Defining opt-out’ policies for HIPAA privacy rule is a challenge for providers
Idea shouldn’t be new, consultant says
As hospitals design policies in response to demands of the new privacy rule under the Health Insurance Portability and Accountability Act (HIPAA), access managers are faced with implementing the fine points of the procedures that will be required.
A survey of several access managers and HIPAA compliance officers revealed that while their departments are in various stages of readiness for the April 14, 2003, deadline, adherence to the privacy rule is being given high priority.
Patients’ right to "opt out" of inclusion in facility directories and religious census directories, for example, has been identified as one of the provisions that is most directly under the access purview. Defining the details of how it will be implemented, some say, will be problematic, and the implications far-reaching.
At Centegra Health System in McHenry, IL, says Liz Kehrer, CHAM, system administrator for patient access, if a patient chooses not to be included in the facility listings, "the patient’s not here. We’re mandated to honor that patient’s request."
"It’s going to be really difficult," she adds. "It’s going to affect the various departments differently. In our area, we have the patient access reception desk, but then there is a separate desk for guest services and then the switchboard."
Depending on how a patient inquiry — from a florist or a member of the clergy, for example — is received, it will be handled by one of a variety of gatekeepers, she notes. "How will employees know how to handle that request?"
Although Centegra has not yet finalized the step-by-step procedures that will be required, Kehrer says, "we are taking it very seriously."
Marne Bonomo, PhD, regional director for patient access at Milwaukee-based Aurora HealthCare, says her organization also is actively working on new policies to address the opt-out provision.
"We have decided, however, that if a patient requests not to be in our directory, we cannot provide information to anyone, including family members who might call," Bonomo says. "With all of our facilities, it would be impossible to provide for variances in patient preferences, so they will need to decide whether to opt out or not at admission."
The opt-out policy developed at Touro Infirmary in New Orleans is "relatively straightforward," says Wade Wootan, JD, the facility’s risk manager. "Upon admit, each patient signs a traditional consent form. The form has been updated to handle HIPAA privacy."
There are two boxes, he adds, that patients can check if they want to be excluded from facility directories or clergy/pastoral care listings. "If they check either box, they aren’t listed in the facility directory — which would preclude florists from finding out where they are — or in the basic information flowing through to the clergy."
Three separate forms have been designed to address the issue, he explains. The forms include the updated consent form, a policy regarding the use and disclosure of protected health information pursuant to facility directories, and a policy regarding the use and disclosure of protected health information to clergy.
At Ohio State University Health System in Columbus, people are afforded the opportunity at registration to decide whether they want information released to the "public" indicating their patient status, says Joe Denney, CHAM, director of the department of access and revenue cycle management.
"If the patient opts for no release of information,’ that means strictly what it says," Denney explains. "Flower vendors tend to verify that a patient is here prior to delivering flowers. They are considered part of the general public as well, so that information would not be divulged."
As for clergy specifically, he says, a question has been added to the computer system’s admission pathways so that patients are asked if it is OK to share their religious preferences with members of the clergy.
A daily report is given to the office of chaplaincy services, Denney adds, which indicates the patients who have said they do not want this information shared.
Although Philadelphia’s Presbyterian Medical Center already has in place a policy whereby patients can choose not to be in the facility directory. "We will make some revisions to make sure it has everything HIPAA requires," says Anthony M. Bruno, MPA, MEd, director of patient access and business operations. "We haven’t finalized anything yet."
Bruno said he has heard some discussion of developing an opt-out policy for outpatients, but says his organization is not interpreting HIPAA that way. "That’s not something that’s practical."
The hospital is in the process of determining what can be done with information systems regarding the release of information to clergy, he adds, noting that he developed a policy and procedure for obtaining religious information from patients while working at another facility. (See more on that process in the January 2003 issue of Hospital Access Management.)
Hospitals’ first order of business regarding the HIPAA opt-out provision is to look at their admission/discharge/transfer (ADT) systems and determine if those systems are equipped to handle the necessary documentation and dissemination of information, suggests Mary Staley, MBA, vice president of HIPAA operations for Healthlink Inc., a Houston-based consulting firm.
Admission screens need to have a field where it can be indicated that a patient has chosen not to be included in the facility directory, Staley says, so that information can be communicated to the appropriate staff. "If a field is not available in the current ADT system, [hospitals] need to create one. Then they need to train their folks on what that field is."
"Most of the time there is some kind of flag that would communicate that," she adds. "Most hospitals already have a confidential status’ that either can remove a patient’s name or give the patient an alias, so they already are able to handle the opt-out possibility."
Not a new idea
Although the practice of opting out of hospital listings now is enforceable by federal law, Staley points out, it shouldn’t be new to most facilities.
"If Tom Cruise came into your hospital, it would be confidential," she says. "The press would do anything, including sending flowers, to confirm that. So this should not be an uncommon practice."
The best advice now, Staley says, is just to make sure everyone is aware of the provision, and to have a written policy in place. That way, she adds, if a receptionist, for example, accepts flowers for a patient who has opted out, the hospital can take the appropriate action, whether it is a warning or dismissal.
The challenge in regard to the release of information to the clergy, she says, has to do with the various interpretations of the term. "In different communities, clergy’ has different meanings. There are ministers, priests, and deacons. A Eucharistic minister is not really clergy, but may be there on behalf of clergy."
Her suggestion is that hospitals define what "clergy" is within their community. "I recommend you call them together and say, This is the issue. We need to come up with rules and guidelines.’"
There should be a flag within the computer system that indicates patients who don’t want their names released to the clergy, she notes. "If the flag goes in, [the issue is] how not to have that name appear on the list of room numbers and religious affiliation that hospitals are allowed to provide to clergy under HIPAA."