The trusted source for
healthcare information and
New privacy rules will have a major impact on how hospitals handle medical information, but will leave employee health records largely unprotected. The rules enacted by the Department of Health and Human Services (HHS), designed to guard against misuse of medical information, largely apply to transactions that are conducted electronically. Since employees do not file medical claims when they receive immunizations or seek opinions from hospital employee health professionals, those records would not fall under the rule’s provisions, says Kae Livsey, RN, MPH, public policy and advocacy manager for the American Association of Occupational Health Nurses (AAOHN) in Atlanta.
AAOHN and the American College of Occupational and Environmental Medicine urged Congress to extend privacy protection to such employee health records. "What we would like to see is legislation that would extend the protections of this rule to all health care providers regardless of whether or not they’re engaged in what are called standard transactions,’" says Livsey.
According to the rules, which stem from the Health Insurance Portability and Accountability Act of 1996, hospitals, health plans, and other providers must:
At a Congressional hearing in February, a representative of the American Hospital Association asserted that the privacy regulation would be prohibitively expensive and burdensome.
"It is essential to fix requirements in the privacy rule that could impede patient care or disrupt essential hospital operations, and to that end, Congress should encourage HHS to re-open portions of the new privacy rule for comment," said John Houston, information services director, data security officer, and assistant counsel for the UPMC Health System in Pittsburgh.
Tracking disclosures would require hospitals to install new information technology, Houston said. The regulation would require the hiring of additional staff to handle privacy issues and re-open contracts with "attorneys, auditors, vendors, suppliers, and consultants, to include the hospital’s privacy practices with which each business associate must comply," Houston said. Meanwhile, the AAOHN pointed out that the rules leave significant gaps that may require legislation to correct.
An employee’s medical information in a company wellness program or pre-placement physical wouldn’t be covered by privacy rules, notes Livsey. In fact, if another physician treated a patient for breast cancer, then sent the employee back to work on restricted duty, the information would no longer be covered, she says. "Once that information is sent to the employee health nurse, since the employee health nurse is not a covered entity, the information isn’t anymore, either."