17 February 2000

The Honorable Margaret Ann Hamburg

Dear Secretary Hamburg:

The Institute of Electrical and Electronics Engineers-United States of America (IEEE-USA) is pleased to submit these comments regarding the 45 CFR Parts 160-164 Proposed Rule. The IEEE-USA has been a strong advocate for enactment of comprehensive Federal legislation to protect the security and confidentiality of personal health information. For your information, we enclose copies of our position papers, "Privacy and Universal Identification Numbers" (http://www.ieeeusa.org/documents/forum/library/positions/priuniv.html) and "Principles for Privacy, Confidentiality, and Security of Personal Health Information" (http://www.ieeeusa.org/forum/POSITIONS/healthinfo.html). The IEEE-USA also asks you to give serious consideration to similar comments and recommendations from the American Medical Informatics Association.

We believe that the use of computerized patient record systems in electronic health information networks holds great promise to improve the quality of health care while reducing its cost. However, this will happen only if the public is confident that safeguards exist to protect the security and privacy of individually identifiable health information. We appreciate that, while Congress was unable to pass comprehensive confidentiality legislation, the Department of Health and Human Services has produced proposed standards for the protection of individually identifiable health information, pursuant to Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We are submitting the following comments for your consideration. In addition, we make suggestions for additional legislative action that we believe will add to patient privacy protection.

1. § 160.102(b) Applicability.
The legislative provisions that identify covered entities as a) health plans, b) health care clearinghouses, and c) health care providers who transmit health information in electronic form do not, in our view, deal adequately with the status of information given to patients. First, patients are not covered entities (or business partners). While § 164.506(a)(2)(i) requires a covered entity to disclose protected health information to patients who ask for it under § 164.514, the fact that individuals are not covered entities creates ambiguities about the status of protected health information in the hands of patients. The proposed rule, as now written, appears to end a physician's responsibility as a covered entity to protect a patient's protected health information when the physician discloses that information to the patient, who is not a covered entity. Moreover, the precise point at which the physician's responsibility ends is not specified. Thus, for example, a physician who faxes positive HIV lab results to one of his patients at that person's office could be held liable under HIPAA because a third person at the patient's office read the fax and divulged the information. We believe that the proposed rule should clarify the status of protected health information when a covered entity discloses it to a patient, and specify exactly when the covered entity's responsibilities end. With regard to the latter point, we suggest that the covered entity's responsibilities for information disclosed to patients end at the beginning of transmission of the information: a fax sent or a letter mailed. However, the covered entity should also take reasonable measures to ensure that the patient is warned beforehand that the transmission mechanism is not secure, and is given a choice of a more secure transmission mechanism.

2. § 160.103 Definitions - Health Care.

"Health care" is defined, and that definition is used to define what a health care provider (a covered entity) does.
However, the definition of "health plan" (also a covered entity) refers to the provision of or payment for "medical care," which is not defined. We recommend that the definition of "health plan" be revised to refer to providing or paying the cost of "health care" (which is defined) rather than "medical care" (which is not).

3. § 160.103 Definitions - Transactions.

The "transaction" definitions do not include information about pharmaceutical prescription and use, that is, individually identifiable health information collected by pharmacy benefit managers. Nor do they include information that health insurance companies share with one another through industry clearinghouses about individual insurance applications and claims. We recommend that the definition be enlarged to include this information specifically.

4. § 164.504 Definitions - Business Partners.

We endorse the concept of "business partners" as a means of extending the limited reach of the defined "covered entities" to all health industry participants that handle individually identifiable health information. However, the language used in the second sentence of the definition, which spells out what the definition includes, conveys the notion that the list is inclusive and complete. We believe that the language should not convey this implied limitation. We recommend that the phrase ", but not limited to," be inserted between the words "including" and "lawyers" in the second sentence.

5. § 164.504 Definitions - Protected Health Information.

Paragraph One of this definition defines "electronically transmitted" and "electronically maintained" individually identifiable health information, functions carried out by covered entities. We believe that there are two flaws in this definition, both of strategic importance. The definitions of "electronically transmitted" and "electronically maintained" individually identifiable health information specify that the key definer is the role of a computer in transmitting or maintaining health information.
The first problem is that the computers and microprocessors used in many medical devices regulated by the FDA would meet this definition. Applying this definition to such devices would mean that implementing changes in device hardware, software or firmware would require FDA approval or clearance. If this is intended, we believe that the implementation timetable of two years is extremely unrealistic, given the FDA's regulatory procedures and timetables. In any event, we recommend that the final version of the proposed rule be coordinated with the FDA. The second problem also arises from the definitions of "electronically transmitted" and "electronically maintained." We believe that these definitions are technically flawed. Stipulating that a computer's involvement defines what is electronically transmitted or maintained implies that computers are not involved in analogue electronic transmissions: wired and wireless voice telephony, fax-to-fax communications, and satellite communications. The fact is that computers are involved in all modern electronic networks, and the distinction drawn in the Proposed Rule is increasingly meaningless. We make one recommendation to solve both problems: we recommend that Section One, defining "electronically transmitted" and "electronically maintained" individually identifiable health information, be deleted.

6. § 164.524 Effective Date.

We believe that the requirement for implementation within 24 months for covered entities (36 months for small health plans) following the effective date of the rule is extremely unrealistic. While the Department of Health and Human Services has not yet so stated, it is widely expected that the rules for security and privacy will be combined, with a 24/36 month implementation requirement. We believe that the envisioned timetables will prove to be unachievable for two reasons.
First, there is widespread conviction that the costs of compliance, as estimated in the HIPAA NPRM, are far too low. Should this prove to be true, covered entities will be faced with a severe conflict between timely compliance and financial viability. Second, the legal and insurance communities are gearing up for the prospect that compliance enforcement will gradually drift into a certification regime. JCAHO and NCQA have already announced that they intend to incorporate security standards into their accreditation and review processes. And, as we have stated above, the FDA will have to exercise its regulatory responsibilities over medical devices under its jurisdiction that also fall under HIPAA. Evolution of a certification regime will be time-consuming and will delay compliance. We recommend that the Effective Date be divided into three phases, each timed to provide vigorous but reasonable compliance:
This concludes our comments on the proposed rule. As we noted at the outset, we believe that the HIPAA legislation is inadequate in its provision of security and privacy for health information. We recommend that the Department of Health and Human Services seek additional legislation.

First, and most important, this proposed rule excludes paper records. We believe this exclusion creates two kinds of problems. The first is that health care providers will have to partition their individually identifiable health information into pure paper records (not subject to HIPAA) and computerized information generated by clinical information systems, practice management systems and claims information submitted through billing agents and health care clearinghouses (which is subject to HIPAA). This artificially imposed partition will create a severe administrative record-keeping burden on health care providers that will result in increased health care costs. The second problem is that the partitioning of record-keeping requirements will create a disincentive for health care providers to upgrade from paper patient records to electronic patient records, an important goal of the Health Care Financing Administration. We recommend that HIPAA be amended to include all health information, perhaps over a time-phased regime.

Second, the definition of covered entities in HIPAA is too restrictive. For example, these entities do not include pharmacy benefit managers or health insurance clearinghouses, which assemble and catalogue large volumes of individually identifiable health information with virtually no restrictions on its use. The proposed rule sidesteps this problem in § 164.504 Definitions - Business Partners (see item 4 above), which may include health information databases such as pharmacy benefit managers.
We recommend, however, that the Department of Health and Human Services seek legislation that enlarges the definition of covered entities to include all entities that may have access to individually identifiable health information, without exception.

IEEE-USA promotes the careers and public policy interests of the nearly 230,000 U.S. members of The Institute of Electrical and Electronics Engineers, Inc., the world's largest technical professional society. Thank you for the opportunity to provide these comments on this important regulation. If you have any questions or would like further information, please contact Deborah Rudolph at (202) 785-0017.

Sincerely,

Merrill W. Buckley, Jr.
The Institute of Electrical and Electronics
Engineers - United States of America

Last Update: 18 Feb. 2000

Permission to copy IEEE-USA policy communications is granted for non-commercial uses with appropriate attribution, unless otherwise indicated.