Covered Entities Must Comply by April 2003
Secretary Tommy G. Thompson of the Department of Health and Human Services (HHS) released a statement on April 12, 2001 indicating that the effective date of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules (the Final Rules) will not be delayed and the rules will be effective without changes on April 14, 2001.
Although the Final Rules were published on December 28, 2000, due to a HHS procedural error, the effective date was delayed until April 14, 2001. Secretary Thompson took advantage of the delay by reopening the Final Rules for comment. There was wide speculation in the health care industry about whether the effective date would be delayed again and about whether Secretary Thompson would make substantive changes to the Final Rules.
Despite rumors of impending delays or changes, Secretary Thompson announced that HHS would "…immediately begin the process of implementing the [Final Rules] that will give patients greater access to their own medical records and more control over how their personal information is used." This appears to indicate that the effective date of the Final Rules will remain April 14, 2001.
Health care providers, clearinghouses and most health plans will need to become compliant with the Final Rules by April 14, 2003. Small health plans will have an additional year to comply.
Secretary Thompson indicated that HHS will adjust some aspects of the Final Rule over time. First, he indicated that HHS would begin to issue guidelines on how the Final Rules should be implemented, which will allow HHS to clarify potential confusion. Second, Secretary Thompson indicated that HHS will consider changing certain aspects of the Final Rules over time, noting potential modifications for pharmacists to fill prescriptions over the phone, to facilitate physicians consulting with specialists and to enable parental access to children’s sensitive health information.
However, covered entities cannot afford to delay compliance until additional changes to the Final Rules are proposed. Many health care providers have postponed their compliance efforts until Secretary Thompson’s decision. These organizations will need to begin immediately to learn how the Final Rules impact their operations, assess their current level of compliance with the Final Rules and begin to implement changes.
McDermott Will & Emery's lawyers advise clients with respect to the wide ranging issues arising from HIPAA's requirements and can offer a host of pragmatic tools and services necessary to assist in compliance with these new and complex rules. In addition to our general counseling, our services include the following:
- On site comprehensive HIPAA interpretation and implementation sessions with management personnel
- A privacy audit checklist and assessment
- A customized privacy compliance plan based on the results of the initial audit and gap analysis
- Administrative policies and procedures for privacy and security
- Training sessions and educational materials for personnel
Contract addenda for use with business associates
- Consent and authorization forms for use with patients and customers
Introductions to businesses that provide technical security solutions
Our other HIPAA activities have included the following:
- Lobbying Congress and HHS on the policies and language of the privacy regulations, including meetings with members of Congress, members of the HHS drafting team and other major industry representatives and coalitions
- Preparing and filing comments on the proposed and final privacy regulations for national clients, including an alliance of over 1,000 hospitals and health systems
- Initiating a gap analysis for the implementation of the privacy regulations for health providers
- Analyzing provider agreements to identify business associate amendments that will be required by the privacy and proposed security regulations
- Assisting a major teaching hospital's chief information officer in analyzing the proposed security, transaction and code sets, electronic signature and privacy regulations in order to estimate their impact on the hospital's budget and operations
- Authoring an opinion letter for customers of a disease management and health data company on the ability of hospitals to continue to transmit patient data after the privacy regulations become final
- Advising a health research organization on the ownership of patient tissue samples and consent requirements in light of proposed privacy regulations
- Advising a major health insurance company on the development of its software and website for the sale of online health insurance in regard to security and privacy regulation compliance
- Preparing a software development contract for a joint venture of hospices to ensure that software will be compliant with HIPAA requirements, including chain of trust provisions required by the proposed privacy and security regulations
- Providing on site educational and HIPAA training sessions to a large health care system and provider associations
In addition, our lawyers have presented numerous seminars on privacy and security and have authored articles in industry publications. Our lawyers sit on a variety of boards and advisory groups on privacy and security, including the Board of Directors of the nonprofit Privacy Officers Association, of which McDermott, Will & Emery is a founding member.