Who's Policing HIPAA?

October 1, 2002
Bob Keaveney

An interview with Robinsue Frohboese, principal deputy of the Office for Civil Rights, on HIPAA


Physicians frustrated by the long and ever-changing road to HIPAA compliance may well wonder if the government's only role is to make their lives and practices more complicated and regulated. Not so, according to Robinsue Frohboese, principal deputy of the Office for Civil Rights (OCR), Department of Health and Human Services (DHHS). Physicians Practice spoke with her about how DHHS is reaching out to help ease the way to the April 14, 2003 compliance deadline.

Q: There is the perception among many physicians that HIPAA is just another rule, just represents more government interference in their ability to practice medicine. How do you respond to that?

Frohboese: Certainly we are sensitive to that perception. [DHHS] Secretary Tommy Thompson's approach to heading up the department is to ensure that any regulatory requirements are workable and are achieving their intended purpose. It's for precisely that reason that, as one of his first acts in office, Secretary Thompson reopened the Privacy Rule for public comment to understand any issues or concerns that physicians may have.

We received more than 10,000 comments, and based on those, we identified areas where the rule was unworkable and had some significant, serious unintended consequences. We addressed these problems through modifications to the Privacy Rule published on August 14, 2002. And although the department is aware of concerns that physicians have raised, by the same token, it's very clear that physicians and groups like the AMA really do want to protect patient privacy and confidentiality.

In many respects, it's already ingrained in medical practice because it is a basic tenet of the Hippocratic Oath, so physician offices already have practices in place to protect patient privacy. Also, all states have laws regarding patient privacy and confidentiality, so physicians are accustomed to operating under requirements in this area.

Q: What do you mean by an "unintended consequence"?

Frohboese: The most common example is the consent provision. Everyone agreed that it interfered with pharmacists filling prescriptions, referrals to specialists, and providing treatment over the telephone.

For example, the requirement for written consent meant that you could not send a relative or friend to the drugstore to pick up a prescription until you first went there to sign a consent form. Similarly, if the patient was referred to a specialist, the patient had to sign a consent form before the specialist was even able to look at the patient's record to schedule an appointment. These clearly were unintended consequences of the way the consent provision was written. So we proposed a different approach where consent is optional, not mandatory, and will not stand as a barrier to patients being able to get the care they need.

Q: What specifically is the role of the OCR with regard to HIPAA?

Frohboese: The Office for Civil Rights is responsible for compliance and monitoring of HIPAA's Privacy Rule, but our monitoring and enforcement responsibilities really do not begin until the compliance date for the Privacy Rule, which for most covered entities is April 14, 2003. In the interim, however, we have been responsible for implementation of the rule and assisting covered entities in coming into compliance, providing outreach and technical assistance.

Q: Can you give some examples of this outreach and technical assistance?

Frohboese: We are developing extensive guidance that we will publish on the OCR Web site (www.hhs.gov/ocr/hipaa/) in the near future. It will be in the form of answers to frequently asked questions, and will cover all aspects of the Privacy Rule and reflect the modifications [made in August]. In addition, we are developing technical assistance material for various covered entities, including physicians.

We will provide easily understood and plain language brochures or handbooks with practical information about how to comply with the Privacy Rule, based on situations involving the use and disclosure of health information which is individually identifiable that physicians and other covered entities are likely to encounter. We also hope to produce instructional videotapes for physicians and other healthcare providers that will provide an overview of the rule and guidance.

Q: How do you determine what kind of information is useful to physicians?

Frohboese: Over the past year and a half we have received tens of thousands of comments about the Privacy Rule and thousands of inquiries over the phone and in writing, during meetings, and at conferences. We are using these questions and comments to come up with both general and specific frequently asked questions. All of this public input - and a lot of it has come from individual physicians - will form the basis of our technical assistance effort. We also will work with the healthcare industry and associations to ensure that we are targeting the correct issues and are providing helpful, real world information.

Q: What comment or question do you receive most frequently?

Frohboese: The number one issue raised by physicians is the desire to have clear, understandable information about the Privacy Rule, which is also one of OCR's chief goals. In particular, physicians want to know whether they are a "covered entity" that is subject to the rule and, if so, what does this mean for their practice? They want to know what safeguards they can put in place to ensure they are not impermissibly using or disclosing protected health information. Our activities are aimed at trying to help physicians find practical, nonburdensome, and cost-effective ways of complying with the rule.

For example, we have posted sample business associate contract provisions on our Web site in response to numerous requests for guidance in this area. Although any contract has to comply with state law, and our sample contract provisions do not replace consultation with a lawyer or negotiations between the parties to a contract, they are designed to help covered entities more easily comply with the requirements of the Privacy Rule. We will continue through our outreach to identify areas in which we can come up with useful, practical information that will help facilitate compliance.

Q: How can physicians put a positive spin on HIPAA?

Frohboese: We find that physicians understand and appreciate the importance of the Privacy Rule, want to make sure it is workable, as does the department. The benefit of the rule is that it establishes a national standard and a floor that gives guidance nationwide to physicians about how to protect patient privacy.

Send comments or questions to editor@physicianspractice.com.

This article originally appeared in the October 2002 issue of Physicians Practice.