|
|
For other articles and previous issues click here. May 3, 2004 ED
Confidential While patients may cry foul and be quick to suspect violations of the Health Insurance Portability and Accountability Act (HIPAA), and hospital staff may feel they’ve failed to comply with HIPAA, none of these leakages of private health information violates the privacy rule. Healthcare providers have more latitude than many realize to request, use, and disclose protected health information. Many times what could be considered breaches of privacy are in fact legal disclosures of information and therefore, according to the law, are permissible. The Standards for Privacy of Individually Identifiable Health Information issued by Health and Human Services under HIPAA remain a source of confusion for many healthcare providers and administrators. Misinterpretation of the so-called privacy rule and misguided attempts at compliance in some cases have confounded the provision of care, unnecessarily stymied the exchange of information, and brought about clumsy or unwieldy attempts to alter the physical setting. This is perhaps nowhere more true than in the emergency department (ED), where the focus puts patient care above all other considerations. Yet many people in the industry believe HIPAA hasn’t done much more than bring privacy and confidentiality to the forefront, observes Carol Ann Quinsey, RHIA, CHPS, professional practice manager, American Health Information Management Association. “Two things are happening,” she says. “One is that people are thinking that the rules have sort of changed when they really haven’t, and the other is that people sometimes use HIPAA as a fallback excuse when they’re not sure what to do. Instead of figuring out what they ought to do, they use HIPAA as an excuse not to do something.” It’s an assessment shared by a number of legal experts and many ED workers. To illustrate the extent to which confusion over HIPAA can negatively affect the delivery of emergency care, Quinsey points to a well-publicized case last year in which an Emergency Medical Services (EMS) crew was trying to reach a patient in a rural area. The dispatchers would give the crew only an address, not the patient’s name. EMS workers had to stop numerous times to try to find the address, all the while delaying the patient’s care and causing needless suffering. The dispatchers blamed HIPAA for their failure to provide a name—a gross misunderstanding of the law. “Knowledge of the name is critical for the EMS to get to the patient in such a setting,” says Quinsey, who adds that release of the name would not have been a violation of the law. At most hospitals, the scramble to come up with solutions to these issues began well in advance of the compliance deadlines. In some cases, facilities are still struggling to comply with the regulations without compromising appropriate and expedient care for patients. Bayhealth Medical Center in Dover, Del., which comprises two hospitals—Kent General and Milford Memorial—began putting together a game plan for HIPAA compliance back in 2000. According to Ethel Matney, HIPAA project leader/medical practice systems coordinator, “We started pulling together people in various departments to find an approach to tackling HIPAA issues, and from my perspective, one of the biggest challenges was educating everyone on the workforce.” Her team organized itself into groups devoted to HIPAA’s principal aspects: privacy, security, transactions, and code sets. Coming from a small state with few resources, they realized that networking would be key in their approach. “We buddied up with the Greater Philadelphia HIPAA Network and started exchanging information,” says Matney, who adds that they utilized invaluable online HIPAA databases and listserves, as well as resources such as the Workgroup for Electronic Data Interchange. Unable to find all the necessary information in one spot, the facility was relentless in its search for information. “At one point, we were feeling frustrated about where we were in our effort and what we should be doing,” Matney recalls, “so we actually invited our local representative from the Centers for Medicare & Medicaid Services to a Greater Philadelphia HIPAA Network meeting so that we could do a question-and-answer session.” Despite all this networking and a proactive approach to research and compliance, Matney’s team, like all that struggle with HIPAA, has not found all the answers. There continues to be problematic issues that Matney feels may not be resolved until they are brought to court. Among the thorniest of issues are those surrounding release of information, incidental disclosures, and the casual exchange of information among colleagues. RELEASE OF INFORMATION Field says the primary concern is the timely and appropriate care of the patient, and HIPAA does not and should not throw up any obstacles to that key goal. “It’s not meant to be a roadblock,” she says. “The Office of Civil Rights has reiterated strongly that treating providers do not need to get consent from a patient to get patient records necessary for the provision of care.” When friends and family members want information about patients in the ED, staff are often uncertain of what’s permitted under HIPAA. Some erroneously believe that hospitals can’t even acknowledge a patient’s presence. “I think facilities are tending to err on the side of not giving out information, which can be frustrating,” says Field. She tells the story of a patient dropped off for treatment who opted out—that is, who requested that no information about him be released. Because the patient asked that no one be told he was there, when his wife came to pick him up that afternoon, the staff could not tell her where her husband was or even if he was there. Matney acknowledges that even her staff would rather fault on the side of giving too little information for fear of giving too much. Patients at her facility are also given the choice of opting out. (Prisoners and psychiatric patients are automatically opted out.) Those who choose to exercise this prerogative are informed that they won’t receive phone calls, cards, or flowers and that no personal information will be released—not even acknowledgment of their presence in the facility. If a patient chooses not to opt out, however, the staff will acknowledge to callers or visitors that the patient is present and give a general account of his or her condition. If these policies are not communicated clearly to staff and patients, they can create more problems than they attempt to solve. Matney recalls the time the father of a privacy officer from another facility was a patient at her hospital’s ED. “When she called in initially, all we would provide was the father’s general condition,” she says. “She was furious with us because she wasn’t getting any more information.” The staff, however, was trained that if a patient is able to give permission to release information and identify to whom it could be released, it could then do so. Therefore, when the father verified that the caller was his daughter and gave his consent for her to obtain information, the staff could have obliged. Healthcare providers are required by HIPAA to make reasonable attempts to limit requests for information or disclosure of information to the minimum amount necessary to achieve the intended goal of the request. However, when the requests involve information necessary for the treatment of the patient, providers are not limited to the minimum necessary. HIPAA requires that providers obtain the consent of patients prior to using or disclosing protected health information for treatment, payment, or healthcare operations. In emergency situations, however, such consent isn’t always possible or practical. If the patient is not able to provide consent, healthcare providers are permitted to use or disclose patient information if, in their professional judgment, a delay would interfere with the timely and appropriate delivery of care. However, the provider is required to attempt to secure that consent as soon as possible after the delivery of treatment. The issues are more complicated when, for example, drug and alcohol abuse or domestic violence are involved. Matney says in cases where there’s suspicion that a patient has been abused or is at risk of physical violence, her facility goes back to state law for guidance and asks above all else whether or not the patient is going to be endangered if information is released. There have been instances, says Field, in which well-intentioned caretakers have passed on information about blood alcohol levels or divulged details without waiting to receive warrants or subpoenas. This, she notes, would have been a problem regardless of HIPAA, but in light of the privacy standard, there are now additional sanctions imposed on ED employees who make improper disclosures. For example, investigators may come to the ED to follow up on complaints of patient abuse and ask for the victim’s complete records. “Under HIPAA, we can’t just give them that absent some appropriate procedures,” Field says. Even then, she explains, the staff can’t just hand over the entire record—only the minimum necessary. “Certainly, if the patient is present and conscious and can give permission to let investigators see their charts, that’s perfectly fine,” Field explains. “But we’ve dealt with instances where the patient may not be present. We have to tell investigators that our reporting requirement is the minimum necessary, and if more information is necessary, a more formal process will be required.” That, she says, is clear under HIPAA. Similarly, when the patient’s condition results from drug or alcohol abuse, there’s reluctance to give a great deal of information even to the family. “In so many [of these] situations, you really can’t acknowledge a drug or alcohol connection,” Matney says. “You only give out information as to the patient’s condition without going into detail. A lot of our nurses feel uncomfortable giving out too much information anymore. There was a time when the nurse and the family kind of bonded together in terms of the care plan for the patient—and they still do that when it’s appropriate—but more and more they refer patients’ families back to the physicians.” INCIDENTAL DISCLOSURE Segregation of patients by movable curtains or screens that do not block sound is still allowed. After the final HIPAA rule was published in December 2000, explains Field, some modifications were made and published in August 2001. One of the major changes concerned incidental disclosure. Field says HIPAA dictates only that the facility take reasonable precautions to protect privacy. Incidental disclosures—those that occur in the course of allowable disclosures—are not violations of the law. Thus, the degree to which health information can and should be muffled is a matter of professional judgment. It’s not always possible to separate patients in a manner that fully protects their privacy, nor is it always possible or even desirable for healthcare providers to speak softly. It’s not required that the ED has soundproof stations, yet staff can make efforts to diminish the transmission of information. Field advises staff to use “inside voices” instead of shouting across the room whenever possible and be aware of unnecessary exposures. Simple measures and thoughtfulness may be all that’s necessary to meet the letter of the law. Take care to step into a room to dictate a report rather than dictating in the hallway where anyone can hear. Remove x-rays from light boxes or cover them when possible. At Bayhealth Medical Center, the waiting room is next to the triage room, which in turn is beside the registration area. “We put in a music system and a couple of televisions that take people’s focus away from everything else that’s going on,” says Matney. CHANGING RELATIONSHIPS
HIPAA raised concerns that EMS personnel might overhear information unrelated to their patients and that socialization would increase opportunities for patients to overhear information parried in conversation about other patients. “We had to limit the contact by restricting EMS’s access to certain areas,” Matney says. “They probably shouldn’t have had access to those areas in the first place, but because of the nature of their work and the intensity of that area, it wasn’t something that we focused on in the past.” Similarly, the relationship between the ED staff and law enforcement officers has changed. Casual exchanges of information pertaining to patients are no longer acceptable. “Police officers often want to know what happened to the patients they brought in earlier,” explains Matney, “even when there isn’t a legal case pending.” In the past, she says, the staff was more comfortable participating in such exchanges because they had close relationships with the officers, but in the age of HIPAA, there’s a new formality that must be observed. ONGOING CHALLENGES In the end, efforts toward maintaining patient privacy depend upon education, understanding, and professional judgment. “We’ve had a close relationship with our ER staff, but it’s been difficult for them because they’re busy and under a lot of pressure,” says Matney. It’s tough enough to have to be reminded about HIPAA when they’re in the midst of such heated activity, she says, yet ED staff members have taken it to heart, despite the lack of clarity and abundance of gray zones. “It’s a fine line,” say Matney, “but an individual’s privacy is just something that demands respect—particularly in the healthcare environment where you can have exposures that can leave people vulnerable. We really need to be sensitive.” — Kate Jackson is a staff writer at For the Record. Resources CMS’s Covered Entity Decision Tools Office for Civil Rights of the Department of Health
and Human Services’ Guidance Document |
 |
 |