Health Information:

First-Year Experiences under the Federal Privacy Rule

GAO-04-965: Published: Sep 3, 2004. Publicly Released: Oct 4, 2004.

Contact:

Kathleen M. King
(312) 220-7767
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Issued under the Health Insurance Portability and Accountability Act of 1996, the Privacy Rule provided new protections regarding the confidentiality of health information and established new responsibilities for providers, health plans, and other entities to protect such information. GAO reviewed (1) the experience of providers and health plans in implementation; (2) the experience of public health entities, researchers, and representatives of patients in obtaining access to health information; and (3) the extent to which patients appear to be aware of their rights.

Organizations representing providers and health plans told us that implementation of the Privacy Rule went more smoothly than expected during the first year after most entities were required to be compliant. In addition, they reported that new privacy procedures have become routine practice for their members' staff. However, provider and health plan representatives also raised a variety of issues about provisions that continue to be problematic. In particular, many organizations emphasized that two provisions--the requirement to account for certain information disclosures and the requirement to develop agreements with business associates that extend privacy protections "downstream"--are unnecessarily burdensome. Some organizations suggested that difficulties with these provisions could be ameliorated with modification of certain provisions and further guidance from the Department of Health and Human Services' Office for Civil Rights (OCR).

Organizations reported a number of challenges faced by entities that rely on access to health information for public health monitoring, research, and patient advocacy. Public health entities noted that some states have had to take concerted action to ensure that providers' concerns about complying with the Privacy Rule do not impede the flow of important information to state health departments and disease registries. Some research groups asserted that the rule has delayed clinical and health services research by reducing access to data. Some consumer advocacy groups told us that patients' families, friends, and other representatives have experienced unnecessary difficulty in assisting patients. These groups perceived that while providers and plans are allowed, in certain cases, to disclose health information without written patient authorization, they are reluctant to do so.

Consumer and provider representatives contend that the general public is not well informed about their rights under the Privacy Rule. According to these organizations, patients may not understand the privacy notices they receive, or do not focus their attention on privacy issues when the notices are presented to them. Some evidence of patients' lack of understanding is reflected in the 5,648 complaints filed with OCR in the first year after the Privacy Rule took effect. Of the roughly 2,700 complaint cases OCR closed as of April 13, 2004, nearly two-thirds were found to fall outside the scope of the Privacy Rule because they either involved accusations of actions that were not prohibited by the regulation, involved entities that were not "covered entities" as defined by the Privacy Rule, or involved actions that occurred before covered entities were required to be compliant. Of those cases that were germane to the rule, OCR determined that about half represented cases in which no violation had occurred.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: HHS continues to monitor the experience of covered entities regarding the accounting for disclosures provisions of the Privacy Rule to determine whether modification of the Rule is required. If HHS determines that a change in the Privacy Rule is necessary, it will issue a Notice of Proposed Rulemaking. However, HHS has not yet issued notice proposing changes to the Privacy Rule.

    Recommendation: To reduce unnecessary burden on covered entities and to improve the effectiveness of the Privacy Rule, the Secretary of Health and Human Services should modify the Privacy Rule to (1) require that patients be informed in the notice of privacy practices that their information will be disclosed to public health authorities when required by law and (2) exempt such public health disclosures from the accounting-for-disclosures provision.

    Agency Affected: Department of Health and Human Services

  2. Status: Closed - Not Implemented

    Comments: HHS Office for Civil Rights (OCR) continues to disseminate information to consumers through various means, including a toll-free call line and a website that now includes two new fact sheets and an expanded Frequently Asked Questions section. HHS OCR also has developed a Spanish-language fact sheet as part of a campaign to reach out to consumers in Hispanic-dominant communities. The efforts by HHS OCR do not appear to fulfill GAO's recommendation that it conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule.

    Recommendation: To reduce unnecessary burden on covered entities and to improve the effectiveness of the Privacy Rule, the Secretary of Health and Human Services should conduct a public information campaign to improve awareness of patients' rights under the Privacy Rule.

    Agency Affected: Department of Health and Human Services

 
