April 14th has come and gone, and with it implementation of the Health Insurance Portability and Accountability Act, or HIPAA. Many aspects of this unfunded and complex federal regulatory mandate are troublesome, but the underlying rationale is sound. Patients must be assured that their caregivers will use discretion when disclosing often embarrassing information associated with providing care. Nowhere is this principle more applicable than obstetrics and gynecology.
The original 1996 legislation contained three basic components; the first two are already extant and the third became law on April 14th:
Because the mandate for privacy protection inherent in HIPAA is so broad, there is potential for overzealous and misinformed bureaucrats to use the legislation to restrict access to vital patient data and thus adversely impact patient care. Doing so would exacerbate the current spiral in health-care costs, further erode the patient-doctor relationship through conflicts over disclosures of patient information, and further frustrate already over-regulated, overworked and increasingly dispirited physicians, who could be faced with harsh penalties for noncompliance. In the first half of this two-part editorial, I'll review the basic tenets of HIPAA; we'll look at the potential problems next month.
HIPAA brings a marvelous new set of Orwellian phrases and abbreviations. For example, the HIPAA privacy standards apply to any "covered entity," a term that includes health-care providers, researchers, and administrative staff who create, receive, or distribute health information electronically or in any other format. The standards also apply to employees who may have incidental exposure to such information.
The second term you need to be acquainted with is "Protected Health Information" or PHI. This is any information that identifies an individual and relates to an individual's past, present, or future physical or mental health; provision of health care; and past, present, or future payment for his or her health care. Information is deemed protected if it includes either the patient's name or any other identifying data (such as address, age, birth date, Social Security number, medical record or account number, telephone or fax number, e-mail address, photograph or any other characteristic that could uniquely identify the individual).
The third key phrase/abbreviation to remember is Treatment, Payment, and Health Care Operations or TPO. PHI can be used without specific patient preauthorization for TPO!
HIPAA requires health-care providers and group health plans to post notices outlining their privacy practices and informing patients about their rights. The "Notice" should tell patients about the provider's or plan's privacy policies and explain how PHI will be used. It should also inform them about their rights, such as the right to access their own records and request additions or amendments to them. Patients must receive the "Notice" before they begin receiving care or as soon as is practical thereafter. Special rules apply to emergency care, but anyone, whether a patient or not, can request a copy of the "Notice" at any time. Finally, patients must be asked, but are not required, to sign an acknowledgement of receipt. Sample forms are available from the American College of Obstetricians and Gynecologists.
HIPAA regulations specify how PHI can be shared with business associates (defined as any entity outside your practice involved in activities that require the use or disclosure of PHI). This includes data used for claims processing, data analysis, billing, practice business management, transcription, legal services, and electronic/paper medical record management. Before you give PHI to a business associate, you must have a contract in force that includes certain assurances, such as confidentiality clauses that hold associates accountable for protecting PHI and prohibitions against use or further disclosure of PHI in violation of the privacy rule. When a contract ends, your business associates must return or destroy all PHI within a reasonable amount of time. Business associates are required to report any breaches to the provider, while the provider is obligated to address such breaches and ensure that an associate's subcontractors also abide by the law.
Rights guaranteed by HIPAA can be summarized by the acronym CAAAR: Confidential handling of PHI by the provider; Access to PHI, including obtaining copies for a modest fee within 30 to 60 days; Amendment of PHI subject to your approval and with the right to appeal your denials; an Accounting of certain disclosures you make; and Restriction of use and/or disclosures you can make of PHI. HIPAA does permit you to deny access when you determine that access may endanger the patient or others. The accounting of disclosures must list all those outside your health-care organization who have seen a patient's PHI for purposes other than TPO and their reasons for doing so.
As noted above, PHI can be used without specific patient preauthorization for TPO. For example, PHI can be freely used to care for a patient (such as calling for or reporting ultrasound findings, a lab value, or a consultant's recommendations). PHI can also be used to bill patients or their insurance companies for services rendered, or to fulfill related administrative and support functions. Health-care operations covers a fairly broad range of uses, including information about what services patients should receive (such as EKG, ultrasound, CXR), or data used to review the quality of their care. Disclosure of PHI is also permitted without authorization in certain other situations, such as:
A patient must authorize the use and disclosure of his or her PHI for most other purposes, such as research not covered by an Institutional Review Board waiver, marketing, or an attorney's request for records. This authorization must include a specific and meaningful description of the PHI to be used/disclosed, name(s) of the persons or organizations to whom the PHI will be disclosed, the purpose and duration of the use/disclosure, notification of the potential for re-disclosure to others not subject to the privacy rule, a statement that the authorization may be revoked, a notice that you may or may not condition treatment or payment on the individual's signature, and the signature and date.
You and your staff must make a reasonable effort to disclose or use only the "minimum necessary" amount of PHI in order to do your jobs. You can disclose information requested by other health-care providers if the information is vital for treatment.
HIPAA requires each organization to appoint a "Privacy Officer" who is responsible for developing the organization's privacy policies and enforcing them. These policies must be maintained for at least 6 years after implementation. There must also be a compliance process contact person and a patient rights administrator who processes requests for access and amendments of PHI by patients. You will also need to change the mindset of your staff and possibly the physical configuration of your practice.
There is no doubt in my mind that quite soon our genomes and proteomes will be scanned and our entire medical future rendered predictable. When that day comes, patient privacy will be of paramount concern. Unfortunately, as you can easily see from the previous description, HIPAA extracts a steep price in an effort to protect medical privacy. In Part 2 of this editorial, I will lay out my concerns about the practicality of implementing HIPAA regulations and the potential adverse impact on physician workload, health-care costs, patient-physician relations, and research.
Charles J. Lockwood, MD
Charles Lockwood. Editorial: Addressing the HIPAA debacle, Part 1.
Jun. 2, 2003;48:8-12.