HIPAA deadline may have come and gone, but privacy concerns continue

Privacy policies will continue to tighten, access managers say

Although the Health Insurance Portability and Accountability Act (HIPAA) privacy standard became effective in April, hospitals will be improving and refining their HIPAA policies for some time to come.

Several access directors working to complete HIPAA preparations in late March told Hospital Access Management that they felt comfortable with the groundwork that had been established, but wouldn’t know for sure how policies and procedures would play out until they were put into practice.

Swedish Covenant Hospital in Chicago, where Gillian Cappiello, CHAM, is senior director of access services and chief privacy officer, has been preparing for HIPAA implementation for more than a year, Cappiello says, with some initial help from a consulting group.

"We are fairly confident that we have addressed all the issues," she says. "I feel comfortable that people walking in won’t have their privacy violated. Confidentiality is something that we have always addressed."

The ongoing HIPAA focus, Cappiello notes, "will be on the ‘extra things,’ the things that won’t happen often or may never happen. We’ve got a long way to go to really tighten [compliance] the way we want it to be."

The consulting group conducted a gap analysis of the facility, breaking down concerns into categories of high, medium, and low risk, she adds. "We’ve only had time to address high-priority issues."

Lower-profile HIPAA issues that will be addressed in the coming weeks, Cappiello says, include the following:

Right to disclosure

Although, under HIPAA, hospitals don’t have to account for their use of protected health information (PHI) for treatment, payment, and operations (TPO), or if the patient signs an authorization, she notes, there are some PHI uses that must be reported to patients if they ask.

Those uses include, among other things, reports of gunshot wounds, communicable diseases, births, deaths, and electro-convulsive therapy treatments in the psychiatric department, Cappiello says. "We have a database for certain disease-management issues. If information is used within the hospital, fine, but anything that goes out of your facility [would have to be disclosed]."

Facility-related issues

With many hospitals in a space crunch, she points out, "A lot of areas are too small for the kind of operations being managed. So how do you prevent people from overhearing your discussion with another patient?"

One of the things Swedish Covenant will be doing, Cappiello says, is reevaluating all patient care areas with this in mind. The questions will be, she adds, "What can we do, what can we change in the physical layout, and what should we keep in mind if remodeling or building new areas [to ensure patient privacy]?"

Job descriptions

As new job descriptions are written, she points out, each one has to describe the "minimum [access to PHI] necessary" for that person to do his or her job. It was doubtful that all hospital job descriptions would be revised by April 14, she says, "but that doesn’t mean we won’t be abiding by the rule."

System access

When it comes to concerns about system access, Cappiello says, the privacy standard overlaps with the HIPAA security regulations, which were final at the end of February 2003 and become law April 21, 2005.

"How do you make sure people have access in the system only to the things they need?" Formerly, she says, all access personnel at Swedish Covenant had a module on the computer that allowed them to look at results of patient tests.

"We don’t need that, so we made sure to take that off the menu," Cappiello says. "We’re working our way through [that process], but it won’t be totally completed by April 14."

There is no problem, she adds, "as long as everyone understands that even if the whole chart is in front of you, you don’t read it all. It’s about holding people accountable."

The proper approach to the HIPAA privacy provisions, Cappiello suggests, is that protecting patient information is a moral and ethical obligation. "Now it’s not only the right thing to do, it’s illegal if you don’t."

Her hospital has a policy of not sending anything outside its firewall that is not encoded, she adds.

Variation by state

"Another thing that makes [HIPAA implementation] really challenging," she points out, "is that it varies by state." If the state has privacy laws that are more stringent than HIPAA, health care entities abide by the more stringent rule, Cappiello says. "A lot of states didn’t do their preemption analysis."

A few weeks before the implementation deadline, she notes, Swedish Covenant was scheduled to review state law and compare it to hospital policies. "We may have to do revisions, but I don’t think so."

Ongoing training

To ensure that all employees are HIPAA-savvy, the hospital has added instruction on the privacy standard to its new employee orientation and to the annual required annual validation and education (RAVE) program for all employees, says Cappiello.

HIPAA privacy information will be rolled into the existing confidentiality and patient rights segment of the RAVE curriculum, which also includes such topics as business conduct, cultural diversity, infection control, risk management, process improvement, guest relations, as well as other requirements from the Joint Commission on the Accreditation of Healthcare Organizations, she adds.

Getting staff ready

Swedish Covenant completed its HIPAA management training on March 6, and the managers were responsible for training their staffs by April 6, Cappiello notes. "We did an entire overview, rolling out new policies and procedures as they affect departments."

Sessions addressed such issues as how the nursing unit physically manages the flow of information, she says. "There is a board they put up with patient names, for example. It was about what is reasonable. If you can’t do without something entirely, do it so the least possible [information is revealed]. It’s the whole ‘minimum-necessary’ idea."

As the privacy deadline approached, Liz Kehrer, CHAM, system administrator for patient access at Centegra Health System in McHenry, IL, was conducting classes for access staff designed to make sure they understood the fine points of implementing HIPAA policies.

The two-hour class, presented in 13 different sessions to accommodate staff schedules, is a combination of hands-on computer training, instruction in posing questions to patients, and a review of procedural changes "and what they mean to us," she says. After reviewing policies, departmental procedures and changes in the computer screen, participants role-play interactions with patients, Kehrer adds.

Among other things, Kehrer goes over with staff the list of ways in which the hospital will use patients’ PHI, she says. "This is a document we will give to every patient at every registration. This [class] gives the registrars an opportunity to review the information so they can answer patient questions."

"We recommend," Kehrer adds, "that staff actually read what the notice of privacy says."

To attend Kehrer’s class, she says, staff had to bring a certificate showing they had completed a computer-based class called HIPAA Overview. Participants also receive a certificate upon completion of her class.

"I feel really comfortable [about the implementation date]," Kehrer said. "We had a fabulous multidisciplinary team and as a result, we’re pretty prepared."

Kehrer has spent months overseeing myriad preparations, ranging from fine-tuning the procedure whereby patients can request an alternate address for hospital communications to developing a script for determining if people want to opt out of being listed in the facility directory.

The script she has written for registrars to use, one of a number of procedures reviewed in the HIPAA class, is, "Do you agree to have your name included in our facility directory, which is used to give your location to visitors, callers, and community clergy, and accept floral deliveries?"

When patients do opt out of being included in the directory, Kehrer notes, an alert sticker is placed on the registration plate and the words "opt out" are stamped in red on the face sheet.

Private registration offices are in place to safeguard patient confidentiality and the hospital has contracted with an outside company to shred not just paper, but all items that contain protected health information, she says.

That includes such items as IV bags, water jugs, plates — anything with a patient identification label, Kehrer explains. "There are so many different things with labels affixed that we can’t just throw in the trash."

Paper — which registrars used to discard in a container under their desks — and other items containing PHI are now placed in tall containers with a locked door in front and a drop slot, she adds. "[The materials] stay there until the container is emptied and the items are destroyed."

Registrars, who as part of HIPAA changes now interview patients in private offices, no longer leave any paperwork on their desks, Kehrer says. "They used to place [registration packets] face down on their desks, but now as they complete them, they are putting those packets in a drawer."

The concern, she notes, is that when registrars leave the room to pick up face sheets or go to the registration plate maker, the desk is briefly left unattended. "This is an example of taking whatever precaution we can to protect the privacy of our patients, to prevent unintentional access by a nonauthorized individual."

Despite such extensive preparation, Kehrer says, there are things that won’t be known until hospitals have lived with their new policies for a while. "As situations arise, we may need to go back and tweak some of the procedures. I see this as very evolutionary."

Only time will tell, for example, how many patients will request special handling, she points out. "Having documented the patient’s request is crucial. If there’s an issue down the road, you have that written down."

In response to HIPAA requirements, the hospital has modified its face sheet to include a field labeled "alternate patient address," Kehrer says, going so far as to highlight the area to make it more visible. "Then someone [from the nursing department] asked, ‘Can you have staff circle it because when we’re photocopying it won’t show up?’"

Under HIPAA, patients may request that bills and other hospital communications be sent to a location other than their primary address and that calls regarding their hospital care be made to another telephone number.

At Centegra, patients will be informed of this option in a privacy notice handed out along with patient rights and advance directives information, Kehrer says. The patient may then ask for the special accommodation.

"I don’t anticipate it being used a lot, but I could be mistaken," she adds. "Only time will tell, but I want us to have the processes in place."

Centegra has made changes to its consent form, Kehrer notes, in response to the HIPAA provision regarding use and disclosure of patient information. "That section is reworded because we no longer have to ask permission to [provide records] to an employer or insurance company as part of TPO."

Collaborating with privacy officer

At Saint Joseph Regional Medical Center in South Bend, IN, Pearlena Robinson, CHAM, director of patient access, says she has worked hand in hand with the hospital’s privacy officer throughout HIPAA preparations.

As the implementation deadline approached, the two were making joint presentations on HIPAA implementation to patient access employees at the three hospitals for which she is responsible.

"There are always questions [from staff]," she says, "about a parent that brings in a child and wants us to bill a husband, or a pregnant [teen-ager] who doesn’t want her parents to know."

It’s been helpful, Robinson notes, for the privacy officer, who also is part of the hospital’s legal counsel, to hear firsthand about the issues that registrars deal with on a daily basis.

Robinson says Saint Joseph — part of the large Novi, MI-based Trinity hospital chain — is in great shape regarding HIPAA. "We’re fortunate in that our [computer vendor] has made changes to the system that will help."

"According to the HIPAA regulations, you only have to make the notice of privacy available to the patient once," she adds. "In our [computer] system, the acknowledgement of distribution of that document will be stored at the master-person-index level, so for any subsequent visits we don’t have to deal with the privacy notice."

Other changes in the system have been made to accommodate patients who request that a hospital visit be kept from family members, Robinson says, including an alternate address field in the registration screen.

"We also have the capacity to make note of it if the person says not to leave telephone messages," she adds. "The registrar just asks, ‘Is it OK to leave a message at this number?’ If the answer is no, no messages are left."

The address and phone information is gathered on a visit-by-visit basis, Robinson says, and more often than not will be handled at the time of scheduling.

The multidisciplinary HIPAA team that has met biweekly for the past year or so was to continue after the implementation date, she says, both to ensure that all is in order regarding the privacy regulations and to begin preparations for the HIPAA security standard deadline.

[Editor’s note: Gillian Cappiello can be reached at (773) 878-8200, ext. 5051, or at gcappiel@schosp.org. Liz Kehrer can be reached at (815) 344-5000, ext. 4061, or at lkehrer@centegra.com.]