Still need HIPAA help? Check out on-line sites

Resources clarify regulation concepts

As hospitals fine-tune their HIPAA compliance policies and procedures, savvy access managers continue to find the Internet a rich source of information. It’s particularly helpful for those who might still be involved in a crash course in HIPAA readiness.

Just weeks before the HIPAA privacy deadline, says Gillian Cappiello, CHAM, senior director of access services and chief privacy officer at Swedish Covenant Hospital in Chicago, she was receiving phone calls from people whose hospitals hadn’t even begun preparations.

"They didn’t have legal counsel, hadn’t done gap analysis, or gotten consulting help," she adds. "It helps you get organized, although you don’t have to have it."

Even with sample policies and other information available on-line, Cappiello notes, such last-minute scenarios still posed "a heck of a challenge."

Because it took so long for the privacy rule to become final, she says, health care providers early on had the tendency to "take [privacy measures] to the extreme. People initially thought [patients] couldn’t sign their names in the waiting room, that everybody needed beepers, rather than have their names called out."

There was concern that nursing, for example, couldn’t display an information board for fear of violating patient confidentiality, Cappiello adds. "Yes, you can, but just restrict [content] to the minimum amount of information needed to make sure you treat the right patient."

To avoid misinterpretation and misunderstanding by the public, she says, Swedish Covenant includes examples of what is and is not allowed in its privacy notice. "We would rather the patient be educated and we can address any concerns."

Despite hospitals’ best efforts, Cappiello says, she suspects there will be "frivolous lawsuits, as with anything in the health care field. I’ve already had phone calls [before the deadline] from people saying, ‘You’ve violated my privacy.’"

As a source for all kinds of HIPAA-related information, she recommends the web site

Among other things, it provides a detailed explanation of the "minimum [information] necessary" concept and an extensive list of frequently asked questions.

Here are sample questions, with some of the answers condensed:

Question: What is the difference between consent and authorization under the privacy rule?

Answer: The privacy rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an authorization is required by the privacy rule for uses and disclosures of protected health information (PHI) not otherwise allowed by the rule. Where the privacy rule requires patient authorization, voluntary consent is not sufficient unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than for treatment, payment and operations, or to disclose PHI to a third party specified by the individual.

Question: May physician offices use sign-in sheets or call out the names of patients in their waiting rooms?

Answer: Yes. Covered entities, such as physician offices, may use patient sign-in sheets or call out names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA privacy rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet.

However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (for example, the medical problem for which the patient is seeing the physician).

Question: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

Answer: The HIPAA privacy rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and work force, and to implement policies and procedures accordingly.

This is not an absolute standard. . . . Rather this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.