Defining opt-out’ policies for HIPAA privacy rule

As hospitals design policies in response to demands of the new privacy rule under the Health Insurance Portability and Accountability Act (HIPAA), compliance officers are faced with implementing the fine points of the procedures that will be required.

Patients’ right to "opt out" of inclusion in facility directories and religious census directories, for example, has been identified as one of the provisions that is most directly under the access purview. Defining the details of how it will be implemented, some say, will be problematic, and the implications far-reaching.

Hospitals’ first order of business regarding the HIPAA opt-out provision is to look at their admission/discharge/transfer (ADT) systems and determine if those systems are equipped to handle the necessary documentation and dissemination of information, suggests Mary Staley, MBA, vice president of HIPAA operations for Healthlink Inc., a Houston-based consulting firm.

Admission screens need to have a field where it can be indicated that a patient has chosen not to be included in the facility directory, Staley says, so that information can be communicated to the appropriate staff. "If a field is not available in the current ADT system, [hospitals] need to create one. Then they need to train their folks on what that field is."

"Most of the time there is some kind of flag that would communicate that," she adds. "Most hospitals already have a confidential status’ that either can remove a patient’s name or give the patient an alias, so they already are able to handle the opt-out possibility."

Although the practice of opting out of hospital listings now is enforceable by federal law, Staley points out, it shouldn’t be new to most facilities.

"If Tom Cruise came into your hospital, it would be confidential," Staley says. "The press would do anything, including sending flowers, to confirm [he was there]. So this should not be an uncommon practice."

The best advice now, Staley says, is just to make sure everyone is aware of the provision, and to have a written policy in place. That way, she adds, if a receptionist, for example, accepts flowers for a patient who has opted out, the hospital can take the appropriate action, whether it is a warning or dismissal.

The challenge in regard to the release of information to the clergy, she says, has to do with the various interpretations of the term. "In different communities, clergy’ has different meanings. There are ministers, priests, and deacons. A Eucharistic minister is not really clergy, but may be there on behalf of clergy."

Her suggestion is that hospitals define what "clergy" is within their community. "I recommend you call them together and say, This is the issue. We need to come up with rules and guidelines.’"

There should be a flag within the computer system that indicates patients who don’t want their names released to the clergy, she notes. "If the flag goes in, [the issue is] how not to have that name appear on the list of room numbers and religious affiliation that hospitals are allowed to provide to clergy under HIPAA."