The trusted source for
healthcare information and
Final rules released for complying with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 could have profound changes on the way hospitals provide care, experts warn. Unfortunately, that means ethics committees will have to re-examine the policies and procedures in place for informed consent processes. (See "New privacy rules mean new requirements," in this issue.)
Some providers have expressed concern that the rule places an unreasonable burden on them to obtain consent from patients before disclosing medical information in almost any way. The requirement was strengthened from the original proposal so that now the patient must give written consent for just about any type of information release. Providers will have to retain the consent forms for a minimum of six years.
Under the new rule, patients may ask health care providers to restrict how medical information is used within the health care system for treatment, payment, or any other function. And after providing consent — restricted or not — for such purposes, the patient can revoke the consent.
The rule essentially gives the patient a great deal of control over how any medical information is used, and that will be a difficult change for providers, says Geri Amori, PhD, ARM, FASHRM, with Fletcher Allen Health Care in Burlington, VT. Even though providers have an ethical obligation to protect a patient’s medical information from prying eyes, Amori says they also have been the arbiters of who gets to look and who doesn’t. The HIPAA regulation takes that control from the provider and gives it to the patient. "We can no longer be the beneficent paternalist," Amori says. "This rule will fly in the face of a lot of old-style medicine. It will change a lot of the routine ways things are done."
Amori says the rule creates a lot of new exposures for ethics committees to consider. The government can impose fines for not adhering to the privacy regulation, and Amori says it is inevitable that hospitals will be hit with those penalties. It is uncertain how those fines might be covered by insurance policies, but Amori says she doesn’t expect they would be covered, since government fines usually are not.
As soon as the rule was released, health care organizations started protesting and promptly went to the new Bush administration for help. The Health Care Leadership Council, an association of 50 chief executives from large health care companies, immediately sent an appeal to the Bush administration, asking for "a more balanced approach to protecting privacy." The American Hospital Association also released a statement, saying it would ask the Bush administration for help in changing the rule.
The American Medical Association also expressed concern. The association agrees in principle with the Clinton administration’s latest effort to safeguard the privacy of each American’s medical records, according to Donald Palmisano, MD, of the American Medical Association’s Board of Trustees. However, Palmisano cautions patients and physicians will not know the real benefits, burdens, and costs until the complex maze of new rules and regulations is closely analyzed. "This is a big step, and the devil really is in the details this time," Palmisano says. "It’s important to make sure that good intentions don’t produce unintended consequences. We will be closely examining the new rules to make sure there are no dangerous loopholes or unexpected problems."
Palmisano, a surgeon and attorney from New Orleans who is a national expert on patient privacy and confidentiality issues, says there are three things he considers essential for patients’ medical information to remain secure. "Nothing should be disclosed without the patient’s consent," he says. "Unfettered access to a patient’s health information by government agencies and law enforcement is unacceptable. A patient’s physician must not be unfairly held liable for any misuse of confidential patient information by some third party who might also be doing business with that physician."
The HIPAA privacy rule was changed in some significant ways from its earlier proposal, and ethics committees are likely to find that some of the changes are good and others aren’t. Jack Rovner, partner and co-chair of the Chicago health law practice group for Michael Best & Friedrich, says he is impressed with how much the rule was changed in response to the concerns of health care providers.
"They paid a lot of attention to industry comments and the need to accommodate some industry functions that the proposed rule would have made problematic," he says. "They kept in the forefront the government’s idea that protections are necessary for the patient, so it’s still a strong piece of rule-making."
Rovner says two of the most talked-about changes aren’t likely to hit health care providers hard. The final version of the rule requires patients to give written consent for virtually every release of medical information in the course of treatment, even going from one hospital department to another. That may be overkill in some providers’ view, but it shouldn’t create too much of a problem because providers already do that or something very close to it, Rovner says. "You sign an informed consent when you first go for care," Rovner says. "How much you have to change that procedure to comply with this rule depends on how extensive the consent already is."
Rovner notes, however, that the rule now provides penalties for not obtaining proper consent. Many providers will not have to change their procedure much for the initial consent, but the ramifications of failing to do so may be much greater than before.
Some providers have expressed concern about a change that extends the privacy protections to all medical records, both paper and electronic. The previous proposal covered only electronic records. While that change may seem like it increases the compliance burden, both Rovner and Amori say providers won’t see much difference.
"The truth is that anything you have on paper these days, you probably have on computer, and vice versa," Amori says. "So that information would be covered in either case. The change could be more significant for some rural hospitals that don’t use computers much, making the rule have more effect for them than it would have before."
The final version of the rule includes a major change that ethics committees will welcome. In the proposed version of the rule, providers could make available only the "minimum necessary" information about a patient even when the patient gave consent for the information transfer. That provision raised all sorts of questions about how physicians would communicate with each other, with some analysts suggesting the primary doctor would have to be cryptic when talking with a specialist for fear of revealing too much patient information. No one in the health care industry liked that scenario, and it apparently won’t come to pass.
Now, the rule states that the "minimum necessary" provision does not apply to such physician-to-physician consultations. "That’s a major change and a good one," Rovner says. But the "minimum necessary" provision still applies to a great many situations. "The minimum necessary’ provision says employees should only see information they need to do their job. You can’t just hand over the medical record and let them find what they need," he says. "That’s going to require some major analysis of what everyone’s job functions are and how you can control information so they get what they need to do their jobs but nothing else. Claims processing doesn’t need to see the same information that the nursing staff does."
Other changes in the final rule allow integrated health care organizations to share information as if they were a single entity, even if they actually are several facilities. This changes recognizes the "real world of how health care is delivered," Rovner says. In a hybrid organization with both health care and nonhealth care members, the rule allows the information to be shared between the health care entities but not with others.
Also, protected health care information cannot be provided to any human resources department within the organization. The only exception is a situation, such as workers’ compensation treatment, in which an outside employer has purchased the health care, and the patient has consented to such a release.
For ethics committees, the work starts now. Rovner and Amori suggest ethics committees start assessing how much current policies and procedures will have to be changed to comply with the rule. Amori suggests the greatest impact probably will be felt on the financial side of the health care operation. The rule makes it clear that billing employees, for instance, must not have access to protected patient information. It is not sufficient to ensure they do not disclose or otherwise misuse the information; systems may have to be revamped to ensure they do not even have access to that information.
Much of the ethics committee’s work will involve assessing just what information is necessary for certain staffers to do their job. And risk management experts agree there are a lot of gray areas and unanswered questions that will not be settled until providers move forward and try to comply with the rule. "We recently looked at some of the envelopes we use to mail information to OB/GYN patients, and that got us wondering," Amori says. "If the envelope says OB/GYN on the outside, does that reveal too much information about the patient? We don’t know how far this is going to go. Questions are going to come up as we move along."