By Les Roka
Huh? Hasn't medical information always been confidential and carefully protected? The new provision, which takes effect April 14, is part of a law enacted seven years ago by Congress. HIPAA -- the Health Insurance Portability and Accountability Act -- covers many aspects of health care administration, including key provisions to protect patient privacy along similar lines found in other industries, such as credit cards.
The privacy guidelines follow the widespread use of electronic records exchange between doctors, hospitals and insurance companies as well as other persons and organizations that may have a legitimate need for an individual's medical information. Most insurance claims are sent electronically and the transition to this procedure has accelerated recently. Later this year, Medicare will require all claims to be sent electronically.
HIPAA is a favorite target of management critics. It's costly, time-consuming, and burdensome in training and paperwork. Every health-care entity must designate a privacy officer.
On the other hand, HIPAA may alert patients who previously had little or no idea about what their medical records contain. At first, most patients might not likely notice the impact of the law but it will affect everybody at one point or another. And, it will trigger some nagging headaches for physicians, health insurance managers, and hospital administrators, especially in dealing with the media.
The new privacy rules set up specific procedures for requesting access to patient records, amendments to medical records, and confidential communications from the respective physician's office or health plan. Health-care organizations will be able to release an individual's medical information only after receiving the patient's signed authorization.
For patients requesting anonymity during a hospital stay, the institution will not be permitted to release any patient information to the media or even to family members. Only clergy have some leeway under the new privacy rules. The guidelines expressly stipulate that information cannot be confirmed to a police officer without a court order.
The new privacy guidelines perhaps will be most immediately noticed in automobile accidents or similar incidents. Information, for example, will be released to media only if they have the patient's name. The patient's condition and specific location in the hospital are the only pieces of information that may be released under the new law. In fact, the guidelines provide five single-word options for describing a patient's condition (undetermined, good, fair, serious, and critical).
In cases of patients in comas, staff members are permitted to use their discretion. They may rely on immediate family members to make the decision or wait until the patient is conscious.
The law provides some exceptions. For instance, information about patients with a reportable disease must be sent to the appropriate public health authority. To safeguard individual rights, however, the provider will be required to keep a log of all disclosures, and patients are entitled to a copy of it.
Extra care will be needed even in seemingly ordinary situations where, for example, a husband is calling for a prescription renewal for his wife and requests a voicemail message indicating when the prescription is ready for pickup. As long as the spouse has authorized the release of treatment information concerning her current illness, there is no problem.
The guidelines, however, could become a little sticky for some physician or clinical offices that have regular non-patient visitors, such as pharmaceutical sales representatives. For example, the staff will have to ensure that the salesperson cannot see or hear information about patients. Occasionally, staff may complete patient charts and files in open-access areas such as lunch rooms or doctors leave their office doors ajar while dictating patient information. Even front-room receptionists who normally talk with patients about how they are doing within earshot of the waiting room will have to exercise much greater discretion than what they had been accustomed to do.
The penalties for violating the rules range from fines to jail terms. All patients will receive a brochure that describes in detail the privacy provisions as well as procedures to file complaints if they believe their confidentiality has been breached.
Fortunately, I have spared the reader the avalanche of acronyms that HIPAA has generated. Who will benefit most prominently from HIPAA? If the recent experience of Y2K is any indication, attorneys and consultants should make out quite handsomely, thank you.
--Les Roka is an assistant professor of journalism at USU and formerly an information officer for hospitals in Ohio.