HHS pushes 'reasonableness' in HIPAA guidance document

The Health Insurance Portability and Accountability Act's privacy rule raised fears and eyebrows long before Bill Clinton signed it last December. Detractors said the rule was so unwieldy and expensive that it would wipe out the U.S. government's projected savings from HIPAA, then pegged at $12.3 billion over the first 10 years.

In April 2001 a reluctant Bush administration let the rule take effect, choosing not to unmake a law that had been forged in more than five years of debate and 52,000 public comments. At the same time, the new administration's HIPAA point man, Health and Human Services (HHS) Secretary Tommy Thompson, promised changes that would make implementation easier on healthcare providers.

In a document published July 6, Thompson appears to have addressed some of their concerns. The government's First Guidance on New Patient Privacy Protections offers detailed advice on implementing the rule, and comes just in time for the compliance crunch. The rule takes effect April 14, 2003 for most covered entities, and a year later for some smaller providers.

The privacy rule -- part of HIPAA's administrative simplification provisions -- aims to protect the confidentiality of any medical information that might be used to identify a patient. In a nutshell, it prohibits the internal use of such information without patient consent, and bars external disclosure without expressed authorization.

But such information, known in HIPAA-speak as protected health information or PHI, gets thrown around a lot in medicine and its marketing. So doctors worried. Would a patient's friend be prohibited from picking up a prescription at the pharmacy? Would medical students be barred from making rounds with doctors? Would hospitals have to build a soundproof booth around every bed?

Thankfully, the answer is no to all of the above. The document gives providers (and other covered entities such as health plans and clearinghouses) practical information on implementing the rule. The HHS, mindful of the thousands of remarks received during a second public comment period in February, added some assurances that patient care would take precedence over some privacy concerns, while keeping the letter and spirit of the rule intact.

Last Friday, Helene Guilfoy from the healthcare consulting firm Phoenix Health Systems of Montgomery Village, MD, reviewed the just-published guidelines in cooperation with the Chicago-based Healthcare Information and Management Systems Society. In doing so, Guilfoy answered a long list of questions regarding implementation of the rule. The following are highlights of her electronic news conference.

First, Guilfoy said, it's important to remember that the rule relies on the patient's consent and authorization -- two different documents -- to use and release information. Direct treatment providers, for example, must obtain consent to use PHI before they begin treatment, payment, or healthcare operations (TPO) -- or as soon as possible thereafter in the case of a medical emergency, law enforcement action, or serious communication barrier.

Indirect providers such as health plans and clearinghouses do not need patient consent for TPO, but they must provide notice of how the information will be used. And a covered entity is not bound by the consent of another entity, except when a joint consent has been signed, Guilfoy said.

A signed authorization, on the other hand, lets entities use PHI for a specific purpose, such as giving the addresses of new mothers to a diaper service. An authorization has an expiration date, and states the purpose of the use or disclosure. The patient may revoke either document, but the revocation is not retroactive.

"Pharmacists may consult with a patient regarding medications without obtaining a consent, as long as they don't keep any records of the consultation," Guilfoy said. In addition, pharmacists may allow a relative or friend to pick up a patient's prescription, may assume that anyone who arrives to pick up a prescription is a caregiver, and may discuss the patient's medical information with that person.

"This is one of the confusing things that floated around about the privacy regulation," she said.

Patients may sign both consents and authorizations electronically, even though the electronic signature standard has not yet been defined under HIPAA. The provision is expected to be clarified further once the electronic standard is adopted. Signatures on the consent do not need to be verified, Guilfoy said.

Mental health patients have special rights regarding the release of information. Authorization (rather than consent) must be obtained for TPO of all psychotherapy notes, except for use by the originator of those notes. That means that if a provider needs to disclose TPO in order to obtain information from another health plan, the patient's authorization must be obtained first, she said.

"That's the only time the health plans come into play with getting signatures," she said.

Minimum necessary

The requirement that only the "minimum necessary" amount of information be disclosed -- even when such disclosure has been authorized in advance -- has also troubled providers, but the guidance document appears to offer a sliver of hope there as well.

First, the information in the HIPAA standard transactions, the protocols for the electronic exchange of administrative and financial healthcare information, is exempt from the minimum necessary requirements of the privacy rule -- as is information disclosed to HHS for enforcement of the rule, and disclosures to law enforcement agencies.

"How else would HHS determine if a violation has occurred?" Guilfoy said.

In addition, a provider may release PHI to a drug company looking for research subjects. However, even with authorization to do so, only the minimum necessary information may be released.

"Soundproofing or other facility redesign is not required to accomplish the goal of minimum necessary disclosure. This is also something that's been floating around for some time," she said. "Reasonable precautions, however, must be taken to prevent unnecessary disclosure." This means that a doctor might want to take such common-sense measures as pulling the curtains around a hospital bed before discussing the patient's condition, practices that should be second nature anyway, she said.

In general, Guilfoy suggested that providers ask information system vendors to limit access to certain fields in the computer, and that they consider negotiating requests for information rather than refusing them outright. Routine or recurrent requests for information can be handled according to established policies, while non-routine requests must be reviewed individually, although that review can and should still follow thorough pre-existing policies, Guilfoy said.

"The precautions do not mean removing the charts in patients' rooms -- I heard that one quite a few times. It does not mean that you have to shred empty prescription containers, nor does it mean that labs who identify specimen containers have to put them through special obliteration procedures," she said.

Role-based access is the key to complying with the minimum necessary standards, she said. "The major thing you need to remember is to make sure your policies and procedures are in line with the access that is being given," she said.

For example, medical students, nursing students, and allied health students rotating through a facility are allowed access to patients' entire medical records, as long as such access is specified in the institution's policies and procedures. Concerns that the rule would curtail medical education were unfounded, she said.
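The field-level, role-based access that Guilfoy describes above (vendors limiting access to certain fields, routine versus non-routine requests, and student access granted only where institutional policy specifies it) can be written down as a small policy table and a filter that applies it. The following is an added illustration, not code from the article, from HHS, or from Phoenix Health Systems; the role names, field names, the sample record and the "authorization unlocks extra fields" mechanism are constructed assumptions for the example.

```python
"""Role-based 'minimum necessary' filter over a patient record.

Added illustration only: roles, field names and the record below are
constructed assumptions, not anything prescribed by the privacy rule.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed, synthetic record (no real PHI).
SAMPLE_RECORD: Dict[str, object] = {
    "mrn": "MRN-000123",
    "name": "J. Doe",
    "dob": "1970-01-01",
    "diagnosis": "hypertension",
    "medications": ["lisinopril 10mg"],
    "lab_results": {"potassium": 4.1},
    "psychotherapy_notes": "session 3 notes",
    "billing_codes": ["99213"],
    "address": "1 Main St",
}
FULL_RECORD: FrozenSet[str] = frozenset(SAMPLE_RECORD)

# The written policy: each role sees only the fields its duties require.
# Students on rotation get the whole treatment record because the (assumed)
# institutional policy grants it; psychotherapy notes are never released by
# role alone, only through a signed authorization.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "attending_physician": FULL_RECORD - {"psychotherapy_notes"},
    "student_on_rotation": FULL_RECORD - {"psychotherapy_notes"},
    "billing_clerk": frozenset({"mrn", "name", "billing_codes", "address"}),
    "diaper_service": frozenset(),  # business associate: nothing by default
}


@dataclass
class AccessRequest:
    role: str
    purpose: str                      # e.g. "treatment", "payment", "marketing"
    routine: bool = True              # routine requests follow standing policy
    authorization_fields: FrozenSet[str] = frozenset()  # unlocked by a signed authorization


@dataclass
class Decision:
    granted: Dict[str, object]
    withheld: List[str]
    needs_individual_review: bool


def minimum_necessary(record: Dict[str, object], req: AccessRequest,
                      audit_log: Optional[List[str]] = None) -> Decision:
    """Return only the fields the role's policy plus any authorization permit."""
    if not req.routine:
        # Non-routine requests are held for individual review; nothing is
        # released automatically, but the request itself is logged.
        if audit_log is not None:
            audit_log.append(f"HOLD role={req.role} purpose={req.purpose} non-routine")
        return Decision({}, sorted(record), True)

    allowed = ROLE_POLICY.get(req.role, frozenset()) | req.authorization_fields
    granted = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    if audit_log is not None:
        audit_log.append(
            f"RELEASE role={req.role} purpose={req.purpose} fields={sorted(granted)}")
    return Decision(granted, withheld, False)


if __name__ == "__main__":
    log: List[str] = []
    for req in (
        AccessRequest("student_on_rotation", "treatment"),
        AccessRequest("billing_clerk", "payment"),
        AccessRequest("diaper_service", "marketing",
                      authorization_fields=frozenset({"name", "address"})),
        AccessRequest("attending_physician", "treatment", routine=False),
    ):
        d = minimum_necessary(SAMPLE_RECORD, req, log)
        print(req.role, "->", sorted(d.granted), "review:", d.needs_individual_review)
    print("\n".join(log))
```

The policy table, not the filter, is where the clinicians' input lives: changing what a role may see is a one-line edit to `ROLE_POLICY`, and the audit entries give the facility the record it needs to confirm that access actually matches the written policy.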

Policies and procedures regarding disclosure should be developed "with the input of prudent clinicians, so that access is limited without reducing the quality of care. It's a pretty important statement," Guilfoy said. "Remember, the word 'reasonable' is used 266 times in the privacy rule."

Oral communications

The oral communications provisions also appear to be more practical than what appeared in the proposed rule, according to Guilfoy. For example, the final rule doesn't prohibit nurses from verbally coordinating services at the nurses' station, nor does it bar nurses or other staff from discussing a patient's condition over the phone with the patient, another provider, or a family member.

Discussions of lab results in a joint treatment area are also allowed, as are discussions that take place during rounds. Again, it's prudent to install curtains in areas where more than one patient is being treated, and keep registering patients a few feet away from patients waiting to register.

Finally, there is no requirement for soundproofing of rooms, or encryption of telephone or wireless communications.

Business associates

When a facility gives information to a business associate who performs services on its behalf, the business associate may not use the information other than for the purpose for which it was given to them.

"They may not use it for marketing of someone else's product. They may not put it into a database ... so they can offer trending or forecasting information," she said.

However, because HHS cannot enforce the privacy rule on business associates, it's up to the facility to spell out the limitations to the business associate in its agreement, monitor compliance, and take steps to stop violations, including termination of the contract or contacting HHS if the violations do not stop, she said.

Next page: guardians, marketing, research, and the long arm of the law.
