Critical Path Network: Is your ED ready for HIPAA? How to protect privacy

You’ll need strategies to avoid being noncompliant

Patient records left on a desk in full view. Interviewing a sexual assault patient in easy earshot of others. Answering a caller’s question about whether a certain person is being treated in your emergency department (ED).

These may be common occurrences in your ED, but as of April 2003, they also may be violations of the Health Insurance Portability and Accountability Act (HIPAA).

"It’s this year’s Y2K," says Jeanne McGrayne, director of emergency department strategies for VHA Consulting Services, a nationwide network of community-owned health care systems, based in Charlotte, NC.

"Ultimately, we’re all going to have to comply, just like with the Joint Commission [on Accreditation of Healthcare Organizations]," she says. "And the bottom line is: It’s the right thing to do."

Violations of HIPAA are a major concern, especially since the criminal penalty for disclosing patient information without malicious intent is up to $50,000, plus one year in prison.

The biggest challenge for ED case managers, says Jonathan Kent, RN, CEN, assistant director of the emergency center at Medical Center of Central Georgia in Macon, is protecting privacy in a crowded, noisy ED.

"Patients have as much desire for the world to know their medical complaints as they have to show them the color of their underclothes, but we are still not perfect at protecting the privacy of our patients," he says.

Here are effective ways to comply with HIPAA requirements for patient privacy:

Protect patient records from view.

You will need to have a secure place for all patient records, McGrayne says. She gives the example of digital X-ray systems that list patient names at the bottom and may be viewed at various workstations. "You need to consider where you put those screens and ensure that the patient’s name is not visible," she says.

She notes that one hospital has a practice of delivering medical records to the ED for all patients being treated. "This is a best practice because it’s better for the patients if their clinical history is available to providers."

However, HIPAA will require records to be secured, she says. "Right now, they are laying all over the place," she says. "Anyone could walk through the ED, pick up one of the records, and walk away with it. It can be very serious."

The front page of a patient’s chart may be visible, since many EDs keep charts at the bedside or the front desk, McGrayne says.

She offers the following solutions:

— scanning and automating access to old records;

— centralizing records;

— putting a cover page over demographic information;

— using binders that protect patient information.

Use a sign-in sheet that conceals patients’ names.

Medical Center of Central Georgia’s ED uses a triage sign-in sheet consisting of a multipart form with individual tear-off tickets. As each patient signs in, a list that is concealed behind a cover sheet is generated with the name, time, and chief complaint.

The form includes a place to write a telephone contact number, should the patient decide to leave prior to being seen by the triage nurse, Kent adds.

Limit what other patients can hear.

McGrayne warns of the common practice of ED physicians dictating patient outcomes in open workstations, which discloses sensitive information to those standing around the desk. "If planning for a new facility, ensure there is adequate space for dictation or telephone discussions, to allow for privacy," she says.

Another solution McGrayne offers is investing in automated documentation features that eliminate verbal dictation altogether. She suggests using the HIPAA requirements as leverage to obtain this resource from administrators.

Calling out names of patients waiting to be seen is another potential problem, McGrayne says. She refers to her own consulting experiences, when asked to pose as a patient to evaluate ED processes first-hand.

"When I have done mystery patient visits and someone yells out my name while I’m sitting in a crowded waiting room, I cringe," she says. "Regardless of HIPAA requirements, I feel it’s very inappropriate."

To address this concern, ED patients at Gunderson Lutheran Medical Center in La Crosse, WI, are given pagers by the triage nurse so they can be contacted confidentially, says Stephanie Swartz, RN, administrative director of emergency medical services.

There also is an added benefit because patients can leave the ED waiting room area and wait in the lobby, cafeteria, or outside, Swartz says.

She notes that the cost for a pager is $140 including the charger units and transmitters, and she says the ED has not had much of a problem with the loss of pagers.

"Our customer feedback shows that patients like the privacy and the increased mobility," Swartz says.

Give staff inservices specifically about privacy.

The way you educate staff about privacy requirements will be the biggest factor in determining whether you are HIPAA-compliant, according to Kent. "They are the ones who control information at the outset," he emphasizes.

All ED staff are required to complete an annual competency assessment on privacy issues and receive regular inservices on this topic, he says.

Dispose of health information properly.

Kent recommends placing receptacles wherever a document with the patient’s name or other identifying information is produced. He suggests using a document destruction company to empty them.

Staff are instructed to dispose of all protected health information, including embossers, plastic identification cards, floppy disks, CD-ROMs, and name bands, in one of the 10 locked receptacles located throughout the facility.

Kent notes that it’s very important to place a receptacle at the automated medication dispenser. "If a receipt is generated and not used for documentation, it must be destroyed, as it has the patient’s name and drug listed on it," he says.

Use a special code for increased privacy.

Kent says that ED patients at his facility are offered a No Press, No Info (NPNI) special code. "Patients under this designation will have their presence in our facility neither confirmed or denied by phone or in personal contact with visitors," he says.

He explains that if any ED staff member feels a patient may desire increased privacy, such as a community VIP or a victim of violence, the NPNI designation is offered.

Make every attempt to increase privacy by shifting the location of patients.

Kent says his ED staff make every possible effort to ensure audio and visual privacy for all patients, including shuffling placement in rooms and holding at least one room open for private interviews and exams.

He notes that staff may be used to needing a private space for physical examinations to protect a patient from being exposed to onlookers, but it’s important they understand that interviews also may require the same level of privacy.

"It is difficult at times to make these arrangements, but we do it to the absolute limit of our capability," he says.

[Editor’s note: Proposed changes to the "Standards for Privacy of Individually Identifiable Health Information," part of HIPAA, were published in the March 27, 2002, Federal Register. To view the proposed rules and a side-by-side comparison of this new proposal, go to: To order a copy of the Federal Register with the proposed rule, contact New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date requested. Credit card orders also can be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512-2250. The cost for each copy is $10. The Federal Register is available at many libraries and
on the web:]