HIPAA compliance requires renewed commitment to patient privacy
With the April 14 deadline fast approaching, emergency departments must make sure their processes, procedures, and documentation are fully compliant with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. If they’re not, the consequences could be severe: civil penalties of up to $25,000 for each requirement violated, and criminal penalties of up to $50,000 and one year in prison for obtaining or disclosing protected health information.[1]
"I think everybody is like they are before a big exam," says Kathleen Catalano, RN, JD, director of regulatory compliance with Provider HealthNet Services, in Addison, TX. "They’ve got things in place; they don’t know if they’re going to work. They won’t know if they’re going to work or if they can remember anything until the day of the exam. I think we’re going to have the pieces in place; we’re just going to have to work out the kinks."
The good news is that emergency departments (EDs) are among the areas most likely to be cut some slack under HIPAA. Reneé Holleran, RN, PhD, chief flight nurse at University of Cincinnati Medical Center, says that the emergent nature of the care being provided probably will weigh in favor of EDs when it comes to minor slips under HIPAA.
Even so, successfully complying with HIPAA will require, if not a new approach, then at least a renewed commitment to the principle of protecting patient privacy. "This whole thing is really a culture change," Catalano says. "It’s not saying that we should be doing something that we’ve never done before. The confidentiality mandates have been there for years, but we just didn’t follow them. Or if we did, we did it laxly."
Notice of privacy practices
One of the key HIPAA issues for EDs is the use of notices of privacy practices, Catalano says. "If someone’s coming in and receiving treatment, they’re probably going to be given a notice of privacy practices from the ED, from the admitting area, and probably from same-day surgery," she adds. "The notice of privacy practices is interesting because it has to line up everything that the hospital is doing. So whatever the hospital’s policy is going to be on the use and disclosure of protected health information, it has to be lined up in that document."
Notices of privacy practices, mandated by the HIPAA privacy rule, are "intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights," according to the federal Office of Civil Rights (OCR), which provides guidance on HIPAA.
No standardized notice has yet emerged, although some groups, such as the American Health Information Management Association (AHIMA) in Chicago, have developed sample notices. (To see AHIMA’s sample notice, visit http://library.ahima.org/bok/ and search for "Sample Notice.") Many facilities have posted their notices on their web sites. Although they share several elements, they also can vary widely, both in terms of content and length (from as short as three pages to as long as 14).
"I think everybody’s doing their own thing, because they don’t know how to handle it," Catalano says. "Like reporting child abuse in the ED or rape. We report right to the local authority immediately, because that’s the law." But that release of information must be documented somehow, either electronically or in paper form, such as with some sort of log book. Different institutions will have different ways of accounting for and documenting such information transfers.
Providers also are required to have documentation indicating that the patient received, read, and understood the notice of privacy practices. The acknowledgement form itself might be simple but, as ED professionals know, obtaining simple consents or acknowledgements sometimes can be difficult in an emergent situation.
For example, Catalano posits, "what if a patient is unable to sign [the acknowledgement] because she is comatose. She came into the ED and we don’t know who she is. Somewhere the hospital’s got to be tracking that patient so that when she comes to and is able, she signs the acknowledgement." That holds true even if a family member initially signs the acknowledgement instead of the patient.
Fortunately, the authors of the HIPAA privacy rule seem to have understood that filling out paperwork isn’t the highest priority in an emergent care situation. According to the OCR, "hospitals and other covered health care providers with a direct treatment relationship with individuals are not required to provide their notices to patients at the time they are providing emergency treatment. In these situations, the HIPAA Privacy Rule requires only that providers give patients a notice when it is practical to do so after the emergency situation has ended. In addition, where notice is delayed by an emergency treatment situation, the Privacy Rule does not require that providers make a good-faith effort to obtain the patient’s written acknowledgement of receipt of the notice."
Tracking patients to make sure they’ve received a notice can be difficult, but responsibility for doing so probably won’t fall to ED staff, Catalano notes. Even so, the facility should have some sort of "tickler system" in place to prompt whoever’s responsible — whether social workers or floor nurses — to provide patients with a notice and secure a signed acknowledgement.
Strategies for compliance
The most daunting aspect of HIPAA compliance is the fact that the rule affects so many different areas, both within the ED and throughout the organization. Indeed, it comes into play as soon as the patient signs in.
To avoid inadvertent disclosures on sign-in sheets, some EDs have instituted a system in which patients write their information on a sticker, which then is transferred to a page shielded from public view. The Medical Center of Central Georgia in Macon uses a triage sign-in sheet consisting of a multipart form with individual tear-off tickets. As each patient signs in, a list that is concealed behind a cover sheet is generated with the name, time, and chief complaint. The form includes a place to write a telephone contact number, should the patient decide to leave prior to being seen by the triage nurse, according to Jonathan Kent, RN, CEN, assistant director of the emergency center.
Catalano notes that the regulations do not prohibit traditional sign-in sheets as long as they do not ask for the diagnosis or the name of the physician. However, some state laws are more stringent than the HIPAA regulation, "so people should be aware. For example, Texas state law is more stringent in some areas than HIPAA."
Protecting patient privacy at triage is another important issue under HIPAA. Patients should not have their vitals taken or an assessment performed in front of registration clerks, and patients’ responses to questions posed by the triage nurse shouldn’t be audible throughout the ED lobby, Catalano says. One solution is to set aside a small room or construct a module in which to triage patients. If your facility does this, make sure curtains are closed and doors are shut. "The Joint Commission [on Accreditation of Healthcare Organizations] has targeted this in a lot of hospitals, and what they’ve asked is, if you don’t have it ready today, let me see your plan for how you’re going to revamp your triage area."
Physicians also must take steps to limit the possibility of inadvertently disclosing private information, particularly when they are documenting through dictation. Some physicians continue to dictate patient outcomes in open workstations, which disclose sensitive information to those standing around the desk. Catalano notes that if a physician is behind a desk using the dictation equipment and is overheard, "that’s going to be an incidental disclosure. But if the doctor is standing up . . . and shouting into the machine, as some of them have a habit to do, I would say that there’s no safeguard from the hospital that’s going to protect them."
Protecting patient records from public view can, in some cases, be done with a few simple fixes, such as using binders that protect patient information, centralizing records, and putting a cover page over demographic information and bedside charts. "If it were me, I would use a cover page," Catalano says. "I think it stops people from wanting to look through it."
Catalano also recommends adding a clause to the conditions of admission in the ED whereby patients agree to have their information listed on the tracking board. "If you do that and they sign it, you’re home free," she says. "Because on a lot of them, they say a lot more than just the patient’s name. They say what the patient is in for, who’s seeing them, and who’s assigned."
It’s also important to consider what to do should a patient request total anonymity. "If your patient says, ‘I don’t want anybody to know that I’m here,’ that’s going to be an issue," Catalano says. "How do you handle that in the ED? I don’t think most people think about it."
Still little consensus on HIPAA
Given the sweeping nature of the HIPAA regulations and the approaching implementation deadline, it’s understandable if some ED professionals overreact a bit. Holleran says, "they’re reacting because they’re afraid that if they don’t, then somebody is going to come to the hospital and say, ‘OK, we’re going to fine you $25,000 because you’re not HIPAA-compliant.’ But they’re not really clear on what that means."
Part of the problem is that, even with the OCR guidance, there are some areas of HIPAA compliance in which no expert consensus has emerged. For example, Holleran says, there’s some disagreement about the extent to which tracking boards are addressed by HIPAA. "It depends on whose interpretation of the law you look at," she says. "Nobody is really emerging as the true expert. It’s sort of going down the road of EMTALA. People in different parts of the country and even different counties interpret EMTALA differently. I think we’re seeing some of that with HIPAA."
Holleran views the HIPAA regulations as essentially reinforcing the professional standards of privacy and confidentiality that EDs already should have in place. "If you read [the law], it’s essentially more to protect your privacy from outside companies getting hold of your information. . . . And in a way, it’s kind of nice that insurance companies are not going to have access to certain things that are really none of their business. But it’s unfortunate that they had to come up with a federal law, because there are so many multiple interpretations."
1. 45 CFR § 160.306 and § 160.312 (2000) for Civil Enforcement; 42 USC 1320d-6 (HIPAA Sec. 1177) for Criminal Enforcement.