July 2001 Newsletter

HIPAA Privacy and the Provider

I am using the term provider to designate the way it is used in the  Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  A provider is any person or entity that performs health care services.  This includes all hospitals and physicians or allied health professionals.  The law also includes health plans and clearing houses which I will not address.  The law has several aspects including the technical aspects of how to transmit information.  I will not cover that either, but it goes into effect October 2002. Security is going to be very important as there needs to be physical barriers for unauthorized use of terminals. This includes quick logoffs and proper logons. This newsletter is only to cover the privacy aspect of the law and only superficially.  The actual law is 1500 pages long.

What is HIPAA?

HIPAA is a law passed in 1996 to address the portability of health insurance under COBRA.  Buried in the law was a statement about the privacy of health care information. For those of you who do not know, most of your health information is concentrated in a data bank in Massachusetts for the convenience of insurers.  This law is to protect the privacy of all health information.

Who and What Is Covered

The law covers all providers that transmit any healthcare information electronically.  That means it covers everyone unless you do everything on paper. Even then, if you do a card swipe to check eligibility or check the status of a claim on a touch tone phone you are a covered entity. Faxing alone is not considered enough to put you into the covered entity box. Remember, it is not just claims but basically if you have a computer, you're covered.  

Assuming that you are covered, the information protected is any individually  identifiable (private) protected health information (PHI)  in oral, electronic or written form.  This is true for this information whether it is stored or transmitted. This includes anything connected to the individuals past, present or future physical or mental health or that relates to the provision or payment of health care for that individual.  Deidentified information cannot have a name, geographic area smaller than a state, any date except a year referable to the individual, telephone number, SSN, account number, plan beneficiary number or a partridge in a pear tree. If you do business with billers, they will not be covered but are considered business associates.  Business Associates will be covered later.

Privacy Officer

You will need to designate a single Privacy Officer who will be responsible for all privacy matters and the keeper of all logs.  The officer will also have to know the State laws and follow which ever is the strictest. HIPAA is a national floor for privacy, not the end all. 

The officer should be senior management in order to effectuate change. In provider offices this person would have multiple positions. In larger organizations it should be a dedicated position. The privacy officer is also in charge of the required training of all employees, volunteers, trainees and anyone else you can think of that works for the entity, whether or not they get paid.  If you are already doing the compliance training, this will not be a big deal.  Records of privacy training must be kept for six years. HIPAA also requires the discipline of any person who violates the Act and all sanctions must be documented.

Consents

This is the main point of the law. All covered providers (those with a direct treatment relationship with the individual), not clearing houses or health plans, will need consents from every patient to release any information about the patient to anybody. Yes, that's anybody within or outside your entity.  All providers are required to have a privacy policy and it appears that this policy must be given to each patient at the time of their first appointment after the law becomes effective, April 14, 2003. If the policies change, patients must be told they have the right to see any changes. 

Along with giving the patient this policy you will need the patient to fill out a consent form to release information for treatment, payment or healthcare operations (TPO). this consent must be in plain language (no legalese). The definition of plain language is huge and may be found in the Federal Regulations. Basically it means the information must be organized to serve the reader not the writer, the use of short sentences with active voice, the use of common words and divisions into short sections. It must be available in several languages as obligated under Title VI of the Civil Rights Act of 1964. If your population is illiterate then you need to read the consent to them or have a video made. 

The consent will allow you to share information among your colleagues for the care of the patient.  This is different from your standard consent as it is now used.  It must state how the patient's information will be used and if disclosed outside of the TPO how the patient may find out to whom and for what reason it was disclosed.  This means you will need to keep a log of what information was disclosed, when and to whom and for what reason.  This consent is good for life or until revoked in writing by the patient.  If the patient refuses to sign the consent, the provider does not have to treat the patient. The patient may place restrictions on the use of the release of information.  The provider does not have to agree but is bound to anything it does agree to. 

Consent is not needed in emergency situations but must be obtained as soon as possible after the emergency. Providers who only interact with the patient tangentially, such as lab do not need consent.  Also, pharmacists may take prescriptions over the phone and get consent if the patient picks up the prescription.  If a family member or friend picks up the prescription, the pharmacist may give the medicine without the consent filled out.

Patients are entitled to see their own records and no consent is required. However, it would be prudent to keep a log of any time a patient asks and is granted access to his/her medical records.  

You must keep a log of all disclosures outside of the covered agency and show it to the patient upon request. These logs must be kept as with any consent revocation for at least six years. 

The patient has a right to ask to amend the medical record but the provider does not have to agree. The amendment may just be added to the medical record without comment and without removal of the original statements.

Faxes are also covered under this rule, both from the privacy and the transmission standpoint. If PHI is being transmitted there must be administrative safeguards in place.  This may include pre-programmed numbers in your fax machine, confirmation of delivery of information and preprinted confidentiality statement on all cover sheets.  Some people recommend placing machines in safe portions of the institution and to check periodically the fax transmittal summaries and confirmation sheets.

E-Mail is even more fun.  The questions are how do you know the person on the other end is who they claim to be and how do I get consent.  Consent is obtained when you see the patient and before the E-Mail or you may not even need consent since you are sending the patient's own PHI to the individual. The real problem is the required encryption.  This, unless changed, may force all providers to forego E-Mail with patients.

Consents do not apply to psychiatric notes.  These notes, in any medium, must have specific authorization from the patient to be released. It is probable that these psychiatric notes may need authorization even for treatment purposes within the same group. Psychiatric notes do not mean medication monitoring, start and stop times, the modalities and frequencies of treatments, results of clinical tests and summaries.  These items only need the consent.  

As of the time of this newsletter an direct appointment provider may not use PHI to set up an initial appointment without consent.  This is to changed. Other things to be changed include the inability to use signup sheets, call the patient's name in the waiting room or over the loudspeaker at the hospital and the use of bedside charts.

Minimally Necessary

The rule states that an entity will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. The provider shall only provide the minimal necessary information as defined in your policy and procedure, which is possibly role based disclosure, for payment and healthcare operations.  Treatment disclosures, disclosures to the patient, information for which the patient has signed an authorization (discussed later), use of information as required by law do not require the use of the minimum necessary standard. The feds are being reasonable and stating if you need the information for treatment, do it.  

If you are a small provider office, it may not be  reasonable to isolate employees from the entire medical record.  In larger organizations such as hospital it will be necessary to do the role based isolation of information.  The hospital should take necessary precautions but reasonable ones to protect patient privacy information.  This means not elimination but precautions for white boards with patients names, charts at the bedside or in slots next to the rooms, etc.

The onus for compliance is on the requestor.  If a patient requests release of his/her information to an insurer and in providing the information the provider is found to be in non-compliance, the requestor patient is still the one liable.

Authorizations

Authorizations are required for psychotherapy notes unless used for TPO by the originator of the notes, training programs or defending a legal action brought by the individual.  All authorizations must contain the description of the information to be disclosed, the name of the person to whom disclosed, the expiration date or the authorization, a statement regarding the person right and how to revoke the authorization along with the possible exceptions, the possibility of redisclosure and the signature and date. This, like the consent, must be in plain language. 

There are separate requirements if the authorization is for an entity's own use and disclosure, an entity's disclosure of the information to another and the use of the PHI for research.  The authorization must be a stand alone document some exceptions. Some plans may condition the payment for services upon the authorization, except for psychotherapy notes. Plans may require the authorization for information for determination of acceptance into the plan, except psychotherapy notes. Research based therapy may be withheld if no authorization is signed.

Oral Communications

Loose lips sink ships was the cry during WW II.  It now holds in healthcare.  Oral communication is not forbidden only reasonably restricted.  The usual prohibitions against speaking in public places about patients still hold. There is no need to build private hospital rooms nor not speak loudly if necessary due to the surrounding conditions, etc. If there is any recording of oral communication such as discussions between various healthcare workers, these are accessible to the patient. If oral disclosures are made to an outside agency they must be logged as part of the patient's disclosure history log.

A major change is the use of sending reminder postcards or leaving messages on answering machines.  For the postcard reminders the fold over type is permissible but with the return address not stating the name of the provider.  The use of the answering machine is now a no-no unless you have already given the patient your policy and received consent. Who will listen to the message?

Business Associates

Business associates are those entities that help the covered entity perform certain functions and utilize or come into contact with PHI. Examples are the entity's attorney, billing service including if the hospital bills for independent physicians with staff privileges.  An example of a business that is not a business associate is the cleaning service. They will not have access to PHI if there is a clean desk policy in the organization. If there is no clean desk policy or it is not being observed then a contract is needed. The real problem here is how to disclose to the patient when asked which janitor saw and disseminated the PHI as required under the patients right to see six years worth of disclosures.

 Any employee or independent contractor who perform most of their services on site are considered workforce and do not require business associate agreements. This is true of a licensed independent practitioner in a hospital. 

The information is only for the business associate to help the covered entity and can not be released to other business associates without a separately signed authorization by the patient naming the agency and how the information will be used.  The covered entity is not responsible for the business associates use of the information, but if there is pattern that is a material breach and it is not corrected or reported the covered entity may be liable.  This means there should be a contract or agreement between the two stating what penalty will ensue if the associate inappropriately releases information. The business associate of the covered entity should have agreements with their subcontractors.

Parents and Minors

The basic law is that parents have access to the children's medical information.  This is not true in states such as California where minors may give consent for certain treatments or if the parent relinquishes the ability to see the information. or if there is possible abuse by the parent that is to be reported.

Marketing

Marketing, the communication about a product or service to encourage its purchase or use, can only be utilized if there is a face to face meeting with the patient, they involve products of only nominal value, they concern products or services of the covered entity and that entity is identified and disclosed that the entity has paid for the communication, if it is true, the individual has been told how they have been targeted for the marketing, and the individual must be able to opt out after the first contact.  There must be a signed authorization for any other release of personal health information. Fund raising is also allowed but with most of the same caveats.

Research

Authorization is needed unless the covered entity is told that a review board has approved a waiver such as where it is impossible to find the people and obtain authorization, the information is only to prepare a protocol and no personal health information is removed or the research is on proven decedents.

Government Access

The Office of Civil Rights (OCR) has the right to enough information to investigate complaints and compliance.  Police and other law enforcement are more limited.  There will be no DNA without a warrant and entities must get authorization from victims of domestic abuse before reporting their information.

Payment

Payment under consent includes disclosures to consumer reporting agencies but this is limited to name, SSN, DOB and payment history. If covered entities use collection agencies a business associate agreement is required. 

Penalties

There is always the hammer.  The program is under the oversight of the Office of Civil Rights. The penalties are fines ranging from $100 per violation up to $25,000 per person per year for each requirement or prohibition violated and/or jail time. 

The jail time is for intentional violations.  The lowest is one year for obtaining or disclosing PHI.  This increases to five years for obtaining the information under false pretenses and ten years for obtaining with the intent to sell or use for commercial or personal gain or malicious harm.

Conclusion

HIPAA has two major long term advantages that completely overshadow the short term negatives. The first is in the privacy arena where, even though it is not perfect, it is a great start toward providing health information privacy.  The second is after the initial setup costs there should be significant savings due to all insurers using the same code sets  for payment purposes.

What should you do now? 

I would start by making sure the electronic transmission systems are compliant.  This must be done and working by October, 2002. I would also look at the external and the internal flow of protected health information in the organization, be it large or small.  The large organizations should have a HIPAA task force made up of the CIO, attorney, compliance officer, and the head of medical records along with some medical staff leaders and floor nurses. The group should also include the privacy officer as soon as one is designated.  They would look at all electronic data repositories including PDA, PCs, etc. They will also look at where the internal breakdowns may be and how to fix them.  The external things the task force will need to examine includes who you deal with that is not a covered entity such as your attorneys, banks, and vendors and with whom you will need to have a contract with as a business associate. These people would need to start being educated on the business of privacy and the law.

The group should look at the federal and state laws to determine which are a more stringent procedure and should be followed. The task force would also start on deciding what the privacy policies will be and what the consent and authorization would state.  I would not chisel them in stone as yet since this does not come into play until April 14, 2003.  There will probably be some significant changes up to and even some after that point.  Please remember as the final point not to get carried away in minutiae as common sense and responsibility are more important.

Some web sites that will be of help are the preamble and the rule, 1535 pages of which 200 are the rule at  aspe.os.dhhs.gov/adminsimp/index.htm
Another excellent site is 
www.ahima.org
The site for the AMA E-mail guidelines is 
www.ama-assn.org/ama/pub/category/2386.html