Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information
T-HEHS-00-106: Published: Apr 26, 2000. Publicly Released: Apr 26, 2000.
Pursuant to a congressional request, GAO discussed the Department of Health and Human Services' (HHS) proposed rule on the confidentiality of patient health care information, focusing on: (1) the authoritative basis in the Health Insurance Portability and Accountability Act (HIPAA) statute for some of the approaches taken by HHS in the proposed rule; (2) the overall pattern of public responses to the rule among a selected group of 40 organizations representing different constituencies affected by the rule; (3) the views expressed by those organizations with respect to sections of the rule that prompted an especially large volume of comments; and (4) concerns that would require legislative action to address.
GAO noted that: (1) the regulatory strategies HHS adopted in the proposed rule seem consistent with HIPAA's purpose of protecting the privacy of health information and are legally permissible; (2) by requiring that entities directly regulated by the rule--health plans, health care providers, and health care clearinghouses (firms that put information into standard formats)--control the information practices of entities with which they do business, HHS has attempted to fill an otherwise significant gap in privacy protection; (3) for the same reason, HHS has covered the "paper progeny" of electronically maintained or transmitted health information--the privacy protections extended to individuals by HIPAA would be easy to circumvent if protected health information in an electronic record lost its protection merely by being printed; (4) HHS' decision to build flexibility into the proposed rule by allowing implementation of the standards to vary on the basis of an organization's size is also within its authority; (5) the stakeholders' comments to HHS reflected sharply divergent views on several critical issues; (6) most notably, patient advocates, state government representatives, and providers strongly supported the provision of the rule that preempts weaker state laws while leaving intact stronger ones; (7) meanwhile, health plans and employers emphasized the practical difficulties of implementing the complex interaction of federal and different state standards; (8) similarly, patient advocates and law enforcement officials approved of extending the rule's coverage from three types of entities subject to HIPAA regulation to business partners with whom these entities share protected health care data; (9) however, the covered entities themselves were wary of assuming the responsibility for enforcing compliance by these other groups; (10) in some cases, the changes desired by industry groups and patient advocates would require congressional action; (11) for example, HHS could not establish a uniform federal privacy standard preempting all applicable state laws unless HIPAA was amended; (12) only Congress could expand the rule's coverage to all types of entities that create, use, and share protected health information; and (13) for other proposed changes, such as coverage of records that had never been stored or transmitted electronically, it was less clear whether HHS could act without new legislation.