Thompson to Review HIPAA Privacy Rules

Published April 1, 2001

As one of his first major acts as the Bush administration’s new Health and Human Services Secretary, former Wisconsin Governor Tommy Thompson has postponed the effective date of privacy regulations called for by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The regulations were ordered by former President Bill Clinton and scheduled to become effective February 26. Thompson issued the delay on February 23, saying he would complete his review of the Clinton order by April 14 and would at that time set a new date for any of the changes he determines should go into effect.

“To ensure a thorough review of these important [privacy] issues, HHS is opening the final regulation to a 30-day public comment period,” said Thompson in his February 23 statement. “The department will review the comments it receives to determine whether changes in the final rule are needed.

“Our goal is to achieve privacy protection that works. I believe we should be open to the concerns of all those who care strongly about health care and privacy. And after we hear those concerns, our commitment must be to put strong and effective patient privacy protections into effect as quickly as possible.”

Armey Applauds Move

Thompson’s move was applauded by House Majority Leader Dick Armey (R-Texas), who had written a letter to Thompson urging that he suspend implementation of the privacy regulations. Under certain circumstances, Armey warned, the rules would allow the federal government to obtain personal, private medical information “at any time and without notice.”

In his letter to Thompson, Armey wrote, “It is not entirely clear to me how the new rules will address the real medical privacy harms currently suffered by patients not already covered by tort law or other remedies.” In fact, he added, they “may have the opposite effect, putting private personally identifiable information at greater risk than exists today.”

Armey cited the Department of Veterans Affairs as an example, noting that the department received a “D” from the House Government Reform and Oversight Committee for its inability to protect its computer systems from prying eyes.

What the Rules Do

Critics of the privacy rules ordered by Clinton warn they would allow doctors, hospitals, druggists, HMOs, and insurance companies to share personal medical information without a patient’s permission.

Although intended to improve the confidentiality of medical records, the regulations contain a provision that allows health care providers to use confidential medical information for selling their products. Under the proposal, doctors can share the information with a “business partner,” who can conduct marketing on behalf of a provider.

In an interview with, Bob Gellman, a medical privacy consultant and former congressional staffer, explained, “It’s perfectly legal under the rule for someone to knock on your door and say, ‘I’ve learned from your doctor you have hemorrhoids; would you like to buy this treatment?’”

The new rule does not permit the industry to do anything it cannot already do, as the federal government does not currently impose limits on the use of medical information for marketing purposes. Traditionally, ethical concerns and logistical impracticalities have prevented much marketing from taking place.

Gellman, however, thinks the new privacy rule should protect patients from this sort of marketing—not specifically authorize it in law. “You can only opt-out after you have been marketed to,” said Gellman. “I’ve been working on this issue for 20 years, and it’s the worst anti-privacy thing I’ve seen.”

Public Comment Required

The privacy rule was issued by the Clinton administration in December pursuant to HIPAA. Under the Congressional Review Act, before major regulations can take effect, a federal agency must submit to Congress a report containing a copy of the rule, the proposed effective date, and a concise general statement about the rule.

For the most part, regulations proposed in that way become effective 60 days after the later of two dates: (1) the date Congress receives the agency’s report; or (2) the date the rule is published in the Federal Register, if Congress takes no action in that time frame. The privacy regulation was published in the Federal Register on December 28, 2000. The agency’s report was not sent to Congress, however, until the week of February 12. For that reason, Thompson explained, the effective date of the regulation could be no sooner than mid-April.

“Under the Congressional Review Act,” explained Thompson, “HHS was legally required to submit this regulation for consideration by the Congress for a 60-day period. Due to an oversight under the prior administration, this requirement was not met. As a result of this oversight, the 60-day period of Congressional review did not begin until February 13, and therefore the effective date of the regulation has been delayed until April 14, 2001.”

The Health Insurance Association of America, in a statement issued February 23, expressed its appreciation for the Thompson move. “We commend the Bush Administration for deciding today to open up the Clinton Administration’s confidentiality regulations for further review,” said Dean Rosen, senior vice president of policy and general counsel for HIAA. “The fact that the Clinton administration did not follow the proper procedures for finalizing the regulations is strong evidence that they were adopted in haste.

“Health insurers and health plans support strong, uniform national standards that protect Americans’ private medical records from inappropriate use. Patients deserve strong confidentiality protections,” Rosen continued. “However, regulations approved in the waning hours of the Clinton administration would impose unnecessarily burdensome rules that would raise consumers’ costs and jeopardize health care quality.”