Study: Privacy laws don’t impede access to patient data for treatment, quality

The federal Health Insurance Portability and Accountability Act, which continued to allow states to have privacy laws more stringent than the federal standard, has not prevented health care providers from using personal health data to treat patients and enhance health care quality, according to a new study funded by the Robert Wood Johnson Foundation. Researchers affiliated with George Washington University School of Public Health and Health Services reviewed federal and state court decisions from 1996-2006 involving HIPAA.

According to the authors, none of the cases specifically involving questions of conflict between state and federal requirements concerned the denial of a health care provider’s access to health information to treat patients, improve quality or disseminate information for transparency purposes. The authors say they found no evidence from these legal decisions that more stringent state laws preclude securing necessary data at the point of treatment or including health information in electronic databases used for quality improvement or transparency.

Statement on the HIPAA enforcement rule

Hospitals are concerned that the Department of Health and Human Services general counsel's proposed HIPAA enforcement rule increases the potential liability exposure of all covered entities and may result in the imposition of civil money penalties that significantly exceed the statutorily permitted maximum penalty. The rule's proposed methodologies for determining violations of Health Insurance Portability and Accountability Act regulations and the amount of any penalty are not easy to understand and do not provide covered entities with sufficient information to predict and limit their liability.

Provisions imposing liability on a covered entity for the violations incurred by individuals and organizations over whom the covered entity may be able to exercise little real control inappropriately expands the liability exposure of all covered entities. Hospitals are also encouraging HHS not to publicize the identity of civil money penalty recipients, saying the negative and unintended effects would far outweigh any alleged benefit, and endorse HHS' continued emphasis on voluntary compliance.