Ober, Kaler, Grimes & Shriver, A Professional Corporation  
Ober|Kaler Health Law Alert - Fall 2005





GAO Reviews First Year Under Privacy Rule

John F. Lessner
410-347-7383
jflessner@ober.com

The GAO recently published a report on first-year experiences under HIPAA's privacy regulations (Privacy Rule), which became effective on April 14, 2003. 65 Fed. Reg. 82,462 (Dec. 28, 2000). The GAO looked at compliance concerns raised by various entities subject to the HIPAA Privacy Rule as well as patient advocates' experiences and enforcement/complaint statistics of HHS, the agency with oversight authority for HIPAA enforcement.

Provider and Health Plan Implementation
First, the GAO reviewed and discussed the experiences of health care providers' and health plans' implementation of the HIPAA Privacy Rule. The GAO found, through interviews with providers and health plans, that in the first year under the HIPAA Privacy Rule, implementation went fairly smoothly and, in fact, better than many plans and providers had expected. The providers' and plans' staff reported that many of the new privacy procedures had become routine practice and that confusion over privacy requirements had diminished. However, two provisions continue to remain problematic, creating confusion for providers' and plans' staff: the requirement to account for certain information disclosures and the requirement to develop agreements with business associates.

Tracking PHI Disclosures
The requirement to track and account for protected health information (PHI) disclosures is viewed as unnecessarily burdensome. Providers and plans report that significant time and resources are needed to establish and maintain systems to track disclosures. These requirements have necessitated the revision of systems to establish electronic links within larger health care systems and/or requirements to implement manual tracking mechanisms within existing electronic systems.

Moreover, providers and plans raised additional concerns regarding the tracking of disclosures of PHI and the sheer volume of disclosures they can incur from the requirement to account for them. Providers and health plans noted that, in particular, tracking of disclosures required by law significantly added to the volume of the disclosures that needed to be tracked. These "required-by-law" disclosures include disclosures to public entities to maintain disease registries, vital statistics, and other health databases. The volume of disclosures requiring tracking was contrasted by many providers with the observation that they have received few, if any, requests from patients to obtain an accounting of their disclosures. Some provider organizations suggested that, to reduce the burden of the accounting requirement, HHS modify the Privacy Rule to require covered entities to inform patients in the covered entities' notice of privacy practices that when required by law, the patients' PHI will be disclosed to public health organizations and law enforcement agencies, and then eliminate the requirement to account for these disclosures.

Business Associate Agreements
Both providers and health plans report that significant resources were required to implement the business associate agreement requirements of the HIPAA privacy regulations. Although many organizations report that the initial confusion as to what entities require execution of a business associate agreement was reduced and/or eliminated in the first year, there continue to be reports of uncertainty over the business associate agreement requirements. Many providers report that confusion remains over whether other health care providers are their business associates or are covered entities of a common patient for which no business associate agreement is required. The provider organizations recommend continued guidance from HHS on the requirements for business associate agreements. Some organizations report that many of their members have spent substantial amounts of time and money in developing thousands of business associate agreements. Moreover, some organizations report that business associates have requested specific and sometimes excessive details in the agreements, requiring many hours of negotiation and discussions over the terms of the business associate agreements.

The GAO notes that some providers attempted to avoid these problems by developing standard business associate agreements as addendums to their existing service agreements. Although some organizations reported that their members had excellent compliance and cooperation from entities in executing these agreements, other organizations reported the inability to require their business associates to enter into their standard agreement. Both providers and health plans have indicated their desire for more guidance from HHS to covered entities about when and how to enter into business associate agreements.

Effects of Accessibility Restrictions on Public Service Organizations
The GAO further identified concerns that the HIPAA Privacy Rule's restrictions on access to certain PHI may have raised inadvertent issues for public health entities, researchers, and patient advocates in obtaining information. Researchers as well as public health organizations have pointed to increased difficulty in obtaining patient data to conduct clinical or health services research. Patient advocates also identified obstacles to obtaining PHI from providers and plans on behalf of their clients. Many organizations that are involved in research or patient advocacy have found that providers are reluctant to share information without patient authorization, even when the privacy rules permit providers such discretion in disclosing information. It is interesting to note that the reason that was often cited for providers' reluctance to share such information was the burden of accounting for such disclosures.

Public Health Entities
State public health officials report to the GAO that the Privacy Rule has hindered access to patient health information because some providers are reluctant to report to public health authorities, for many of the reasons discussed above. Even though the Privacy Rule permits health plans and providers to report to public health authorities without a patient's authorization, the public health authorities nevertheless have experienced difficulty obtaining this information. Public health organizations have speculated that providers have a disincentive to report data to them because of the accounting requirement for any such disclosures. In addition, the organizations report that some providers were confused about the rule in that they believed they were permitted to report to public health agencies only when specifically required by federal or state law. Additionally, state health officials noted that providers often are concerned about legal action that might be taken against them if they provide public health information to public agencies. These providers often cited fear of liability associated with improper disclosure of PHI as the reason for declining participation. Organizations representing public health agencies indicated their desire that the Privacy Rule be amended to exempt reporting to public health agencies from the accounting provision.

Research Entities
Organizations representing research entities report that research studies have been delayed because of varying approaches that some providers take with respect to research and the attendant requirements under the HIPAA Privacy Rule. Organizations report that smaller providers with more limited administrative resources, such as small group practices and rural community hospitals, are reluctant to facilitate research studies because of a misunderstanding of the rule and the added burden of contacting patients. In addition, these providers also were concerned with the tracking/disclosure requirements with which they must comply when releasing information pursuant to the research provisions.

Significantly, the Association of American Medical Colleges, the Association of Clinical Research Organizations, and public health organizations, such as the Association of State and Territorial Health Officials, reported that guidance from the HHS/Office of Civil Rights (OCR) in the area of research does not address some of the key misunderstandings and fundamental problems associated with the HIPAA Privacy Rule's impact on research. They note that ambiguity remains in determining whether a health survey activity is considered health care operations or research and whether a public health entity's data request is part of its public health activities or for research. These organizations suggest that HHS should address some of these concerns through official revisions to the Privacy Rule or issuance of federal guidance as compared with the more general guidance that has been disseminated through the OCR website.

Patient Advocacy Organizations
Organizations representing patient advocates report that some of their members face new obstacles in seeking access to PHI on behalf of patients. These organizations attribute the problems, in part, to excessive paperwork, misunderstanding of the Privacy Rule, and reluctance by providers and health plans to share information with authorized representatives of individuals even when the Privacy Rule permits such discretion. The GAO notes that the Privacy Rule permits providers and plans some latitude in exercising professional judgment about when to disclose PHI to individuals serving as the personal representatives of patients. The GAO notes that providers and health plans have identified such factors as liability concerns and the burden of accounting for disclosures as the reasons for any reluctance.

Other organizations contend that, while some providers deny access, still others delay or restrict access by requiring the use of their customized authorization forms. These organizations assert that accessing patient information can be cumbersome if a patient's signature on multiple unique forms needs to be obtained for each provider. The American Health Care Association (AHCA) reported to the GAO that it found that some long-term care facilities have taken a strict approach to disclosing information and do not provide information to nursing home residents' own family members without patient authorization. AHCA notes that the Privacy Rule does not address the potential conflict with OBRA 1987 requirements that nursing homes notify families of incidents or significant changes in health status unless the resident exercises his or her right to privacy. Although the Privacy Rule may permit providers in certain situations to disclose such information based on professional judgment, it does not necessarily require such disclosure.

Patient Awareness
Many organizations reported to the GAO that patients are not aware of their privacy rights under the Privacy Rule, either because they do not understand the notice of privacy practices or they have not focused attention on privacy issues when presented with them. Certain advocacy groups including AARP, the Bazelon Center for Mental Health Law, and the Health Privacy Project, report that typical privacy notices drafted by providers and health plans are often difficult to read and understand. The Health Privacy Project, in particular, maintains that privacy notices are written primarily to protect providers and health plans from enforcement actions, rather than as a vehicle to inform patients. Interestingly, representatives of providers and health plans also stated that patients are largely unaware of their HIPAA privacy rights. Providers and plan organizations report that they believe patients treat their notice of privacy practices as one more piece of paper that they have to sign when they seek care. One organization noted that some physicians have placed boxes in their offices specifically for the purpose of recycling the privacy notices after patients discard them.

Both provider and consumer groups, however, agree that the public should receive more education about how their rights have changed. These groups agree that further HHS attention is needed to address the issue of privacy notices that are difficult for patients to read and understand. They suggest that HHS might highlight some key privacy rights under the Privacy Rule that notices should include so that patients can focus their attention on the one or two essential core elements of the Privacy Rule.

Privacy Complaint Trends
The GAO also looked at privacy complaints filed with HHS OCR to determine if there were any trends that were worth analyzing. During the first year of operation, consumers and other individuals filed 5,648 privacy-related complaints with OCR. Overall, about half of the complaints filed in the rule's first year were closed as of early May 2004. Data indicates that the most commonly cited category of complaint, at 56 percent, was "impermissible uses and disclosures." Further, 33 percent of the complaints cited inadequate safeguards for patient information and 17 percent reported problems with patients gaining access to their own health information. The two most commonly cited types of health care entities against which patients or advocates filed complaints were private physician practices, including dentists, chiropractors and similarly licensed health professionals, and hospitals. Hospitals accounted for 41 percent of the privacy complaints with information on entity type recorded.

The evaluation of closed cases revealed interesting data. The majority of the closed cases reviewed by the OCR — 79.1 percent — were determined not to be germane to the Privacy Rule and/or lacked sufficient information to process. Consequently, only approximately 20 percent of the closed complaints fell within the scope of the Privacy Rule, according to OCR. Half of those were substantiated by OCR's investigation and the provider or plan agreed to correct its policies or procedures. With respect to the remainder of the germane complaints, OCR determined that no violation had occurred. As of May 2004, OCR had not recommended any sanctions against a provider or health plan for privacy violations. However, the GAO notes that this remains a potential outcome for the first-year complaints that were still open at the time of its review.

GAO Recommendations
With respect to changes to address some of the concerns identified, the GAO recommends that HHS modify the Privacy Rule to (1) require that patients be informed in the notice of privacy practices that their PHI will be disclosed to public health authorities when required by law and (2) exempt such public health disclosures from the accounting requirements. In addition, the GAO recommends that HHS conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule. In its response to the GAO report, HHS notes that it has considered exempting mandatory public health reporting from the accounting requirement and is continuing to review the need to make such a change to the Privacy Rule. In commenting on the GAO's recommendation for a public information campaign to improve awareness of patients' rights, HHS agreed that the notice of privacy practices may appear too long and complicated and that consumers may not be reading their notices closely. HHS points to two new consumer fact sheets posted on its website on August 17, 2004, and the toll-free call-in line it established to respond to questions about the rule.

In conclusion, the GAO's report confirms, and indeed validates, many of the concerns providers have been articulating since the final HIPAA Privacy Rule was published. Providers continue to face significant administrative and operational challenges in implementing HIPAA privacy requirements on a day-to-day basis. Although HHS has acknowledged that concerns and confusion still exist as to implementation of specific Privacy Rule provisions, its responses to the GAO indicate the agency does not appear to be willing or prepared to make changes at this point. In light of HHS's intention, providers need to continue to monitor and assure their ongoing compliance with the HIPAA Privacy Rule and be vigilant in their adherence to the patient rights requirements.

Copyright© 2005, Ober, Kaler, Grimes & Shriver