One year after federal regulations took effect on the confidential handling of personal health information, fewer than one in four healthcare organizations are in full compliance with the many requirements to protect privacy and account for information disclosures, a report to be released this week has documented.
But two-thirds of privacy officers and others charged with meeting regulatory requirements said their organization's level of compliance was between 85% and 99%, according to a survey by the American Health Information Management Association assessing adherence to privacy provisions of the Health Insurance Portability and Accountability Act of 1996.
That's good news considering the widespread concern in the months leading up to the HIPAA deadline about the complexities of the privacy regulations and predictions of high costs and confusion, AHIMA said in its report, released exclusively to Modern Healthcare. "Despite all the anxiety over this issue, it appears as if healthcare organizations are integrating HIPAA privacy into their culture and are seeing positive results," said Linda Kloss, AHIMA's executive vice president and chief executive officer.
Some 70% of those surveyed agreed that the HIPAA compliance process uncovered privacy problems within their facilities that were subsequently resolved.
Though most healthcare organizations concede they're less than fully compliant after two years spent preparing for the April 14, 2003 effective date and a year's worth of operating under the regulations, "Even the idea of 100% compliance is an illusion anyway," said Jill Callahan Dennis, an adviser to AHIMA on privacy compliance issues. "You're never going to be 100% compliant even if you think you are."
But AHIMA officials and hospital privacy officers warned that further progress could be difficult without help from HHS in modifying or lifting some of the regulatory requirements. A top HHS official, however, said the complained-about requirements are there for good reasons.
When hammered into final regulations three years ago, HIPAA's privacy provisions homed in on a healthcare culture in which details of patient conditions and history too often were discussed in the open and not treated with proper attention to confidentiality.
However, the biggest problem area reported by providers was not the issue of establishing privacy practices but rather the tedious and often frustrating quest to fully account for all disclosures and patient-initiated corrections of protected health information.
"It's laborious and seems to have very little value for the patient," Dennis said about the breadth of disclosures required under HIPAA.
In the survey of 1,192 healthcare privacy professionals, 39% said accounting for release of protected information was their biggest problem area, and 51% said it was the area most in need of modification by the federal government.
Managing the flow of information to and from outside contractors and partners, called business associates, also was a problem area for compliance efforts and an often-cited focus for federal review.
But other difficulties surfaced that providers will have to resolve among themselves. For example, one-third of surveyed professionals said they had a problem getting patient information from other healthcare providers, even though HIPAA restrictions on disclosure expressly exempted information-sharing among medical professionals for treatment purposes.
Another internal struggle, according to 32% of respondents, involved the release of information to a patient's relatives or "significant others."
HIPAA regulations list nearly a dozen types of disclosures that must be included when patients ask for a report detailing where their personal information has been sent. Providers do not have to include disclosures for purposes of treatment, payment or conducting healthcare operations.
Most hospitals don't have a central area for such information: people throughout the organization have a role in releasing it, said Donna Bowers, vice president of Baylor University Medical Center, Dallas. All these employees have to be educated on which disclosures have to be documented and which do not, and those disclosures have to flow to one place where they can be logged, Bowers said.
A significant percentage of those disclosures are beyond the power of patients to control whether they know about them or not, Dennis said. They're already required by governments for public health, law enforcement, Medicare and Medicaid certification, and social service purposes, from births and infectious-disease reports to cancer diagnoses and suspicions of child abuse. "Even if they wanted to object, they couldn't because it's required by law," she said. "It's really an illusory right."
Providers questioned the expense of nailing down every routine disclosure, which workers sometimes forget to do, and that affects a facility's compliance, said Rita Bowen, chief privacy officer of Erlanger Health System, Chattanooga, Tenn. "We know if someone's born, they're going to be reported to the state. Is anyone going to look for that? I don't think so. So why should it be reported? It's so labor-intensive."
And very few hospitals have had requests for accounting, Dennis said. In the survey, less than 25% of facilities have had a single request. "It just seems like an awful lot of work - and it's expensive work," she said.
After excluding disclosures required by law, "There aren't too many things left to account for," said Dan Rode, AHIMA's vice president of policy and government relations. In testimony before a HIPAA advisory committee to HHS, healthcare representatives described the administrative burden and floated the idea of listing required disclosures in the notice of privacy practices handed out to all patients instead of going through the accounting of those disclosures for each patient, Rode said.
But HHS' Office for Civil Rights, the enforcement arm for privacy and confidentiality provisions of HIPAA, said the accounting requirements have value. "Many go to the question of disclosures made that a person wouldn't otherwise know are made," said Richard Campanelli, director of the HHS office. "It's a way for an individual to learn whether their information was safeguarded as the rule requires."
Merely listing those disclosures on a notice of privacy practices would not tell someone if his or her information actually was distributed, Campanelli said. "The rule requires a specific accounting," he said.
The lack of interest so far among patients doesn't mean the requirement should be reassessed already, HHS spokesman Bill Pierce said. "It's only been around a year, and arguably this is for the long haul," he said.
Besides the education it gives patients, the accounting process also helps them decide whether they need to clarify or correct information on them, Campanelli said. "It helps to know if the disclosure about them was accurate ... and how it was used."
The National Committee on Vital and Health Statistics, HIPAA's advisory panel, decided it wasn't ready to recommend changes to HHS Secretary Tommy Thompson, said Mark Rothstein, who chairs a subcommittee on privacy and confidentiality. "We're aware of the problems and are calling it to the attention of the secretary," he said. "But for us it's a bit premature and rather sweeping for the policies to be changed entirely."
Under HIPAA law, HHS has the authority to modify or amend privacy standards as it sees fit, but only once in a 12-month period. The vital and health statistics committee is the sole advisory agency to HHS on HIPAA privacy and confidentiality.
Correcting privacy deficiencies
Whatever the current problems, a clear benefit of HIPAA was "identification of deficiencies with existing business practices or procedures that put privacy of patient information at risk," the AHIMA report said. Those problems likely were part of caregivers' drive, "all with good intent," to treat patients, and to do that, they needed access to information, Bowers said.
But after going through the regulations, providers realized that the long-standing single-mindedness of healthcare workers on getting information from and about patients had to give way to other considerations. "After 100 years, maybe this wasn't the right way," Bowers said. "Maybe (patients) do care that I'm asking all these personal questions in front of all these people."
Two top privacy problems were singled out, identified and corrected during HIPAA implementation, both mentioned by 13% of respondents. One was unauthorized releases of information from areas outside the medical records department. The other was public disclosure of private information, in plain sight on department "whiteboards," computer screens or unattended desks, or overheard in conversation.
At Baylor as well as other hospitals, it was standard practice in surgery waiting areas for a physician to sit down wherever a patient's family was gathered and relate all the details about the completed procedure in a normal tone of voice, Bowers said. Now the family is directed to a private area where no one else can overhear the conversation, she said.
Other measures include privacy screens for all computers in clinical areas of Baylor's 11 facilities. Computer screens cannot be read unless the user is directly in front of the monitor.
About 6% of those surveyed said they had to tighten up their control of disclosures by standardizing practices related to the release of information.
At Erlanger, an internal assessment discovered weak spots that had to be fixed, Bowen said. "By mapping the flow of information we found lots of people really seeing information who shouldn't be," she said.
Editor's note: This is the second of a two-part series on patient privacy. The first part, about the Justice Department's efforts to obtain abortion records, appeared in the April 5 issue (p. 6).