>Although the transition went “more smoothly than expected during the first year after most entities were required to be compliant,” problems still persisted, a GAO report states. Issues surrounding the requirement to account for certain information disclosures as well as the requirement to develop agreements with business associates that extend ‘downstream’ certain privacy protections are in need of clarification, and are unnecessarily burdensome, according to organizations who must comply with the rules.
>Also questioned in the report were the problems encountered by organizations that rely on access to health information for public health monitoring, research, and patient advocacy. They often found, according to the report, a conflict between complying with the privacy rule and not impeding the flow of necessary information. Some researchers also complained about delayed clinical and health services due to the act’s requirements.
>The GAO report also states that patients quite frequently do not understand their rights under the act. This can be seen, the office says, through the large number of complaints filed that did not actually fall within the jurisdiction of the privacy rule’s governing body, the Department of Health and Human Services’ Office for Civil Rights.
>To confront these problems, the GAO has suggested that patients be better informed of mandatory disclosures to public health authorities in privacy notices and exempt such disclosures from accounting requirements. The GAO also recommends that a public information campaign be conducted to improve patient awareness of their rights.
>For a complete copy of the report, please see www.gao.gov/cgi-bin/getrpt?GAO-04-965 .