Medical records privacy: Buzzword for 1997
Plugging the leaks
This may come as a surprise to most health care professionals as well as the general public, but no federal law currently protects the privacy of medical records in nongovernmental institutions, with the exception of drug- and alcohol-abuse records.
"Hospital quality managers handle confidential records," says Mary Brandt, professional practice manager with the American Health Information Management Association in Chicago. "Often I see patients’ names recorded in peer review notes. That’s completely unnecessary. People doing quality management and dealing with sensitive information should be aware of what is considered confidential and under what circumstances that information can be disclosed. They should recognize that the cases they’re working with and taking to committees don’t have to be identified by patient name. It’s certainly appropriate to identify records by the assigned medical record number. There’s no need for patient’s names to be discussed or recorded in meeting minutes."
The Kennedy-Kassebaum Act
Despite the need for confidentiality, little legal guidance is available. The 1974 federal Privacy Act pertains to medical records that are maintained by government agencies, including Public Health Service hospitals and those operated by the Veterans’ Administration and the Department of Defense. The lack of laws may be coming to an end, however, now that Congress is required to work on confidentiality legislation. The Health Insurance Portability and Accountability Act of 1996 also is called the Kennedy-Kassebaum Act after its two chief sponsors, Sens. Nancy Kassebaum (R-KA) and Edward Kennedy (D-MA). The law may cause Congress to be more assertive regarding confidentiality, but some say the law still is disappointing on those grounds. Signed by President Clinton in August, the law directs Congress to enact laws to implement improved personal access to and privacy of all medical records. If Congress doesn’t act on recommendations addressing privacy rights of individuals within 36 months of the law’s enactment (meaning by August 1999), the secretary of the Department of Health and Human Services is authorized to act alone and publish final regulations on the subject.
"The act doesn’t go far enough, however," says Jill Dennis, JD, of Winfield, IL. "The Health Insurance Portability and Accountability Act of 1996 is limited to the protected transmission of claims-related information that is related for payment purposes."
Immense networks of doctors, hospitals, laboratories, and insurance agencies use computer databases containing medical records. Information leaks can occur through providers or agencies that have direct access to information or through consumers themselves as they order medical supplies with credit cards, using 800 numbers, or over the Internet. Some say records containing medical information are seen by more institutions and individuals than any other personal record.
"Federal controls don’t exist, and the legal requirements for maintaining the confidentiality of medical information vary from state to state," says Brandt. "Hospital employees need to be aware of the requirements outlined in their state laws or health care regulations."
Quality improvement staffers should be told that information storage precautions can be short-circuited by the whims of an easily distracted or convinced watchdog. "Any security problems we may have had have not been with members of the press or the occasional hacker who finds his or her way in," says David Cochran, MD, associate medical director of Harvard Pilgrim Health Care Plan in Boston. More typically, someone on the staff has allowed unauthorized access.
"Maintaining the privacy of medical records often has a lot to do with making sure everyone understands the importance and consequences of security, including the clerk giving and withholding access. Depending on the nature of what an employee has done, he or she can be fired and given no protection from any liability that may come from the injured party afterward," says Cochran. Make sure your hospital has training in place on this and that staff are aware of medical records confidentiality issues. Be sure clerks are made to understand the importance of their function and the seriousness of the consequences.
How states see it
All states address confidentiality of medical records. Most offer basic protection by shielding data on mental health, AIDS, dependence on chemical substances, and genetic information. "Some state laws have very little to say about privacy or are silent on some aspects of those matters," Dennis says. "Or a state law may contain language related to a hospital, but not information collected in other sites, such as a physician’s office.
"If you’re associated with a large provider that has multiple locations in many states, be sure to be aware of the nuances and understand that differences exist. Until we have a comprehensive federal law governing this area, the state law controls the collection, transmission, and release of that information."
When will a federal law be in place? The issue has bipartisan support in both Houses. There are powerful interest groups aligned against it, however, including corporations that have a commercial interest in using the data in individuals’ medical records. "A federal law offering protection is inevitable," Dennis says. "Every time a legislative attempt is made, we move a little closer. Slowly, Congress is realizing the extent of public concern about privacy, and probably within five years, something will be on the books. But maybe that’s wishful thinking."
Harvard Pilgrim Health Care Plan tightened its confidentiality protocols regarding commingling psychiatric and physical records following an incident involving a patient who was shocked to learn her medical file included her psychiatric history. The plan now segregates mental and physical medical data, but is restricted somewhat by a Massachusetts law that requires reference to psychiatric history in all medical records. The medical record includes reference to a mental health visit, but no other information about the visit except for prescriptions. Including prescriptions on the physical medical record is necessary so drug interactions can be avoided, and for the evaluation of complications that can arise from the medications.
"We have sequestered our mental health information from access to any but mental health providers," says Cochran. "The records are not in a physically different place, but have secured access. Any discrete piece of the mental health record cannot be accessed by anyone except a person with a security code. In addition, we have audit trails on our records so that if there is concern about inappropriate access by someone within mental health who had the correct security clearance, that incident could be checked. The records are computerized, but discussions are under way to decide if we should deautomate the detailed notes that are a part of the record in addition to sequestering them."