A Look Behind the Scenes of HIPAA and the Privacy Rule
by Doug Walter, J.D.
A major upshot of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a series of federal rules that have a considerable impact on providers and patients – their interactions, their rights, and their responsibilities. In sorting through the details and compliance requirements of the privacy rule in particular, it helps for practitioners to know something of the historical and political context in which HIPAA and the rules that resulted from this law took shape.
Under HIPAA, Congress tasked the Department of Health and Human Services (HHS) with developing federal rules that govern how patient records are handled, shared, and protected in the health care system. The “transactions rule,” the first rule promulgated by HHS, provides for standard formatting of electronic patient records for health care claims and other purposes. This rule benefits health professionals by making it easier for them to work with uniform rather than multiple claims forms. While more rules will follow, the “800-pound gorilla” of the series, the “privacy rule,” was finalized last April. The privacy rule provides some important protections for psychology records, with provisions that will impact the confidentiality of the psychologist-patient relationship.
The privacy rule may be divided into three parts. The provisions of the first part address when and how patient records may be used and disclosed among treating providers and to third parties. The second part provides patients with certain rights regarding their records, such as the right to access and amend records. The third part outlines administrative requirements that psychologists and other health care professionals and entities must follow in using and disclosing patient records.
In essence, the privacy rule affords psychologists new protections regarding the records of their patients, but it also requires psychologists to proactively ensure the protection of records through certain administrative requirements. These include, for example, providing patients with information about their privacy rights, implementing procedures to ensure records privacy, and securing records in offices.
While the privacy rule includes some requirements already contained in various state laws, some of the federal rule’s mandates are new. The rule may be understood, however, as providing a national “floor” of patient records protections upon which states may build further protections, since Congress has specifically provided that state laws providing for greater records protection will not be preempted by the federal rule.
Some may question why a federal privacy rule was promulgated in the first place, since many state laws already protect the privacy of patient records. The short answer is that state laws vary in the extent to which they protect patient records privacy, particularly mental health records. A federal floor of protection provides a baseline uniformity of records protection. The long answer is rooted in the history leading to promulgation of the privacy rule.
The Stage for Conflict Is Set
HIPAA legislation and rulemaking, including development of the privacy rule, have much to do with the emergence of managed care organizations (MCOs) in the early 1990’s as the primary payers for health care. Unlike insurers in the fee-for-service system, MCOs began demanding broad access to patient records for payment and administrative purposes. Patients and providers balked and fought to keep sensitive personal information outside of the claims-management process.
By the mid 1990’s, the insurance and business lobbies began pitching to Congress that a uniform, electronic patient records system to standardize health insurance claims processing, dubbed “administrative simplification,” would save the health care system billions of dollars and relieve the inefficiency and fragmentation in health care claims management. Insurers were also looking for a federal law that legitimized their demands for broad access to patient records. While organized psychology supported administrative simplification, it could not come at a cost to records privacy.
APA was at the forefront of groups concerned that the onerous MCO demands for patient records disclosures – often for administrative purposes not directly related to patient care – had eroded confidentiality. Provider and patient organizations advocated for privacy and security safeguards that would be needed if Congress were to mandate uniform electronic claims processing.
The stage for political conflict therefore was set by the time President Clinton included both patient records privacy and administrative simplification provisions in his “Health Security Act of 1993,” which failed to win passage. The inclusion of these provisions shed light on the bitter fight brewing between patients/providers and MCOs over control of records and foreshadowed the rancorous congressional debate to come. The underlying conflict, which continues to this day, was the force that shaped HIPAA law in general and the privacy rule specifically.
Battle Pits Provider Groups Against Insurers
The advocacy battle began in earnest when Senator Robert Bennett (R-Utah) introduced the “Medical Records Confidentiality Act” in late October 1995. The Practice Directorate was concerned by the Bennett bill’s bipartisan co-sponsorship by powerful members of Congress and by the strong support of insurers and other influential organizations. The concern arose from APA’s taking a careful look at the bill’s details. The directorate’s analysis revealed substantial weaknesses in protecting the rights of patients and providers with respect to the privacy of records. APA and allied groups mobilized to prevent the Bennett bill from being included in broader health care legislation that Congress also was seriously considering that fall. That broader legislation eventually was enacted as HIPAA.
A "Final" Rule Is Subject to Change
The political battle between insurance and patient and provider organizations continues to this day. President George W. Bush’s Administration put the HIPAA privacy rule into effect last April, though the rule itself gives HHS broad authority to make changes until April 2002. Early in 2001, there were indications that the Bush administration was considering gutting the rule, but officials backed down after intense pressure from patient and provider advocacy groups. Despite the delay in revising the rule, HHS has indicated that it will make changes sometime this spring. The Administration can make even further refinements, though very limited, in the final year before the compliance date for the privacy rule — April 14, 2003.
The insurance and hospital lobby, faced with the compliance burden on large health care facility providers, has requested changes to the privacy rule on several occasions. The suggested revisions have focused mainly on patient consent requirements and the assertion that the federal privacy rule should take precedence over, or preempt, related state laws.
From the APA Practice Organization’s perspective, such changes would weaken the patient protections afforded by the federal privacy rule. Psychology and other mental health advocates, independently and as part of the coalition known as the Mental Health Liaison Group (MHLG), have countered the insurance lobby efforts by repeated calls for preserving the rule’s privacy protections, and even expanding them. For example, the MHLG continues to urge that the special privacy protection given to “psychotherapy notes” as defined in the rule (see article on page 5) should be broadened to apply to other sensitive information such as psychological testing data.
For several months, the directorate’s government relations staff worked to educate Congress and the public about the need for a strong federal privacy bill, or at least a bill that would not undermine existing state privacy laws that protected patients’ rights. APA’s lobbying push successfully countered the insurance industry’s efforts to win inclusion of the Bennett bill in HIPAA. In place of the Bennett bill, Congress incorporated a few sentences into HIPAA to provide a timeline for action. Legislators gave themselves three years, until August 1999, to enact a federal law governing records privacy and further directed that HHS would establish a privacy rule within six months of Congress’ failure to meet its deadline.
Shortly after HIPAA’s passage, it became increasingly clear that the patient and provider lobbies and the insurance lobby were entrenched in polar positions. APA assessed that Congress would not likely pass legislation. While the association continued to advocate for appropriate privacy legislation in Congress, APA began focusing efforts on the Administration in anticipation of a rule from HHS. Organized psychology sought a rule that would recognize the particular privacy requirements of records associated with mental health treatment, including the need for heightened protection for psychotherapy notes and other mental health records.
Too Hot for Congress to Handle
Indeed, the privacy issue ultimately became too controversial for members of Congress to handle, and HHS ended up proposing a federal privacy rule in November 1999. It looked like a compromise for both sides of the debate. Insurers saw their broad access to records recognized in the proposed rule. At the same time, consumers and providers had won strong protections for records each time they were disclosed to insurers.
Throughout 2000, APA worked to ensure that the proposed rule’s strong patient protections were preserved in a final rule. Meanwhile, the insurance lobby pushed to void the rule or at least substantially weaken its protections. HHS released the final privacy rule in the last days of the Clinton Administration in much the same form as the proposed rule. The Practice Directorate considered the final rule a success, with qualification. For example, APA reiterated in written comments to HHS that the privacy rule allowed insurers too much access to records for administrative purposes not directly related to treatment. It appeared the conflict and compromise characteristic of the legislative and rulemaking processes was reflected in the final rule once it ultimately took effect last April.
The following chronology illustrates the major events and players related to the HIPAA law and the final privacy rule from HHS, from 1993 through 2001.