Letter from Lawrence Smarr for the November 6-7, 2002 NCVHS Subcommittee on Privacy and Confidentiality Hearings

November 4, 2002

Susan McAndrew, J.D.
Sr. Health Information Privacy Policy Specialist
Office of Civil Rights
U.S. Department of Health and Human Services
Room 801, Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201
Via FAX: (202) 619-3437

Re: Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)

Dear Ms. McAndrew:

I write to alert you about an issue that has come up as we try to aid tens of thousands of health care providers to comply with the HIPAA Privacy Regulations. We know that the law and HHS implementation of the law are designed NOT to erect barriers to the efficient delivery of health care but that is exactly what is happening.

The Privacy Rule requires the physician to provide the Notice of Privacy Practices at the time of that first service delivery and to make reasonable efforts to obtain an acknowledgment of receipt. However, many physicians' first delivery of services to patients occurs in the hospital or nursing home or other facility outside their office, under circumstances that do not amount to an emergency. It is impractical to expect these providers to carry a briefcase full of forms and documents with them when the doctor walks into the hospital room to see the patient for the first time. HHS clearly contemplated a solution to this problem by providing for the option of an Organized Health Care Arrangement (OHCA) among the medical staff and the facility. Formation of an OHCA would allow a single Notice of Privacy Practices to be provided when the patient checks in to the hospital. However, in discussions with several health law attorneys, they are unanimous in concluding that they will be advising their hospital clients not to participate in any OHCAs. While I am not fully conversant with all the reasons for this advice, they have expressed concern about the practical inability of the hospital to control the privacy practices of a large and diverse medical staff, leaving the hospital exposed to possible legal responsibility for HIPAA complaints by patients upset with the conduct of a member of the medical staff. Another reason is concern about an OHCA increasing the hospital's exposure to vicarious liability for the malpractice of a member of the medical staff because it will be one more piece of evidence that the physician is an agent of the hospital.

Accordingly, I am asking HHS to acknowledge that this portion of the rule violates the fundamental principle that the law and its implementing regulations shall not interfere with the delivery of health care, and to acknowledge that the rule needs to be corrected/amended. Furthermore, and until that correction/amendment is accomplished, the duty to provide a Notice of Privacy Practices will not be enforced in the context of a first patient encounter outside the physician's office.

As you may recall the PIAA is a trade association of more than 60 professional liability insurance companies that are owned and/or operated by health care providers. Collectively, these companies insure more than 60 percent of America’s practicing physicians as well as dentists, hospitals and other health care providers. We appreciate the Department’s willingness to work with the PIAA and other members of the health care industry as we develop guidance and provide technical assistance so that providers can understand and comply with these new standards. The PIAA has mailed each of its member companies a guide (complete with sample forms) to aid in complying with the Privacy Rule so that they mayhelp their insureds.

We hope that this issue can be considered and addressed at the next possible opportunity. We stand ready to assist HHS and the Office of Civil Rights in publicizing any corrections/amendments and/or advisory on the problem.

Very truly yours,

Lawrence E. Smarr
President
Physician Insurers Association of America