Protecting patient privacy and confidentiality has always fallen in someone else's lap: Doctors relied on nurses who relied on clinic staff who believed it was the doctor's responsibility in the first place.
While always important, privacy and confidentiality haven't always been high priorities.
Physicians get sidewalk consults in stairwells and crowded elevators. Nurses often report from recovery rooms jammed with patients and visitors. Patient information is faxed from one office to another.
In the normal course of business, no one would think these practices violate the integrity of patient confidentiality.
A federal law is about to change the normal course of business.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, and its accompanying regulations, make it a violation to share patient information with anyone not authorized to know or who has no need to know that information. And patient information isn't limited to name, health status or date of birth. HIPAA says any information that could identify a patient must be protected.
In other words, while a sidewalk consultation wouldn't automatically violate a patient's privacy, getting that consultation in a crowded elevator would.
But the regulations don't just apply to physicians. Anyone who handles identifiable patient information must keep that information secure and protect the patient's privacy.
Violate the rules and pay fines that can reach $25,000 per violation, with numerous violations per situation possible. Worse, those who break the law can spend up to 10 years in prison for each error. How exactly this will be monitored hasn't been spelled out. But one thing is clear: Unintentional disclosure won't be a defense. The law doesn't take into account whether the release of confidential information was maliciously intended or not.
"It's going to require the physicians to step back and look at their business process, whether it's technology-based or something as simple as a fax," says John Gimpert, a partner with Deloitte & Touche's National HIPAA Services and Enterprise Risk Services in Chicago.
HIPAA initially was written to allow workers to change jobs without having pre-existing condition exclusions in their new health plan coverage. Congress decided that since many sets of transaction codes are used to process claims, it would be easier to process insurance data if there were only one set of codes. That's why the administrative simplification for transaction standards--or the code sets--was written.
However, because of public concerns about the confidentiality of information transmitted electronically, Congress outlined privacy and security rules for the transmission of health information. After being unable to agree on security regulations last fall, Congress bounced that job back to HHS.
HHS and HCFA have proposed regulations protecting the privacy and security of patient information.
Security is defined as a technical means--either through electronic or physical barriers--of protecting data. The protection should guard against not only wrongful disclosure but also ensure accurate electronic transmission of information by encryption. Security also needs to ensure that any hacking or altering of information that occurs will be easily detected, i.e., the electronically transmitted data will appear obviously flawed.
Privacy relates to patients' rights to protect information about themselves.
No final rules have been published for any HIPAA regulations. The comment period has ended, and HHS received thousands of comments. It isn't known when the regulations will be finalized. Once they are published in a final rule, Congress then has 60 days to review the rules. After those two months expire, covered entities have 24 months to become fully compliant with HIPAA.
Since HIPAA mandates that all healthcare payers have the ability to process claims electronically, electronic connections and the computers that are used must be secured. There isn't a general clearinghouse that keeps track of how many claims are now submitted electronically. However, some large insurers such as AetnaUSHealthcare say 50% of their claims are electronic.
"One of the primary objectives is that HIPAA establishes standards for electronic health information systems," says Donna Gustafson, senior manager for the enterprise risk services division of Deloitte & Touche.
The electronic coding standards will eventually save millions of dollars. But it will cost millions to get to that point, consultants say. Exactly how much it will cost isn't known. Consultants are recommending groups plan on spending about twice as much for HIPAA as they did for the year 2000 bug. BlueCross BlueShield Association, the parent company of the national Blues programs, estimated a price tag of $40 billion over five years for all Blues plans to be HIPAA compliant.
Providers aren't required to process claims electronically and can get around that requirement by using a clearinghouse. However, using another entity to process claims doesn't exempt the providers from privacy and security regulation requirements.
While the process advances, physicians should educate themselves and their staff on HIPAA regulations and potential ramifications, consultants say.
They should develop a checklist of the regulations and cross off the items as they become compliant. They also need to develop a phased approach to coming into compliance, consultants say. By starting now and taking one step at a time, medical organizations will stand a good chance of ensuring full compliance within the 24-month time frame.
If providers are doing what they ought to do anyway, there shouldn't be much of a change, says Margret Amatayakul, a consultant in Schaumburg, Ill.
"I think there's . . . a lot of to-do about nothing," Amatayakul says. "I don't mean that literally. I think privacy is extremely important. By the same token, you really would not (have) to alter your current practices that much by any new law. You should today be very careful about talking about a patient by name in a public elevator."
But, she says, "it happens all the time. That doesn't mean that it's right, even today."
The changes are "a small number of really big differences than what we're doing today," Amatayakul says. "It's not like we don't have any privacy laws in this country. It's at the state level. It varies among the states, and it's oftentimes buried in all sorts of different state statutes."
Generally when a patient's confidentiality is breached, the patient attempts to sue. Most times, the organizations try to settle out of court, and often those claims are tied in with malpractice cases, Amatayakul says.
In order to release information to an insurance company now, providers need to get a signature as authorization, something Amatayakul says doesn't make sense.
The signature before treatment makes some people believe they won't get treated unless they sign the release, she says. Other patients may be concerned about providing information about a disease or potential disease to an insurer. And sometimes patients are so sick they don't realize what they're signing, thus making the authorization invalid, she says.
Under the HIPAA privacy regulation, patients will automatically have their information released for patient care, payment and operations of the healthcare provider's organization. Every provider will have to supply notice to patients of how they use their information, Amatayakul says. That notice must be given before the patient is treated or at least at the first visit.
"This tells (patients) up front how (providers) are going to use the data," she says.
Any use of patient information outside treatment, payment and operation of business must be disclosed to patients, and providers must account for that use.
The second significant change is that patients are allowed access to their records, something not provided for in some states' laws, she says. When HIPAA becomes effective, patients will have the right to look at their records.
Few expected the regulations to take this long to publish. Some of the regulations, including privacy, have been a political hot potato.
Amatayakul says one reason for the delay in issuing the final regulations is Congress appropriated no funds to HHS for any aspect of implementing HIPAA requirements. Secondly, she says, HHS received an overwhelming amount of public comments. Finally, Amatayakul says, defining privacy is difficult because divergent opinions exist about what privacy is and about all the related issues.
"We could get by forever without federal privacy requirements. Because of the growing use of the Internet and private networks, there's more concern about . . . the use of data, whether it's in electronic form or not."