Article from the Boston Globe’s On Call Magazine, September, 2002

By Helen Osborne, M.Ed., OTR/L
President of Health Literacy Consulting

It is the responsibility of every healthcare worker to respect patients’ rights, making sure that he or she does not violate the privacy of patient information. It is also the law. Very soon, if you aren’t already, you will likely be receiving special training related to the Health Insurance Portability and Accountability Act (HIPAA) and its effect on patient communication. It is to your advantage to understand what HIPAA means about how you do your job.

Some of the rules affecting healthcare communication are about to change. Starting in 2002, the Health Insurance Portability and Accountability Act, commonly known as HIPAA, will take effect. Enacted in 1996 as the Kassenbaum-Kennedy Act, its provisions affect billing, medical records, patient privacy, and the electronic transmission of medical data. Healthcare professionals need to be ready for the changes it will bring about.

Once HIPAA is fully implemented, healthcare organizations will need to inform patients about their rights. Throughout this process, it is likely that there will be media attention about how HIPAA affects patients and providers alike. Your understanding of the law is important both to ensure your patients realize the benefits the law provides and to help you organization meet the new requirements. Failure to comply with the provisions will be costly, says L. William Katz, DMA, CMC, president of Katz & Associates. If a healthcare worker knowingly violates the regulations, there can be both criminal and civil penalties. Mistakes that are embarrassing now, says Katz, will be expensive under the new law.

The regulations under HIPAA are extensive and complex. Here is a brief overview of some of the major provisions regarding privacy of patient information and how they affect you. To learn more about how HIPAA applies to you, contact the privacy officer where you work.

Medical Privacy

HIPAA specifically addresses issues of patient privacy, protecting all identifying information such as a person’s name, birthday, social security number, phone number, or residence.

Under the medical privacy provision, patients need to give written consent before their medical information is shared with outside agencies. This consent is for short-term use only and cannot be revoked. Patients will also be asked to authorize that their medical information can be used for purposes other than medical care, such as public health studies. This authorization is for a specific timeframe, and the patient has a right to revoke permission at any time.

The privacy provisions will also affect how you interact with patients on a daily basis. Here are some steps you or your organization may need to take to ensure patient privacy:

• Keep a sign-in sheet behind the desk. When patients come in for an appointment, do not ask them to sign their names on a master list. A better alternative, says Katz, is to print a daily appointment sheet and keep it behind the reception desk. When a patient comes in for an appointment, the receptionist can simply check off the person’s name without letting others know who is waiting to be seen.
• Be discrete when calling out a patient’s name. Rather than saying, “Mrs. Jones, the gynecologist will see you now,” go up to the patient and call her by her first name only.
• Keep charts confidential. Many times, patient charts are kept beside exam room doors. Make sure to turn the chart so that the patient’s name faces the wall rather than the corridor.
• Keep phone conversations private. When you talk about patients over the phone, make sure that your conversation is private. Keep the phone in an area where others cannot overhear what you are saying. When you need to leave a message for a patient, state it in a way that only has meaning to that individual.
• Secure computer information. Make sure that your computer system requires a password or fingerprint ID before accessing patient information. When your computer is not in use, the screen should go blank after only a minute or two, and you should be required to log in again when you return.

The Medical Record Belongs to the Patient

Patients have a right to see, and insert changes in, their own medical record. The only exception to this rule is for psychiatric records. Before patients can insert a change, however, they need to fill out a form stating specifically what they want to do and why. This provision means that healthcare organizations need to:

• Have a policy about how to handle patient requests. Healthcare organizations need to determine what to do when patients ask to see their medical records. Each organization should have a system in place that clearly outlines who will answer patient questions and how they will respond to patient concerns.
• Follow procedures to determine if a patient’s proposed changes are correct. While patients have the right to request changes to their medical record, healthcare organizations have the right to refuse if the proposed changes are incorrect. If a patient’s request is denied, the organization needs to put a copy of the patient’s request in the medical record with a note explaining the actions taken. In all cases, nothing in the record should be erased or crossed out. The patient’s changes should be insertions and, if necessary, cross-referenced to the original information.
• Have a system to alert others to changes in the medical record. If changes are made to the medical record, healthcare organizations need to inform others who have access to this information.

Security Standard

Healthcare organizations need to identify someone as a privacy officer. This person is responsible to make sure that the organization complies with HIPAA standards. The privacy officer may ask healthcare employees to:

• Take an inventory of medical information. Organizations need to identify all ways they communicate patient information, including faxes, medical records, and lab slips. Healthcare workers should know where information is kept and where it is going, making sure that all these transmissions are secure.
• Respect the privacy reminders posted in public areas. Many healthcare facilities post signs in corridors and elevators, reminding employees to maintain patient confidentiality. Hopefully these signs are not needed, but they are useful reminders about the seriousness of the privacy standard.
• Participate in HIPAA training. All healthcare employees will be asked to attend HIPAA training sessions. You can help by letting your colleagues know the significance of the new privacy rules. Inform them that HIPAA is not just a law — it is also the right thing to do.

How To Find Out More:

L. William Katz, DMA, CMC, president of Katz & Associates, Inc. in Southborough, MA, consults with healthcare organizations on compliance and managed care matters. To learn more, contact Katz by e-mail at: lwkatz@aol.com

On Line Resources

• Massachusetts Health Data Consortium, Inc., www.mahealthdata.org
• HIPAA News Phoenix, www.hipaacomply.com/timeline.htm
• Federal web sites:
  • Understanding the HIPAA Law, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
  • HIPAA Resources and Links, www.olcsoft.com/hipaa_links.htm