Final privacy rules create more questions
Final privacy rules create more questions
Changes will have impact on quality departments
Buried in the final patient privacy regulations released by the Clinton administration are a host of changes from the proposed regulations that will directly affect quality assurance managers, according to experts who have been sifting through the 1,500-page document since its release Dec. 21.
"I expected to see a significant rewrite, and there were a lot of changes," says Dan Mulholland, JD, a partner with Horty Springer & Mattern in Pittsburgh. "I think the costs of this, just at first glance, are going to be enormous." That is because hospitals will have to change almost any policy that deals with patient care and the release of information, in addition to establishing a host of new procedures, he warns. "From a practical standpoint, apart from the computer systems and the general policies, I don’t see how you police this," he adds.
Concerns with verbal communications
According to Mulholland, it probably makes sense for most hospitals to vest these new responsibilities with the compliance office. However, in some areas, responsibilities will have to be shared with other departments, including quality assurance, and that will lead to problems associated with dual accountability. Mulholland says that quality assurance managers should be especially concerned with the expansion included in the final regulation to cover oral communications. He says that is especially true if hospitals are dealing with an outsourced quality assurance or utilization review entity. "If you are giving them information over the telephone, that could come under the scope of this," he explains. "You always have to know the parameters of the patient’s consent, because patients are allowed to put restrictions on what can be disclosed from their records."
Mulholland also points to a requirement in the final regulation that requires patient-specific consent for certain routine disclosures. He says that happens routinely when a health plan comes in and audits patient records. "That seems to suggest that every time a health plan wants to perform an audit on a patient record, it has to have specific consent for the release of that information," he explains. "That would seriously compromise the ability to perform quality assurance and utilization review."
But not all the news is bad news. "The main thing that I liked is that it applies to more than just electronic medical records," says Paul DeMuro, JD, a partner with Latham Watkins in San Francisco. The final regulations cover paper records as well as electronic records. They also require that most providers acquire patient consent for even routine use and disclosure of health records.
Disease management affected
Another major change from the proposed rule is that business partner agreements do not have to give patients direct rights over the information that they have, adds DeMuro. "In other words, the notion of business associates declaring patients to be third-party beneficiaries is no longer necessary."
Mulholland adds that the final regulation includes a provision that allows providers to use the patient record for any purpose. "The rule regarding the minimum necessary to disclose does not apply for the purposes of treatment," he says. "That is good news because providers would have been hamstrung." For example, if an elderly person entered the hospital with a broken hip and the hospital learned he had a drinking problem, it might have been at risk if staff passed that information to another provider such as a home health agency. "All the other problems regarding substance abuse aside, that principle could have seriously compromised the ability to provide adequate continuous care," explains Mulholland. But he says that requirement seems to have gone by the boards, at least with respect to transfer of records for the purposes of treatment.
According to Karen Ignani, president of the American Association of Health Plans (AAHP) in Washington, DC, one potential victim of the final regulations could be emerging disease management programs. "We are very worried that these activities could be heavily impacted in a negative way," she says. For example, Ignani says, routine notifications to women in certain age cohorts that remind them about mammograms could be threatened under the final rule. Routine notification sent to diabetics reminding them to get retinal scans and regular examinations also could be jeopardized, she argues.
Reminders sent to individuals who have suffered a heart attack and require drugs to prevent another also are an example, according to Ignani. That is because that activity can be considered health care promotion, disease management, or simply care for the chronically ill. How this change in policy affects these programs will depend on how they are interpreted, she argues
Rick Smith, vice president of public policy and research at AAHP, argues that under the proposed rule it was clear that the intent was to facilitate this type of activity. "There was a recognition that this was a core activity," he argues. "We think that should have been sustained."
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.