the use and disclosure of protected health information for research.

------ About the Healthcare Information and Management Systems Society (HIMSS) The Healthcare Information and Management Systems Society (HIMSS) provides leadership in healthcare for the advancement and management of information technology. Headquartered in Chicago, HIMSS provides services to more than 13,000 members, including IT healthcare corporations, firms and professionals from around the globe. Through the collaboration of 41 chapters and 20 special interest groups, HIMSS directs and shapes the healthcare industry, encourages emerging technology and promotes public policies that will improve healthcare delivery. For more information, visit HIMSS at http://www.himss.org.