Special Report

Striking the Balance: HIPAA & the ED

by Meghan Cosgrove, Esq., Centers for Medicare and Medicaid Services1

Editor's note: This article begins a two-part series on the legal basis and interpretation for several common HIPAA issues that challenge ED staff members.

The public nature and crisis setting of an emergency department (ED) makes the protection of confidential health information under the Health Insurance Portability and Accountability Act (HIPAA) particularly challenging. This challenge requires a balance between the need for effective communication and the need to safeguard voluminous amounts of written, oral, and electronic interchanges.

Several factors unique to emergency care place HIPAA compliance and ED operations in tension and thus warrant particular consideration. HIPAA compliance is critical. As a society, Americans are more protective of their privacy than ever.2 In a 2005 study by the California HealthCare Foundation, 67% of the patients surveyed were highly concerned about the privacy of their health information, yet remained unaware of their rights in this area.3 Increasing reliance on technology, the lack of adequate contingency plans, and numerous high-profile data breaches speak to the validity of those concerns. Most industries, including education, defense, finance, and health care, have been the subject of articles highlighting negligent receipt, storage, and access of identifiable personal data, including the recent theft of computer disks containing information on 26.5 million veterans.4

However, the delivery of emergency care is often constrained by factors that hinder communication: time pressures, multiple providers treating one patient, and the hectic, noisy atmosphere that makes it a locus ill-suited for effective communication and comprehension. Environmental factors include the need for rapid decision making, the public function of a setting with 24-hour access, patient overcrowding, and the steady stream of visitors, law enforcement, and staff. EDs are also faced with a diverse patient population including foreign visitors, those with impaired cognitive functions, and those who present age, disability, language, cultural and literacy challenges. Finally, the sensitive clinical issues addressed in this setting include conditions such as mental illness, substance abuse, domestic violence, and sexually transmitted diseases. Adding the regulatory burden of HIPAA into this mix makes it difficult to balance these competing realities and create an environment that fosters the co-existence of free-flowing communication and patient privacy.

HIPAA Overview

HIPAA was signed into law on August 21, 1996. This major initiative addressed several areas of health care reform. This article focuses on one section that has captivated the attention of the health care industry: Title II, Subtitle F, known as Administrative Simplification.5 Title II deals with the protection of identifiable health information through privacy and security mechanisms, as well as tools to increase electronic efficiency such as standard transaction and code sets.6

Perhaps the most robust of the administrative simplification provisions is the Privacy Rule, weighing in at 369 pages. Beyond the pulp, however, are regulations and guidance that set a minimum federal floor of protection for uses and disclosures of what is termed protected health information or PHI.7 The Privacy Rule sets out the rights of an individual to control the use and disclosure by "covered entities" of their own written, oral, or electronic PHI.8 Covered entities include health care providers (those that furnish, bill, or receive payment for health care in the normal course of business) that conduct certain transactions electronically, a health care clearinghouse, or a health plan.9 The Office for Civil Rights (OCR), within the U.S. Department of Health and Human Services (DHHS), is charged with its enforcement.10

A covered entity is required to disclose PHI in two situations: 1) when an individual specifically requests access to his or her PHI, or 2) when the DHHS seeks access for compliance or enforcement reasons.11 A covered entity is permitted to use and disclose PHI without an individual's authorization in six limited situations:12

  • To the individual who is the subject of the PHI
  • For treatment, payment and health care operations
  • Uses and disclosures that are incident to a permissible disclosure where reasonable safeguards were put into practice and the PHI disclosed was limited to the minimum necessary
  • Uses and disclosures where an authorization is required
  • Uses and disclosures where it is required that the individual have an opportunity to agree or object
  • Uses and disclosures where it is not required that the individual have an opportunity to agree or object. These include 12 national public interest and benefit activities;13 disclosures of a limited data set for research, health care operations, and public health activities, where certain identifiers have been removed and the recipient promises in a data use agreement to use specific safeguards; fundraising; and underwriting purposes.

Uses and disclosures under the Privacy Rule must also be limited to the "minimum necessary" to accomplish the purpose of the disclosure.14 Certain disclosures are not limited by the "minimum necessary" requirement, including disclosures to a health care provider for treatment, to the individual patient, or those required by other laws.15

The Security Rule became effective on April 21, 2005, for covered entities and only recently (April 21, 2006) for small health plans.16 It focuses on internal and external threats to the storage, integrity, access, and transmission of electronic data and will be discussed in a future issue.

The goal of HIPAA was to set a minimum "federal floor" of privacy protection for individually identifiable health information. State laws that are contrary to any provision of HIPAA are preempted.17 If the state law is not contrary to HIPAA, relates to the privacy of individually identifiable health information, and provides greater privacy protections than HIPAA, then the state law is controlling.18

Given the breadth of circumstances that EDs are confronted with, which make the unusual and unexpected more common than in other settings, it is impossible to address every possible HIPAA dilemma. In the end, the standard of "reasonableness" and a balancing of priorities will dictate the appropriate action.19

Caregiver Discussions

HIPAA's biggest impact is felt in the daily written, oral, and electronic communications that are necessary to admit and treat patients in an ED.

Physicians, nurses and other clinical staff may breach patient confidentiality when caregiving discussions are overheard by other individuals. In a 1999 survey of ED patients, 36% reported overhearing a conversation in an adjacent room or hallway.20 Surprisingly, this study also revealed that patients placed in walled rooms overheard only 5% less than patients in curtained areas.21 The debate of walls versus curtains brings the issue of ED design as well as its associated costs to the forefront. Patient safety argues for open rooms to allow maximum visibility of all patients in the ED to guard against adverse events. However, respect for privacy argues for the limited visibility of walled rooms that provide more physical privacy and may provide more auditory privacy.

The location of the conversation overheard reveals a substantial difference between walls and curtains. Patients in walled rooms were 40% less likely to overhear a conversation taking place in the room next door than those in curtained areas.22 Patients in curtained rooms, however, were 30% less likely to overhear conversations taking place at the nursing station and 10% less likely to overhear a hallway conversation than their walled counterparts.23 This seems to suggest that the use of walls versus curtains is not as important as safeguarding the locations where conversations start.

Lack of background noise or soundproofing materials also can make it easier for conversations to be overheard. Sound-absorbing walls, floors, and ceilings help with the issue of auditory privacy. In addition, the use of music and television should not be underestimated in their ability to create more auditory privacy.24 Background music and television can serve as a distracting noise and enhance the privacy of conversations for individuals located within close proximity to one another.25 Some advocates even suggest the use of white noise machines in the ED to absorb sound and make conversations more difficult to overhear. The concern with any of these sound-absorbing techniques, however, is that they may also affect the clarity necessary for clinical communication.26

The ability to create and maintain physical and auditory privacy in the ED is a difficult task at best. Walls and curtains can go only so far in providing a sense of privacy amidst the endemic crowding of EDs. In reality, physicians and staff must implement a culture of privacy that extends beyond these safeguards through a constant awareness of the location, volume, and content of their conversations.

Medical Record Issues

Compared with physical and auditory privacy, the protection of written and electronic medical records may be easier to control in some ways. Written records are usually kept in a public workspace in order for them to be readily available. Every effort should be made to store these records in a single secure location where they are returned when not in active use.27 The front of hard copy charts should be covered to further guard against prying eyes.28

The technology surrounding electronic medical records (EMRs) makes them better equipped than written medical records to limit access to PHI. While EMRs provide institutions and staff with a sense of greater control over the security and integrity of their medical records, patients may not be convinced. A recent patient survey on EMRs found that 70% of Americans are concerned that a data breach could cause their health information to be disclosed, while 69% think that EMRs may lead to their health information being shared without their consent.29 Precautions surrounding EMRs include locating monitors in low-traffic areas, the use of screen savers, automatic logout features, and role-based access (i.e., limiting screen access based on staff responsibilities). The placement of monitors is especially critical if an ED is utilizing an electronic patient tracking system. When accessing EMRs, staff should be aware of individuals reading over their shoulders, a practice commonly referred to as "shoulder surfing." Staff should also be vigilant about new cell phones that may be equipped with camera and video capability.

The storage of written and electronic PHI also leads to questions of proper disposal. Shredders, disk erasers, and CD destruction machines should be incorporated into HIPAA compliance efforts. Finally, physician and staff training should include information on department policies and procedures related to record access, movement and disposal.

Medical Students and Physician Resident Issues

As part of the caregiving team, medical students and physician residents in academic EDs also are authorized to access medical records as part of HIPAA protected health care "operations." As such, students and residents should receive role-specific privacy and security education and training before they see patients.30 HIPAA training varies by institution but often is incorporated into overall compliance training. Academic medical centers have used several different approaches, including online tutorials, which incorporate a post-test or quiz, live presentations or written documents. Many facilities also require residents and students to sign some version of a confidentiality agreement as part of their employee status. A record should be kept of all students and residents who have completed training as well as those subject to re-training due to a shift in job responsibilities.

A particular HIPAA concern with medical students and physician residents is the copying or removal of medical records by students and residents for classroom reasons.31 While students and residents are allowed to use and disclose PHI within their training setting, use or disclosure outside the training setting requires patient authorization or de-identification. To avert problems in this area, HIPAA training must include a review of policies that address how much of the medical record may be accessed (up to and including the entire record), how to safeguard PHI, and removal of PHI from the training site.

References

1. The author wishes to thank Charlotte Yeh, M.D., FACEP and Maureen Kerrigan, Esq. for their extensive HIPAA knowledge and for insights into the practice of emergency medicine.

2. Press Release, Americans Have Acute Concerns about the Privacy of Personal Health Information, California HealthCare Foundation, at http://www.chcf.org/press/view.cfm?itemID=115814 (November 9, 2005). Accessed: May 29, 2006.

3. Id.

4. Martin H. Bosworth, Ohio University: Data Breach Central?, Consumer Affairs, at http://www.consumeraffairs.com/news04/2006/05/ohio_u_data_theft.html (May 15, 2006). Accessed: May 29, 2006. David Stout and Tom Zeller Jr., Agency Delayed Reporting Theft of Veterans' Data, New York Times, at http://www.nytimes.com/2006/05/24/washington/24identity.html?_r=1&oref=slogin (May 24, 2006). Accessed: May 29, 2006.

5. 42 U.S.C. §1320d-2.

6. Id.

7. 45 C.F.R. §160.103.

8. Id.

9. Id.

10. 65 FR 82472.

11. 45 C.F.R. §164.502(a)(2).

12. 45 C.F.R. §164.502(a)(1) and U.S. Department of Health and Human Services Office for Civil Rights, Summary of the HIPAA Privacy Rule, at http://www.hhs.gov/ocr/privacysummary.pdf (May 2003). Accessed: May 29, 2006.

13. 45 C.F.R. §164.512.

14. 45 C.F.R. §164.502(b)(1).

15. 45 C.F.R. §164.502(b)(2).

16. 45 C.F.R. §164.318.

17. 45 C.F.R. §160.203.

18. 45 C.F.R. §160.203(b).

19. 45 C.F.R. §164.530(c).

20. Olsen JC, Sabin BR. Emergency department patient perceptions of privacy & confidentiality. J Emerg Med 2003;3:331, 329-333.

21. Id. at 332.

22. Id. at 331-332.

23. Id. at 331-332.

24. Susan Mazer, Speech Privacy: Beyond Architectural Solutions, at http://www.healinghealth.com/d-resources/documents/Mazer_SpeechPrivacy.pdf (October 2005). Accessed:

25. Id.

26. Id.

27. Moskop JC, Marco CA, Larkin G, et al. From Hippocrates to HIPAA: Privacy and Confidentiality in Emergency Medicine. Ann Emerg Med 2005;45:62-63, 53-67.

28. Id.

29. News Release, Majority of Americans Have Privacy Concerns about Electronic Medical Record System, Health Privacy Project, at http://www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=263085 (February 23, 2005). Accessed: May 29, 2006.

30. Id.

31. Youngstrom N. Hospitals Treat Medical Students as Workforce Members Rather Than BAs, AIS Health Report on Patient Privacy, at http://www.aishealth.com/Compliance/Hipaa/RPPHospitalBA.html (March 2005). Accessed: May 29, 2006.

32. Gottlieb LK, Stone EM, Stone D, Dunbrack LA, Calladine J. Regulatory and Policy Barriers to Effective Clinical Data Exchange: Lessons Learned From MedsInfo-ED. Health Affairs 2005;24(5):1197-1204.