Health-care industry races to comply with new medical-privacy regulations.

• Author: KIRK, KIMBERLY SHORT

The Bush administration shocked health-care providers and health insurers on April 12 with the announcement it would not delay the effective date of sweeping medical-privacy regulations issued in the final weeks of the Clinton administration.

The health-care industry expected the effective date to be delayed for a number of sound reasons, including $26 million in campaign contributions by the health-care industry to Republicans during the 2000 election. Moreover, the most recent round of comments on the rules generated more than 24,000 responses. Even Tommy Thompson, secretary of the Department of Health and Human Services, stated in early April that delays were likely.

Now, most entities subject to the medical-privacy rule must race to comply with its byzantine maze of requirements. The rule affects hospitals, physicians and other health-care providers, health plans and health-care clearinghouses, known as "covered entities." Although employers generally are not subject to the rule, employers who sponsor self-insured health plans will have to comply within the next two years.

The starting line

In 1996, Congress passed the Health Insurance Portability and Accountability Act, which contained many mandates affecting health-care delivery. Included among the mandates were increased portability of health-insurance coverage and increased funding for the federal government to combat fraud and abuse.

HIPAA also contained certain provisions called, ironically, administrative simplification provisions. These were intended to make financial and administrative health-care transactions more efficient by creating national standards for exchanging health information. Congress worried that this ease of sharing medical information could compromise its security and privacy. Therefore, HIPAA directed the establishment of privacy standards.

Because Congress failed to enact a privacy statute the Department of Health and Human Services issue a proposed privacy rule in November 1999. This proposed rule elicited a staggering response of more than 52,000 comments. In December 2000, DHHS issued the final rule, which exceeded 350 pages. The governments accompanying explanation and responses to the flood of comments comprised 1,200 plus more pages.

The race

In general, HIPAA's medical privacy provisions regulate the use and disclosure of protected health information, or PHI. The definition of PHI consists of three parts. First, the information must have been created...