
August 8, 2005

Protecting Privacy — HIPAA Regs Meet Day-to-Day Care
By Desiree Wyatt, ADN, RN, CCRN
Radiology Today

Vol. 6 No. 16 P. 26

Healthcare organizations still struggle with finding the proper middle ground between draconian secrecy measures and properly guarding patients’ right to privacy.

In 1996, Congress passed into legislation a set of standards developed by Health and Human Services (HHS) titled the Health Insurance Portability and Accountability Act (HIPAA). One key component of the law and ensuing regulations established guidelines for individual patient management and access to healthcare information—including the provision of a legal firewall to prevent inappropriate, unauthorized disclosure of patient information.

In an effort to prevent inadvertent disclosures, many facilities adopted a “no information given, no fines levied” mentality when the regulations went into effect. Families calling inpatient units for medical updates were met by rote, vague statements from perplexed ward clerks and nursing staff, worried that the tiniest leak of information would be grounds for immediate termination. Despite the readily available resources and length of time that healthcare providers have had to implement the law, bewilderment persists.

What Is Private?
How is protected health information (PHI) defined by HIPAA? What is the intended application of the law? What have been some unintended consequences of HIPAA? How is adequate communication maintained with patients and patients’ families and significant others without breaching the law? These issues still confuse many healthcare professionals.

In its consumer fact sheet, the HHS has “defined” PHI as: “Under the final rule, patients will have significant new rights to understand and control how their health information is used. Providers and health plans will be required to give patients a clear written explanation of how the covered entity may use and disclose their health information. Patients will be able to see and get copies of their records, and request amendments. In addition, nonroutine disclosures must be made accessible to patients.”

The fact sheet also lists patient recourse for violations of confidentiality, public responsibility with privacy protections (which permits disclosure of information without patient authorization), special protection for psychotherapy notes, and compliance and enforcement. The permitted disclosures include but are not limited to emergency circumstances, identification of a deceased person or the cause of death, public health needs, and research.

Practical Problems
As a result of the HHS recommendations for HIPAA enforcement, healthcare providers nationwide are adapting their practices to ensure privacy.

In the July 17, 2003, issue of The New England Journal of Medicine, Deeb Salem, MD, and Stephen Pauker, MD, address the adverse effects of HIPAA: “Although the goal of the Health Insurance Portability and Accountability Act of 1996 [HIPAA] is to protect patients’ privacy and rights, such protections, if misunderstood or overzealously applied, could impede necessary communication and thereby negatively affect patient care and safety.”

In the review of two case histories, Salem and Pauker first describe a patient between the ages of 50 and 70 (the exact age and sex withheld in compliance with HIPAA) having undergone cardiac transplantation. Shortly after the patient received the transplanted heart, it was discovered that the donor was positive for bacteria in his blood cultures. To prevent the fragile transplant patient from receiving unnecessary antibiotics, the infectious disease officer contacted the donor hospital, asking for identification of the infectious organism. The donor hospital refused, stating that prior to his death the donor did not authorize the release of his hospital records and that to share clinical information about the deceased donor would violate HIPAA regulations.

In Salem and Pauker’s second study, a patient between the ages of 40 and 50 was referred to a heart specialist after failing an exercise stress test. While the patient was in attendance with the cardiologist, the specialist asked that the stress test rhythm strips be faxed to him for review. Citing HIPAA regulations regarding faxing patient information, the referring facility refused the request, disregarding the presence of the patient and verbal demands that the documents be sent to the cardiologist.

The cardiologist eventually received the strips and was able to review the case; however, the misinterpretation of the HIPAA regulation delayed the cardiologist’s review by two hours. Possibly as a direct result of the patient’s anxieties, the patient required cardiac catheterization and angioplasty the next day.

Understanding Patient Rights
Patients are advised to familiarize themselves with the HHS’s fact sheet. For instance, as an inpatient you’ll be asked whether you would like to be listed in the inpatient directory. Enrollment is optional, but if you decline (opt out), the receptionist can only inform callers that you are not listed on the directory. If flowers arrive for you and the receptionist cannot find you on the directory, your delivery will be returned. Neither can you expect clergy or friends to visit you—the drawback of opting out is that no one can be told that you are there.

The fact sheet fails to mention several details. It does not mention that the government can impose civil penalties for noncompliance ranging from $100 to $250,000. Hospital administrators and office managers wield this warning over their employees in an effort to prevent inadvertent escape of confidential information. Interestingly, there is a significant amount of harmless data that can be released without violating patient confidentiality, according to the six patient rights of PHI. For example, reporters can call the hospital spokesperson to ask about the condition of a patient. Unless a patient has opted out, secretaries can inform callers whether a patient is in their unit.

“The HIPAA law is not intended to freeze everyone into utter silence; rather, it is meant for you to use your common sense, for you to do what you have already been doing—limiting the amount of information you give about your patients,” says Linda Hurley, MSN, RN, former corporate compliance officer at the Springfield Hospital in Vermont. “What would you want revealed about yourself? How can you be sure who’s on the phone, asking you questions? If they’re calling to ask about Aunt Millie, who is 87 years old tomorrow and can they bring her some cupcakes, of course you’re going to answer that question. But the 37-year-old overdose in room 5 is a patient for whom little information would be given—and you had better be certain his family didn’t opt out on the admissions form.”

Being Careful
In Springfield’s emergency department (ED), nursing staff had an experience that led them to even tighter controls than previously practiced. Mr. X, a 41-year-old patient, arrived via private vehicle for treatment of lacerations sustained during a home project. Shortly after his arrival, a telephone call inquiring whether Mr. X was in the ED was put through by the switchboard. Nursing staff placed the call on hold, and asked Mr. X whether he wanted the caller to know he was there. “Yes,” was his reply, and he asked whether he may speak to the caller.

Several days later, the ED manager began speaking to all the nurses who were on the shift the day Mr. X came in for treatment. Evidently, Mr. X decided he hadn’t wanted the caller to know he was there and had called to complain about the breach of confidentiality.

In this particular case, there was enough staff present as witnesses to confirm that the patient had no legitimate complaint, but it doesn’t stop the uncertainty. After that episode, many staff members reversed their position of “some information can’t hurt” and resorted to telling callers they could not give out any patient information, including whether the patient was present.

Many Misunderstandings
Janlori Goldman of the Health Privacy Project at Georgetown University says, “It’s one of the big misunderstandings. Many doctors and hospitals [and employees] either misunderstand the rule or take an extreme reading of it. The privacy law requires no such thing.”

In regard to the cases presented by Salem and Pauker, HIPAA permits PHI disclosure for cadaveric organ donation. The misunderstanding resulted from overzealous, fear-driven behavior on the part of the donating facility. HIPAA also permits the release of information to avert a serious threat to health, as in the case of the patient who was referred to the cardiologist for further critical evaluation.

The privacy rule addresses covered entities, individually identifiable information, and PHI. Covered entities include the persons or organizations that transmit patient health information. According to the HHS, healthcare providers, health plans, and healthcare clearinghouses are covered entities. HIPAA includes those who provide patient care, bill for the patient’s care, and pay for the care that has been received. Therefore, professional, nonprofessional, and/or volunteer persons in a healthcare setting, or employed by a healthcare agency, who use or have access to a patient’s healthcare information are legally bound to follow the HIPAA ruling.

The privacy rule protects any form of healthcare information—verbal, paper, or electronic. Items considered under the PHI are any that can identify a patient—demographics, details concerning a patient’s condition, and care provided to the patient. The medical record is the one source many healthcare providers associate with patient information; however, any information that can identify a patient is considered private under the PHI segment, including health insurance and billing information.

The privacy rule does not restrict information that has been deidentified. A physician may share an electrocardiogram with a group of medical students or fellow physicians in a grand rounds session, eliminating the patient’s name, age, medical ID, and room number. Nursing quality control and performance improvement committees routinely black out any identifying information when presenting copies of medical records for staff review. Identifiers include relatives, employers, addresses, zip codes, cities, dates of birth, ages, Social Security numbers, telephone numbers, fax numbers, medical record numbers, vehicle identifiers, and pictures. Once all identifiers are removed, the privacy rules no longer apply to the remaining information. Thus, the information can be used for studies and research and be electronically transmitted.

Patients who are actively enrolled in clinical trials are already accounted for, having agreed to their participation in the trial. In the case of retrospective epidemiological studies on closed medical records, it would be impossible to get every patient’s authorization.

Semiprivate Problems
Many facilities are facing a breach of confidentiality of another type: the semiprivate room—not only an issue on the wards but wherever there is more than one patient in an enclosed area, with only curtains giving them the “half-privacy” of not being seen.

Newer facilities have the choice of designing rooms to afford more privacy; the older ones are caught in the dilemma of not being able to follow HIPAA to the letter of the law. This includes EDs, postanesthesia recovery areas, preoperative holding areas, and waiting rooms. Placards that ask patrons to stand farther back from the receptionist’s desk are little more than a feeble attempt at providing privacy.

In the emergency and perioperative areas, patient safety outweighs the need for privacy: the curtained cubicles provide quick access to other ill or recovering patients, as well as quick visual and auditory monitoring.

Ward nursing staff are becoming increasingly reluctant to discuss a patient’s care and treatment plans when on the other side of the curtain is another patient who cannot help but hear the conversation. In addition to workload constraints, the nurse must now wait for a suitable time to enter the room to discuss the patient’s care—when the roommate is out of the room at a test or visiting with family in the lounge. Frequently, people who are visiting a bedridden patient are asked to leave the room when personal matters—medical discussions, ancillary referrals, use of the bedpan or bedside commode—are addressed.

What can be done to eliminate the confusion of PHI? Healthcare professionals recognize the ethical practice of maintaining confidentiality, upholding patient rights, and supporting the autonomous choices of their patients. Therefore, healthcare personnel must be active in their role as advocates, developing practices that promote protection of patient information. Workstations that eliminate visual access to unauthorized persons, chart racks located well within the confines of the station, and identifiable medical information kept away from public areas (eg, countertops where visitors approach) are the physical means by which patients’ privacy can be protected.

Curtains drawn for procedures, including personal care and physical assessments, are means by which patients’ privacy is visually maintained. Where possible, semiprivate-roomed patients can be removed to a separate area for consultation and discussions concerning care. If a patient cannot be moved, then visitors should be escorted to the lounge until the patient’s matters are attended to. Telephone information is limited to the presence of the patient and condition, provided the patient or responsible party has not chosen to opt out. Frequently, the call can be forwarded directly to the patient, thus eliminating inadvertent disclosure.

Facilities Adjusting
Facilities and individuals have reviewed the law and adopted their own policies accordingly. For instance, the Affiliated Dermatology and Cosmetic Surgery Center (New Jersey and Ohio centers) has a detailed, three-page handout given to all patients. In plain language, it minutely details the rights and responsibilities of a patient under the PHI law, including how each patient will be treated upon arrival.

For employees and students alike, the University of Miami has the Privacy/Data Protection Project. Interestingly, it addresses the release of information regarding deceased persons, including organ and tissue donations.

Regarding hospitals’ EDs, HIPAA permits covered entities to notify, or assist in the notification of, family members, their personal representatives, or other persons (significant others, regardless of relationship) who are responsible for the patient’s care, about the patient’s location, general condition, or death. If the patient is present and conditions permit the patient to express his or her own wishes, it will be the patient who decides whom the hospital will notify.

For instance, a doctor may call a patient’s spouse to inform him or her that his or her family member is in the ED for treatment following an automobile accident. A doctor can notify the husband of a pregnant patient who has arrived in labor. A nurse may contact the friend of a patient, informing him or her that the patient is now recovering from surgery after a fall down a staircase.

What Is Reasonable?
A hospital may even disclose patient information to persons contacting the ED, so long as the ED provider obtains reasonable assurances and can make a reasonable, professional judgment that the request is being made by an individual entitled to that information. The reasonable assurances are questions that each ED can develop to determine what information can be disclosed. Once these criteria have been met, an ED may safely release information without committing a HIPAA violation. HIPAA was not intended to prevent family or significant others from learning about their loved ones.

David Kibbe, MD, MBA, addressed the law in an article published in Family Practice Management. In addition to defining the regulation, he offers recommendations for adapting the new law to individual practices—ie, designating a resource person, continuing education for the staff, and scrutinizing electronic devices used for the submission of private documentation.

Rather than specify the technologies needed to meet the HIPAA security requirements, the HHS has specified the process and outcome requirements. The word reasonable appears 57 times in the rule, demonstrating the government’s willingness to scale solutions according to facilities’ different sizes and degrees of sophistication.

The HIPAA regulations have become a stumbling block for many individual organizations. However, a little dose of common sense can be a powerful tool in constructing a fair interpretation for patients and healthcare workers.

— Desiree Wyatt, ADN, RN, CCRN, is a member of the Association of Critical-Care Nurses.

References

Affiliated Dermatology and Cosmetic Surgery Center. Notice of Privacy Practices for Protected Health Information. 2004. Accessed via ProQuest Direct, University of Wisconsin-Green Bay, Mary Ann Coffrin Library, Green Bay, Wisc., March 16, 2004. Available at: http://umi.com/proquest

AFLAC. Notices of Privacy Practices – Protected Health Information. Disclosures. March 14, 2004. Available at: http://www.aflac.com/action_item/privacy_hipaa.asp

Belcher K. New Privacy Rules Meant to Protect Patients. Journal-Gazette. May 16, 2003:11A.

Erlen J. HIPAA-clinical and ethical considerations for nurses. Orthopaedic Nursing. 2004;23(6):410-414.

Frank-Stromberg M. They’re real and they’re here: The new federally regulated privacy rules under HIPAA. Dermatol Nurs. 2004;16(1).

Gosfield A. The HIPAA privacy rule: Answers to frequently asked questions. Family Practice Management. July/August 2001.

Kibbe D. A problem-oriented approach to the HIPAA security standards. Family Practice Management. July/August 2001.

Martin R. Navigating HIPAA: In the ED. Advance Online Editions. February 2004.

Hurley LJ. Personal interview. February 22, 2005.

Oatway D. HIPAA security is next. Nursing Homes. January 2004.

Privacy Rules Go Too Far. Herald. April 6, 2003.

Salem DN, Pauker SG. The adverse effects of HIPAA on patient care. New Engl J Med. 2003;349(3):309.

Showalter JS. Compliance: What’s around the corner? Healthcare Financial Management. April 2003.

Stein R. Hospital Privacy Rules Confuse Doctors, Patients. Washington Post Journal Gazette. August 19, 2003.

University of Miami. Protected Health Information (HIPAA). March 8, 2004. Available at: http://privacy.med.miami.edu/glossary/xd_protected_health_info.htm.

U.S. Department of Health and Human Services. Protecting the Privacy of Patients’ Health Information. April 14, 2003. Available at: http://aspe.hhs.gov/adminsimp/final/pvcfact.htm.

Copyright © 2007 Great Valley Publishing Co., Inc.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of Radiology Today
All rights reserved.