Worried? HIPAA privacy regs should change little

You’re probably doing what you need to comply

When the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 went into effect on April 14, they probably didn’t mandate changing anything that you as a hospital case manager have been doing for years, says Sara Kraus, JD, an attorney practicing in the health care department of Proskauer Rose LLP in New York City.

"HIPAA just formalizes the procedures that are already established by some states, institutions, and health care providers for preserving patient rights," she adds.

When the rules first came out, a lot of people in the health care industry panicked, interpreting some provisions as onerous regulations that would make it more difficult for them to treat patients. For instance, some decided hospitals couldn’t put patient names on the door, have a sign-in sheet at clinics, and staff couldn’t have a discussion about a patient in the hall or a room with an open door.

"HIPAA was never meant to apply to incidental disclosure of health care information. Everybody went a little nuts when the rules first came out. The government guidance issued in August 2002 has retreated a little from the original restrictions," Kraus says. HIPAA restrictions shouldn’t disrupt the delivery of health care, she says.

But while you don’t have to go in a room and shut the door to ask a physician a question about one of your patients, you do need to make sure that you discuss patient information in a quiet voice, Kraus says.

Consider training your staff to not to talk loudly when they discuss patients and take other reasonable measures to make sure the patient information is kept confidential, she advises.

Kraus reminds case managers that complying with HIPAA doesn’t necessarily mean that you are complying with state or local laws. If you are working with outside case managers, you should make sure your hospital regulations will allow you to share the information without an authorization, she adds.

One of the biggest differences that HIPAA is likely to make is the requirement that providers make a good-faith attempt to give their privacy notice to patients in person and to get their acknowledgement that they received it. The exception is for emergency treatment.

For hospitals, it’s a one-time requirement for every new patient. If your hospital has a computerized record system that can track whether or not a patient has received a privacy notice and acknowledged receipt of it, you don’t have to give it again. "If you don’t have a way of knowing whether or not the person has gotten your privacy notice before April 14, it will be easier to give them another one," Kraus says.

The privacy notice should include patients’ rights under HIPAA, including their right to access their medical records and propose an amendment to them, a right to an accounting of nonroutine disclosures, such as information given as the result of a government inquiry, and a right to make a complaint if they think their privacy has been violated.

A patient’s information can be disclosed only for treatment, payment, and health care operations. If your hospital is going to use patient information for other purposes, such as fund-raising or clinical research, the patient must give permission.

"There is still confusion among people. The way a provider uses patient information must be disclosed in the privacy notice, but it’s a limited universe. If a particular use is not permitted, the provider still can’t do it, even if it is included in the privacy notice," she adds.

Some other tips for making sure that you are in compliance with the HIPAA regulations:

  • Make sure that everyone on your staff is trained in your hospitals’ HIPAA privacy obligation.
  • When in doubt about something, check with your privacy officer. "It’s better to assume you can’t do something," Kraus says.
  • Make sure your patient records that contain individually identifiable health information are in a secure location and are not readily available to those who do not need them.