INFORMATION


FAQs
Staff
Board
Work Teams
Code of Ethics
Governance
News Releases

Chapters Calendar
Chapters Finder
Chapters Resources


Annual Conference
Audio Conferences
Barton Certificate Modules
Online Education
Patient Safety Curriculum
Faculty Opportunities

News and Archives


U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy – P, Room G-322A
Hubert Humphrey Building
200 Independence Avenue SW
Washington, DC 20201

February 16, 2000

Re: Proposed Rule on the Standards for Privacy of Individually Identifiable Information, Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Dear Mr./Madam Secretary:

On behalf of the American Society for Healthcare Risk Management (ASHRM), we appreciate the opportunity to comment on the notice of proposed rule-making regarding standards for privacy of individually identifiable health information. As the preeminent society for healthcare risk management, ASHRM strives to promote collaboration with governmental agencies by contributing specific knowledge and expertise from a healthcare risk management perspective. We hope that you will find these comments useful in your endeavors:

  • There is a potential threat to patient care delivery by allowing patients to request that certain protected health information be restricted from further use or disclosure.

Recommendation: ASHRM suggests consideration of either the development of standardized criteria by which specified health information may be restricted from further use or disclosure, or a statement that there are no exceptions. Patients’ restriction of the use of their information should be limited to non-emergency situations and be limited to clinical information only. It is very difficult to limit scheduling information and some billing information. This would require changes to many organizations’ systems to eliminate this information from reports.

  • There is potential ambiguity of who may be classified as a "business partner" and the limits on their ability to use the information they receive from the covered entity.

Recommendation: ASHRM suggests clarification of the term "business partner" and specific limitations on their ability to use the information that they receive from the covered entity. Organizations need to have the ability to contract with individuals and organizations to complete clinical studies, provide clinical expertise, to increase access to experts and quality of care. This needs to be preserved.

  • There is potential confusion about requiring each individual provider within a health care system that includes multiple covered entities to have separate authorizations for the same purpose.

Recommendation: ASHRM suggests consideration of allowing all "authorized" providers within a health care system that includes multiple covered entities to have the same authorization for the common purpose.

  • There is potential for confusion regarding disclosure for judicial and law enforcement purposes, uses for government health data systems, directory information, research, and accounting of disclosures.

Recommendation: ASHRM suggests consideration of further limitations and specification on the disclosure of information, in order to minimize opportunities for breach of confidentiality (i.e., a requirement for legal process versus just verbal assurances of the requesting officer).

  • While there is a provision that absolves the covered entity of any liability if an employee or other person associated with a business partner discloses protected health information to a law enforcement official, oversight agency or an attorney if they believe the information is evidence of a violation of law, there is an absence of process parameters for a "member of the workforce" to give an oversight or law enforcement agency or legal counsel individually identifiable health information if they believe any law has been violated (whistleblower provisions).

Recommendation: ASHRM suggests the incorporation of a clause which addresses rules for a "member of the workforce" to give an oversight or law enforcement agency or legal counsel individually identifiable health information if they believe any law has been violated.

  • There is a need to broaden the definition of "healthcare operations" to incorporate incident reporting and investigative activities.

Recommendation: ASHRM suggests the incorporation of incident reporting and investigative activities in the description of "healthcare operations."

  • In the section exempting information "prepared in anticipation of litigation", there is an absence of protection of risk prevention data that is gathered about incidents.

Recommendation: ASHRM suggests the incorporation of the protection of data that is gathered in the course of incident investigation or other risk prevention activities.

  • All should be held to strict compliance, including federal, state and local government, as well as private entities and agencies.

Recommendation: In order to effect compliance with laws that would apply in a particular state, ASHRM suggests the incorporation of a process to give covered entities guidance towards such compliance.

  • A great deal of revision of current policies is required, as well as creating many new policies and educating staff on the new policies and regulations.

Recommendation: The implementation date should take into consideration ample time for organizations to develop pertinent policies and education.

ASHRM would like to acknowledge the following contributors to the analysis found in this response: Jeffrey F. Driver, JD, MBA, FASHRM, Chair, ASHRM 2000 Advocacy Committee; Sally T. Trombly, RN, JD, member, ASHRM 2000 Advocacy Committee; Jill Callahan Dennis, JD, RHIA, Chair, ASHRM 2000 Confidentiality Tool Kit Task Force; Susan Kell, RN, BSN, Chair, ASHRM 2000 Legislative & Regulatory Committee; Arthur Carlo, member, ASHRM; and Jack Bradford, member, ASHRM. Our Society is indebted to these healthcare risk management professionals for their suggestions.

If you have any additional questions about these comments, or if ASHRM can be of any further assistance at any time, please feel free to either contact me at (804) 334-0715, or Pamela J. Para, BSN, RN, MPH, Director of Professional & Technical Services, ASHRM, by telephone at (312) 422-3982 or via e-mail at ppara@aha.org. Thank you for your consideration!

Sincerely,
Fay Rozovsky
Fay Rozovsky, JD, MPH, DFASHRM
President

This page and all contents are Copyright 1997-00 by the American Society for Healthcare Risk Management, Chicago, IL 60606
Prepare with the CPHRM Study Guide CPHRM Logo