The trusted source for
healthcare information and
However, sweeping operational changes expected
Organizations now can move ahead and comply with the Health Insurance Portability and Accountability Act (HIPAA) now that the final privacy rule, which will be less burdensome, has been published.
"In general, I feel that the Department of Health and Human Services’ updates to the HIPAA regulations improve our ability to provide treatment and protect the privacy of our patients’ information," says Janice Roach, executive director of Tri-City Regional Surgery Center in Richland, WA.
The Chicago-based American Hospital Association, however, warns that the rule still requires "sweeping operational changes."
"Because it will affect every department, employee, and business associate of the hospital, it will take intense education of hospital workers and patients," the association warns.1
A previous version of the privacy rule was published on Dec. 28, 2000, and proposed modifications were published on March 27, 2002. The final rule was published Aug. 14, 2002, in the Federal Register. The deadline for compliance is April 14, 2003, or April 14, 2004, for small health plans.
Here are the areas with major changes:
• Privacy notice.
The rule omits the requirement for written consent from patients before disclosing patient information among providers. Instead, patients should be asked to sign or otherwise acknowledge that they have received information about their privacy rights and the providers’ information practices.
"I am happy about the reduced expectation for the patient consent requirement," Roach says. "It will be easier for us to administrate and also easier for the patients to understand."
The privacy notice must be given during the initial patient encounter and any time patients request it, Roach says. "Of course we make a good-faith attempt to make sure that our patients understand their rights under HIPAA, but not by having to provide them a 20-page legal document," she says.
• Initial use and disclosure.
The final rule allows uses or disclosure of patient information that are incidental to a use or disclosure that is otherwise permitted. For example, surgery centers may keep patient charts at bedside, physicians can talk to patients in semiprivate rooms, and physicians can confer at nurses’ stations without fearing that they violate the rule if a passerby overhears them, according to a statement from the Department of Health and Human Services.2z
The relaxation of the regulations for incidental disclosures actually will make it easier for outpatient surgery providers to take good care of patients, Roach says. "Medical personnel need to be able to discuss a patient’s condition and treatment, without having to constantly worry about breaking the law," she says. "Staff at the [Tri-City Regional] Surgery Center understand the patient’s need and right for confidentiality, but this change makes it easier for the nurses and doctors to do their job."
The final rule said providers must obtain a patient’s specific authorization before sending them marketing materials.
General newsletters still can be mailed if they have general health information and they aren’t labeled "information for patients," says Mark Mayo, executive director of the Illinois Freestanding Surgery Center Association in St. Charles. Mayo received this advice at the recent HIPAA conference sponsored by the Alexandria, VA-based Federated Ambulatory Surgery Association. "The recommendation is that the mail packet not be too obvious," Mayo says.
The final HIPAA security regulations still are uncertain.
"We are still a little nervous about the fact that the final security regulations are not yet finalized, yet we are supposed to ensure the privacy of our patients’ information," Roach says. "We expect to make some minor changes to improve security of patient data, but we already have had to begin staff awareness and training." Her awareness includes discussion at monthly staff meetings, she says. Privacy training for all employees is mandatory under HIPAA.
"We are also reviewing our policies and procedures to make sure that we are protecting the privacy of patient information," Roach says.
[Editor’s note: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will continue to conduct outreach and education targeted to providers affected by the privacy regulation. These efforts include technical assistance materials and responses to frequently asked questions. HHS also will hold national educational conferences in the fall to address issues related to key parts of the privacy regulation. Technical assistance materials will be posted on OCR’s privacy rule web site at www.hhs.gov/ocr/hipaa/.
Copies of the Federal Register can be found at www.access.gpo.gov/su_docs/fedreg/frcont02.html. Click on "Wednesday, Aug. 14," and look under the "Health and Human Services Department." Or, you can view the Federal Register at many libraries. To order by mail, the cost is $10. Specify the date (Aug. 14, 2002), and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or MasterCard number and expiration date. Send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Credit card orders can be placed by telephone: (202) 512-1800, or by fax: (202) 512-2250.]
1. American Hospital Association. AHA News Now Special Report — HHS issues final HIPAA Medical Privacy Rule. Chicago; Aug. 9, 2002.
2. Department of Health and Human Services, Press Office. Modifications to the Standards for Privacy of Individually Identifiable Health Information — Final Rule. Washington, DC; Aug. 9, 2002.