Pharmacy Organizations Support HHS's Proposed Changes to HIPAA Regulations
April 16, 2002
The Honorable Tommy Thompson
Subject: Support for Proposed Change in Written Consent Requirement under Medical Records Privacy Regulation
Dear Mr. Secretary:
The national pharmacy organizations listed below, representing all sectors of pharmacy practice, strongly support the proposed changes issued by the Department on March 27, 2002, to the patient consent requirements of the final medical records privacy regulations (required under the Health Insurance Portability and Accountabilty Act of 1996). We support the changes in the proposed rule that would give providers the option of obtaining consent for the use of personal medical information for treatment, payment, and health care operations. We thank the Department for responding to the concerns of pharmacy providers by proposing these changes.
Pharmacy Committed to Protecting Patient Information: Pharmacy providers are committed to safeguarding the privacy of patient medical records. Currently, licensed pharmacists must abide by patient privacy standards specified in state pharmacy practice acts, state board of pharmacy regulations, and other state laws. We believe that any new Federal privacy standards, whether implemented through statute or regulation, must strike the appropriate balance of assuring that any new protections do not impede the ability of patients to obtain pharmacy services in a timely and efficient manner. We believe that the proposed changes regarding consent, if finalized by the Department, would achieve this goal without compromising patient privacy.
Change in Signed Written Consent Requirement Enhances Delivery of Pharmacy Services: Making it an option for direct treatment providers to obtain written consent from patientsrather than requiring itmakes the rule much more workable. Requiring pharmacies to obtain signed written consent from the patient before they can use the patients information to provide treatment or seek payment would increase waiting times and inconvenience patients. For example, pharmacies cannot fill prescriptions for patients that were phoned in or faxed to the pharmacies without signed written consent. Similarly, billions of prescriptions cannot be refilled after the regulations compliance date without a patients signed written consent. Clearly, this would have been problematic for patients and pharmacies and affect quality of care.
Pharmacies Committed to Informing Patients of Privacy Practices: Pharmacy providers are fundamentally committed to providing patients with a description of their privacy rights, and assuring that they understand how their information is being used to provide them with quality patient care services.
We would urge, however, that the Department give providers flexibility to implement the requirement that they obtain acknowledgement from the patient that they have received the notice of privacy practices. For example, the Department should not implement any rules regarding the form or content of the acknowledgement. Moreover, the final rule should clarify that pharmacies are not required to include in their privacy practice notice a description or interpretation of individual state-based privacy laws and regulations in relation to Federal regulation. This will be an almost impossible and costly task to undertake because state laws and regulations change frequently, and there may be varying interpretations of which privacy protections are stronger. Providers should be able to use a phrase such as "additional state privacy protections may apply" in their written notice to indicate that additional patient protections might exist.
Coordinate Compliance Date for Privacy and Security Standards: Finally, we also strongly urge that compliance date for both the final privacy regulations and the final security standards also required pursuant to HIPAA be delayed until at least 24 months after the effective date of the rule that is issued last. Implementation of each of these rules requires significant operational and computer system changes. Providers will already face significant operational challenges in implementing the privacy protections, since we are unlikely to know the final provisions of the regulation until well into the future. That would provide less than one full year to prepare for implementation.
Given that the privacy standards and the security standards are supposed to work interchangeably, and there is no indication as to when the security regulations will be published as final, it will be exceedingly challenging to plan implementation of the privacy standards without knowing the final security standards. Pharmacies should have the opportunity to concurrently assess the impact of both the security standards and any new privacy protections on their operations, and make the necessary changes at the same time.
We very much appreciate the Departments efforts to address pharmacy providers concern with the impact of the final regulations, and once again reiterate our strong support for the proposed changes regarding consent. We want to work with you to ensure that reasonable privacy protections result from this process, and that patients access to efficient, quality pharmacy services remains. Thank you.
American Association of Colleges of Pharmacy (AACP)