Health Information:
First-Year Experiences under the Federal Privacy Rule
GAO-04-965: Published: Sep 3, 2004. Publicly Released: Oct 4, 2004.
Contact:
(312) 220-7767
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
Issued under the Health Insurance Portability and Accountability Act of 1996, the Privacy Rule provided new protections regarding the confidentiality of health information and established new responsibilities for providers, health plans, and other entities to protect such information. GAO reviewed (1) the experience of providers and health plans in implementation; (2) the experience of public health entities, researchers, and representatives of patients in obtaining access to health information; and (3) the extent to which patients appear to be aware of their rights.
Organizations representing providers and health plans told us that implementation of the Privacy Rule went more smoothly than expected during the first year after most entities were required to be compliant. In addition, they reported that new privacy procedures have become routine practice for their members' staff. However, provider and health plan representatives also raised a variety of issues about provisions that continue to be problematic. In particular, many organizations emphasized that two provisions--the requirement to account for certain information disclosures and the requirement to develop agreements with business associates that extend privacy protections "downstream"--are unnecessarily burdensome. Some organizations suggested that difficulties with these provisions could be ameliorated with modification of certain provisions and further guidance from the Department of Health and Human Services' Office for Civil Rights (OCR).

Organizations reported a number of challenges faced by entities that rely on access to health information for public health monitoring, research, and patient advocacy. Public health entities noted that some states have had to take concerted action to ensure that providers' concerns about complying with the Privacy Rule do not impede the flow of important information to state health departments and disease registries. Some research groups asserted that the rule has delayed clinical and health services research by reducing access to data. Some consumer advocacy groups told us that patients' families, friends, and other representatives have experienced unnecessary difficulty in assisting patients. These groups perceived that while providers and plans are allowed, in certain cases, to disclose health information without written patient authorization, they are reluctant to do so.

Consumer and provider representatives contend that the general public is not well informed about their rights under the Privacy Rule. According to these organizations, patients may not understand the privacy notices they receive, or do not focus their attention on privacy issues when the notices are presented to them. Some evidence of patients' lack of understanding is reflected in the 5,648 complaints filed with OCR in the first year after the Privacy Rule took effect. Of the roughly 2,700 complaint cases OCR closed as of April 13, 2004, nearly two-thirds were found to fall outside the scope of the Privacy Rule because they either involved accusations of actions that were not prohibited by the regulation, involved entities that were not "covered entities" as defined by the Privacy Rule, or involved actions that occurred before covered entities were required to be compliant. Of those cases that were germane to the rule, OCR determined that about half represented cases in which no violation had occurred.
Recommendations for Executive Action
Status: Closed - Not Implemented
Comments: HHS continues to monitor the experience of covered entities regarding the accounting for disclosures provisions of the Privacy Rule to determine whether modification of the Rule is required. If HHS determines that a change in the Privacy Rule is necessary, it will issue a Notice of Proposed Rulemaking. However, HHS has not yet issued notice proposing changes to the Privacy Rule.
Recommendation: To reduce unnecessary burden on covered entities and to improve the effectiveness of the Privacy Rule, the Secretary of Health and Human Services should modify the Privacy Rule to (1) require that patients be informed in the notice of privacy practices that their information will be disclosed to public health authorities when required by law and (2) exempt such public health disclosures from the accounting-for-disclosures provision.
Agency Affected: Department of Health and Human Services
Status: Closed - Not Implemented
Comments: HHS Office for Civil Rights (OCR) continues to disseminate information to consumers through various means, including a toll-free call line and a website that now includes two new fact sheets and an expanded Frequently Asked Questions section. HHS OCR also has developed a Spanish-language fact sheet as part of a campaign to reach out to consumers in Hispanic-dominant communities. The efforts by HHS OCR do not appear to fulfill GAO's recommendation that it conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule.
Recommendation: To reduce unnecessary burden on covered entities and to improve the effectiveness of the Privacy Rule, the Secretary of Health and Human Services should conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule.
Agency Affected: Department of Health and Human Services