Even before the federal government made patient confidentiality an issue, Palo Alto (Calif.) Medical Foundation was pushing for action.
"It's needed," says Paul Tang, M.D., the medical director of clinical information. "The status quo provides inadequate protection for patients' information."
The 200-physician organization, which had between 150,000 and 200,000 patient visits in the past 12 months, has been urging the government to improve patient privacy and confidentiality protection.
And now HIPAA is about to arrive, and Palo Alto is getting ready by launching an extensive education program, Tang says.
HIPAA's reach is "so widespread. Privacy affects every member (of the organization) because it's mandatory. Everyone needs to be involved and needs to be trained. And there will be a sizable cost. The board of directors and senior management need to understand their responsibilities and accountabilities of implementing and complying with HIPAA," he says.
The board and senior executives already have been educated about HIPAA by committees established to address compliance with the expected security and privacy provisions, Tang says.
"We've revised our confidentiality policy agreement. We have, on numerous occasions, discussed with physicians their responsibility to protect patient data," he says.
"Privacy is going to touch all the employees. You have to re-educate physicians on the responsibility of protecting patient privacy."
The biggest point to drive home, Tang says, is that it isn't only information in electronic form that needs to be protected. It's all patient information whether it's communicated orally, in writing or electronically.
"We're trying to protect the confidentiality of the information, not just the media it's stored on," Tang says. "You try to protect the information in any way it's communicated or used. It applies to oral communication as well."
He also says the systems that feed end-user systems, such as a lab system that feeds into the main physician network, must be protected and no unauthorized users should be able to access them. In other words, find the weakest link in the chain and make it as strong as the other links.
"You have to go and re-examine your information systems," Tang says. "You have to make sure that the system has features that help you implement the policies to comply with HIPAA."
Office politics could become a problem, Tang says. People who once had unrestricted access to records may find they no longer have access to every patient record.
"You need to have leadership, physician leadership backing, promoting and supporting this," he says. The leadership must say that "we must revise our policies and implement these policies because it's a law."