Privacy standard will increase regulatory chores

It means extra training, notice to patients

As the Clinton administration works toward a final rule protecting patient privacy, it’s not yet certain what the details of the new regulation will be. What is clear, leaders in the field say, is that access managers will feel the impact in myriad ways.

Peter Kraus, CHAM, systems liaison manager for patient accounts services at Atlanta’s Emory University Hospital, suggests these likely results of new dictates on medical confidentiality:

• Staff data security training and continuing education requirements will increase.

• There may be more "rights" information to convey to patients, either verbally, through forms, or both.

• The way data are handled and displayed may be subject to scrutiny, including who can see monitors and how paper flows within an office or department.

• It may become more difficult to obtain and share information needed for patient care and billing.

• Authorization of release of information may require more specific documentation and explanation.

• System access granted a particular staff member may require more elaborate justification. Multiple log-in identification codes and other system access aids, useful to allow multitasking users to log in to one system without first logging out of another, may become a thing of the past.

• Software updates may be required to meet more stringent security expectations.

• Everything will have to be well-documented to protect against allegations of wrongdoing, as well as potential audits.

"In short," adds Kraus, "there will be more work to do, and the process will likely be more burdensome for patients and staff."

Kraus gives this possible example, which he says he hopes is exaggerated: "Suppose the law requires that every unattended personal computer that provides access to patient information be signed off. Whenever staff leave their workstations, even to pick up a form or escort a patient, they have to sign off, then sign back on again when they return.

"At Emory, a log-off takes over a minute, a log-on probably three or four," Kraus adds. "Staff leave their workstations many times each day, sometimes while in the middle of an on-line registration. The inconvenience would be almost unimaginable."

HHS picks up Congress’ slack

For three years, Congress had a self-imposed mandate to enact legislation outlining comprehensive national health care privacy standards. It failed to meet its Aug. 21, 1999, deadline, and under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that failure requires the Department of Health and Human Services (HHS) to issue final regulations by Feb. 21, 2000. On Nov. 3, 1999, the government proposed its own standards for electronic medical records.

The standards would cover health care providers, health plans, and health care clearinghouses that transmit information electronically. Protection would start when the information becomes electronic and would stay with the information as long as it is in the hands of a covered entity. The regulations would allow patients access to information about how their medical information has been used and disclosed. "Redisclosure" could happen only with authorization from the patient.

"The regulations will require providers to become educated in the new privacy policy," says Bruce Fried, JD, partner and chair of the health law group at Shaw Pittman, an international law firm in Washington. "They will have to train themselves and their staff as to how to be compliant. They will also have to build processes that protect the privacy of their patients."

The Washington, DC-based American Health Information Management Association (AHIMA) supports the proposed privacy regulation, says Kathleen Frawley, JD, MS, RRA, AHIMA’s vice president for legislative and public policy services, because it is based on the "Code of Fair Information Practices" the association has supported for many years. "It places a number of obligations on the covered entities to maintain the privacy of individually identifiable health information," Frawley adds.

The regulations will affect access managers in several ways, she says. "When patients enter the delivery system, they will have to be given the ‘Notice of Information Practices,’ which will describe how the organization uses the information [it gathers on patients]," she says. "It’s conceivable that a patient could come into the admitting office, and that [admitter] could provide the notice, which also has to be posted."

Also under the privacy regulation, access personnel will have to undergo training in privacy practices and be able to enunciate the policies and procedures involved, she says. "They must be familiar with the complaint mechanisms [for patients] within the organization and understand that violations could result in [the employees’] sanction or termination."

The patient complaint mechanism will be outlined in the Notice of Information Practices, Frawley notes.

"These are pretty landmark privacy requirements," she adds. "They certainly will pose challenges to health care organizations but at the same time will give patients some much needed protections."

Although the standards apply only to information transmitted electronically, Frawley says the protection extends to documents that are maintained or transmitted electronically and then printed out. "The protection also extends to documents that are originally paper and then become electronic. The paper record is protected."

In other words, she explains, "If the covered [health care] entity has a computer system, and information is entered there, it’s covered."

She points out that issues such as leaving computer stations unattended are actually covered in another set of requirements — the standard for data security. The Notice of Proposed Rule Making for that standard was issued in August 1998, and the final rule was expected in December 1999, Frawley says. "That standard will cover the administrative, technical, and physical safeguards that an organization must take."

The two rules will work together, Fried notes. "Data security is largely a technology issue. The privacy requirements are the human side of the protection."

Fried expected the final standard for data security to be strict. "In my conversations with senior officials who are involved with this, they [say they] believe protecting medical privacy requires an even higher standard of security than the security that is available for large financial transactions taking place on the Internet."

Regulations don’t apply to paper-only records

HHS Secretary Donna E. Shalala acknowledges the limitations of the privacy regulations. "Under HIPAA, HHS does not have the authority to protect records that are maintained in paper form only," she has stated. "HIPAA also does not allow HHS to issue standards for records that are maintained by other insurers or by employers for workers’ compensation purposes. The proposed rule does not establish appropriate restrictions on the use or redisclosure of such information by likely recipients, such as researchers, life insurance issuers, marketing firms, or administrative, legal, and accounting services."

Congress has the responsibility of passing legislation that covers paper medical records, too, says Linda L. Kloss, MA, RRA, AHIMA’s executive vice president and CEO. "It remains incumbent upon Congress to pass comprehensive confidentiality legislation that protects all information equally — whether it’s in paper or electronic format — and establishes a single, stringent national standard that serves as the law of the land."

In addition, only Congress can provide consumers with the right to take action in court when their medical information is used inappropriately.

Another concern is that the policy sets a federal floor, allowing states to develop more stringent privacy regulations. "We could end up with a hodgepodge of medical privacy regulations that would be difficult to administer," Fried says. Consumers would find they have different privacy protection depending on where they live. Organizations that operate over the Internet or across state lines would find the different levels of protection inefficient and chaotic, he adds. "I think it’s a difficult standard."

Fried points out, however, that the health care industry has time to prepare for the implementation of the standards. "The regulations that were published [Nov. 3] are proposed. The final regulations aren’t due out until the end of February, and providers then have a two-year implementation period."

In addition, the February date is probably not even realistic, says Frawley, "in terms of the number of comments that will be received and the time needed to redraft."