Standards
for Privacy of Individually Identifiable Health Information
II. Overview of the March 2002 Notice of Proposed
Rulemaking (NPRM)
As described above, through public comments, testimony at public
hearings, meetings at the request of industry and other stakeholders,
as well as other communications, the Department learned of a number
of concerns about the potential unintended effects certain provisions
would have on health care quality and access. On March 27, 2002,
in response to these concerns, and pursuant to HIPAA's provisions
for modifications to the standards, the Department proposed modifications
to the Privacy Rule (67 FR 14776). ]
The Department proposed to modify the following areas or provisions
of the Privacy Rule: consent; uses and disclosures for treatment,
payment, and health care operations; notice of privacy practices;
minimum necessary uses and disclosures, and oral communications;
business associates; uses and disclosures for marketing; parents
as the personal representatives of unemancipated minors; uses and
disclosures for research purposes; uses and disclosures for which
authorizations are required; and de-identification. In addition
to these key areas, the proposal included changes to other provisions
where necessary to clarify the Privacy Rule. The Department also
included in the proposed Rule a list of technical corrections intended
as editorial or
typographical corrections to the Privacy Rule.
The proposed modifications collectively were designed to ensure
that protections for patient privacy are implemented in a manner
that maximizes the effectiveness of such protections while not compromising
either the availability or the quality of medical care. They reflected
a continuing commitment on the part of the Department to strong
privacy protections for medical records and the belief that privacy
is most effectively protected by requirements that are not exceptionally
difficult to implement. The Department welcomed comments and suggestions
for alternative ways effectively to protect patient privacy without
adversely affecting access to, or the quality of, health care.
Given that the compliance date of the Privacy Rule for most covered
entities is April 14, 2003, and the Department's interest
in having the compliance date for these revisions also
be no later than April 14, 2003, the Department solicited
public comment on the proposed modifications for only
30 days. As stated above, the proposed modifications
addressed public concerns already communicated to the
Department through a wide variety of sources since publication
of the Privacy Rule in December 2000. For these reasons,
the Department believed that 30 days should be sufficient
for the public to state its
views fully to the Department on the proposed modifications
to the Privacy Rule. During the 30-day comment period,
the Department received in excess of 11,400 comments.
|
