So Many Rules, So Little Time

Proposal to modify HIPAA's patient-consent rule gives managers leeway

InformationWeek Staff, Contributor

March 30, 2002

2 Min Read
InformationWeek logo in a gray background | InformationWeek

A proposal to relax key provisions of the Health Insurance Portability and Accountability Act could ease the burden on technology managers in the health-care industry who are scrambling to meet an April 2003 deadline to implement the HIPAA rules.

The Department of Health and Human Services proposes to eliminate a part of the act's privacy regulations that requires written patient consent before health-care providers can use protected health information for treatment and billing. The proposed changes were published in the Federal Register last week and could become part of HIPAA after a 30-day public-comment period.

The changes "will eliminate crazy IT projects, like programs that force a patient to sign a consent form before making an appointment to see a physician," says John Halamka, senior VP and CIO of CareGroup Healthcare System, which operates six Boston-area hospitals. "We want to protect patient privacy but not reduce the quality of patient care."

CareGroup had planned to devote about $1 million in IT resources for HIPAA projects, including one that prevents office workers from scheduling appointments until a patient signs a consent form. "Before, we had to reprioritize mission-critical stuff for the sake of HIPAA," Halamka says. "Now we can redirect those projects for good-quality patient care."

The proposed rule change would let CareGroup redirect about $200,000 in resources this year to other projects, including work on a Web-based medical-records program that fosters better communication between doctors and patients, and among doctors. "We had to pull people off that project; now, we can put them back on it," Halamka says.

Another significant proposed change involves transactions with third parties. Currently, HIPAA requires all contracts between health-care providers and billing companies or service providers to include patient-privacy safeguards. HHS proposes that only new or renegotiated contracts get those safeguards by April 2003; existing contracts wouldn't need them until April 2004, giving both parties more time to upgrade their systems and processes.

The changes, if adopted, could be frustrating for some IT managers, says Alan Goldberg, an attorney at Boston law firm Goulston & Storrs and an expert in health-care law and technology. Says Goldberg, "If I were them, I'd be unhappy" because many have put in a lot of work complying with HIPAA's rules.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights