The trusted source for
healthcare information and
Under newly published federal standards regulating medical record privacy, you could be held liable if the privacy of patient records is violated by the insurers, accrediting agencies, or others to whom you provide records, according to the American Hospital Association in Chicago. The regulation is expected to cost the health care industry more than $25 billion. The regulation was required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
"The security regulation will require us to ensure security of information with business partners and to validate [secure computer] linkages to business partners and physician access to medical information," says Janice Roach, executive director of Tri-City Regional Surgery Center in Richland, WA.
In your contracts, include wording that indicates your business associates agree to protect health information, advises McDermott, Will & Emery, a law firm in Washington, DC.1 "The covered entity could be liable under certain circumstances if it knew that the business associate had violated the requirements of the final rules," the firm warns.
And that’s not your only concern. Civil penalties are $100 per incident, up to $25,000 per person, per year, per standard. Federal criminal penalties range from $50,000 and one year in prison for obtaining or disclosing protected health information to $250,000 and up to 10 years in prison for intending to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.
Prepare yourself for sticker shock. The cost of complying with the regulations could dwarf Y2K compliance, experts warn. While the Department of Health and Human Services (HHS) previously estimated that it would cost $3.8 billion for the entire health care field to comply with the privacy rules, estimates from the international rating agency, Fitch in New York City, put the cost at more than $25 billion. According to the report, the cost includes modifying information technology systems or purchasing new ones, hiring and retraining staff, and changing existing processes for maintaining patient privacy.
Health care providers that don’t assess properly and budget for HIPAA requirements "will place themselves at risk for possible financial peril," warns Fitch analyst Rebecca Lageman. The new regulations will take effect in early 2003. Stronger state laws, such as those covering mental health, HIV infection, and AIDS information, still apply.
The two biggest changes for same-day surgery providers are that you will have to obtain consent for routine use and disclosure of patient information, and the privacy requirements apply to paper and even oral communications. However, health care providers who do not electronically transmit any health information are not covered by the rules. "The privacy regulations will require us to obtain proper authorization from patients and tightly control who can have access to protected patient information," Roach says.
You must receive patient consent before information is released for purposes of treatment, payment, and health care operations. "This is a major change from the proposed rules and is already being criticized by the health care community," according to McDermott, Will & Emery. "Health care providers and health plans also will need to obtain a second, separate authorization for any other uses or disclosures, including research."
For example, you must obtain specific patient consent before releasing information to financial institutions for loan approvals, employers for employment decisions, or life insurers for marketing purposes. "Patients have the right to request restrictions on the uses and disclosures of their information," according to HHS.2
The rules say patients must be able to see and obtain copies of their records and request amendments. In addition, you must have a history of most disclosures accessible to patients. (See "Some of the regulations bring encouraging news," in this issue.)
|Table: Information that can be disclosed|
|The Health Insurance Portability and Accountability Act of 1996 allows information to be disclosed for:|
|•||Oversight of the health care system, including quality assurance activities|
|•||Research, generally limited to when a waiver of authorization is independently approved by a privacy board or institutional review board|
|•||Judicial and administrative proceedings|
|•||Limited law enforcement activities|
|•||For identification of the body of a deceased person or the cause of death|
|•||For facility patient directories|
|•||For activities related to national defense and security|
|Source: Department of Health and Human Services, Washington, DC.|
So what should you do now? Here are some suggestions from people in the field:
• Set up a compliance team. BayCare Health Systems in Green Bay, WI, has set up a compliance team with a subteam assigned to address HIPAA assessment and implementation. "We have the wheels in motion," says Karen Kohler, health information manager. The team includes the information systems manager, a representative from a large clinic, a manager from a small clinic, the patient accounts manager, a representative from ambulatory services, and the director of operations. Assessment is the first step, she says. "We need to determine where we are, look at policies in existence, look at what we need to change, and assess our need for a formal education program for employees, particularly in the privacy issues." (See "Changing your policies and procedures," in this issue.)
• Establish audit trails. Limiting access to records isn’t sufficient, Roach says. "We already limit access on a need-to-know basis, but we will have to establish audit trails that can demonstrate our compliance."
Bartlett Regional Hospital in Juneau, AK, tracks every move regarding a patient’s medical record, says Patty Detjen, RN, staff nurse at the hospital. "Every time you enter information on the computer, you enter your initials," she says. Members of an information team randomly screen charts of patients who have requested that their names be kept confidential, she explains. "If they think you have no business being in there, if it’s a blatant breach of confidentiality, you are fired on the spot. If you have business being there, and you can explain, that’s acceptable."
• Train your staff. "There are new, more stringent requirements for demonstrating the training of our staff and ongoing assessment of their understanding and compliance with these regulations, " Roach says. You also are required to designate a privacy officer who is responsible for ensuring the procedures are followed, HHS says.
Bartlett Regional Hospital trains every employee once a year on medical record confidentiality issues. Detjen says, "We get down to the point at which we say, These are our guidelines; this is how you are expected to behave. If a co-worker is not doing it properly, you can call me, and we will check into it.’’"
The new HIPAA rules bring same-day surgery programs to new levels of security and confidentiality, Kohler says. "Some of those items for upper-level security will probably come into being," she says, referring to biological screenings, retinal scans, fingerprints, and voice scans. "It took a while for the health care industry, but they are already existing in the industrial world."
Although same-day surgery managers currently have to access paper for some information, the future is likely to be totally electronic, Kohler emphasizes. "But we have to realize that we also then need to work with our security to take it to even a higher level."
1. McDermott, Will & Emery. Health Law Update Dec. 27, 2000; 17(10).
2. Department of Health and Human Services Press Office. Protecting the Privacy of Patients’ Health Information — Summary of the Final Regulation. Washington, DC; Dec. 20, 2000.
To view the regulations, along with releases and regulation summaries from the Department of Health and Human Services, go to this Web page: aspe.os.dhhs.gov/admnsimp. Copies of the Federal Register can be found at www.access.gpo.gov/su_docs/aces/aces140.html. You can view the Federal Register at many libraries. To order by mail, the cost is $8. Specify the date (Dec. 28, 2000, for the privacy regulation), and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Send your request to:
• New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Credit card orders can be placed by telephone: (202) 512-1800 or by fax: (202) 512-2250.