Privacy Rule Would Be Detrimental to Patient Care, ASHP Tells HHS
March 30, 2001
U.S. Department of Health and Human Services
To Whom It May Concern:
The American Society of Health-System Pharmacists (ASHP) welcomes the opportunity to provide comments on the Department of Health and Human Services' (DHHS) final rule entitled "Standards for Privacy of Individually Identifiable Health Information." This final rule was published in the Federal Register on December 28, 2000, but was reopened for public comment by a Federal Register notice of February 28, 2001. ASHP is the 30,000-member national professional association that represents pharmacists who practice in hospitals, health maintenance organizations, long-term care facilities, home care agencies, and other components of health care systems.
ASHP has comments on the following provisions of the December 28, 2000, final rule:
Section 164.506Consent for uses or disclosures to carry out treatment, payment, or health care operations
In its discussion of Section 164.506, the preamble to the final rule (page 82510) admits that DHHS made "significant changes in the final rule with respect to uses and disclosures of protected health information" from what the department had included in the proposed rule of November 3, 1999. Under the final rule, "a covered health care provider must obtain the individual's consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations." This was not the requirement in the proposed rule. This new requirement places an undue and unnecessary burden on pharmacies, and has the potential to detrimentally affect patient care.
In addition, a major concern is that the consent requirement delineated in the final rule was not subject to a meaningful public notice and comment period. Health care providers did not have an opportunity to comment on how this confusing and burdensome procedure would affect patient care or the services provided by pharmacists and pharmacies.
Requiring a signed patient consent form before a pharmacist can use (e.g., fill a prescription) protected health informationsuch as a prescription phoned in by a prescriber or brought into a pharmacy by a patient's family memberis clearly not the intent of the final privacy rule. However, a strict reading of the rule would give it that meaning. Complying with this procedure would cause increased waiting times; inconvenience to homebound, elderly, and disabled patients; and reduced quality of care. There should be some consideration given to the concept that there is "implied consent" when a patient selects a given pharmacyi.e., that the patient has consented that this pharmacy can use his or her protected information for treatment and payment for these services.
Pharmacists also rely on patient identifiable information to protect the patient against inappropriate medication uses. This review process is not always apparent to the patient. Regulations that protect patients from the inappropriate disclosure of their medical information must not hinder the systems that are designed to improve the quality of patient care.
Within health systems, there are inpatient dispensing and clinical services that utilize data. There may also be ambulatory settings with outpatient pharmacies and clinics where both pharmacist and pharmacy services are provided. The problem with the December 28 final rule is that, because there are many contingent factors that are fact specific, the rule will be confusing. Each individual setting will have to determine if, for any specific function, it is a direct or indirect provider, does the consent or authorizations obtained on the inpatient/or outpatient side transfer back and forth allowing the continued use of the information in each of the varied settings, or does the pharmacist or pharmacy need to obtain separate approvals in each environment.
For example, is protected information obtained through a patient's interaction with a pharmacist in an outpatient clinic allowed to be used by the outpatient dispensing pharmacy, or does the pharmacy need a separate consent? In another common scenario, when third parties contract with the health system to provide servicessuch as a management company operating either the inpatient or outpatient pharmacy servicehow does consent "flow" in this situation, both for the manager and its employees as well as for the institution, and what is permissible use or sharing of information that results from this relationship? Or for another example, what about the clinical pharmacist who may or may not be employed by the institution or outpatient clinic, or what if the health system contracts for outpatient pharmacy services with an independent pharmacy company?
It is unclear, because of all the varied and many organizational structures currently existing, how the pharmacy or pharmacist is to know with any consistency when consent or authorization is required and when the information may be shared or used in the continuum of treatment without the added layer of further consents or authorization.
ASHP has always supported the development, either by Congress or DHHS, of uniform national privacy rules. In a policy statement on the "Confidentiality of Patient Health Care Information" ratified by ASHP's House of Delegates in June 1999, we stated, in part:
ASHP believes that pharmacists must have access to patient health records in order to provide quality care and ensure the safe use of medications. ASHP also believes that with access to the patient's health record comes the pharmacist's professional responsibility to safeguard the patient's rights to privacy and confidentiality. Within health systems, all authorized practitioners should be encouraged to communicate freely with each other but to maintain patient confidentiality and privacy. Uniquely identifiable patient information should not be exchanged without the patient's authorization for any reason not directly related to the provision of health care services.
ASHP supported the proposed rule issued by DHHS in 1999 because it seemed to fit well with our policy statement. The new requirements in the final rule, however, seem to be counterproductive to the goal envisioned by the 1999 proposal. We suggest that DHHS open a new, more extensive comment period to allow practitioners the opportunity to fully respond to the December 28 final rule.
ASHP appreciates the opportunity to comment on the Standards for Privacy of Individually Identifiable Health Information rule. Feel free to contact me (301-657-3000, ext. 1316) if you have any questions regarding our comments.