Hospitals and health care workers have gone to great effort to understand the patient privacy rules, but more needs to be done to educate the public, according to some health care providers. The Health Insurance Portability and Accountability Act (HIPAA) became effective for all health care providers and health plans starting in April 2003, with full compliance required by April 2004.
The rule was met with concern and questions from the health care community when it first was introduced, but according to a hospital representative who addressed a Department of Health and Human Services (HHS) panel in July, health care providers have devoted much time and effort to educating themselves about the rule.
However, Sara Howley, director of corporate communications for North Broward (FL) Hospital District, told the HHS panel that the public and media need more education about the rule. She told the National Committee on Vital and Health Statistics' Subcommittee on Privacy and Confidentiality, 'Hospitals have undertaken a great deal of effort to ensure that their staff, physicians, vendors, and volunteers understand the new rules and follow them,' according to an HHS press release. 'We believe that the HIPAA privacy rules are working, but there are areas where greater education is needed.'
Patients who have been in the health care system previously are more likely to be familiar with privacy and information issues, says Bob Norwicke, director of corporate compliance and performance management for Magee Rehabilitation Hospital in Philadelphia.
Norwicke, who serves as Magee's privacy officer, meets personally with patients in his 96-bed facility when they have questions about privacy and access to patient information. He says the questions he most often gets have to do with patients' wishes to see their own medical records. 'Before HIPAA, access to patients' own records was kind of an unclear area with the public, and there seemed to be a cultural belief that you couldn't see your medical records, that it was secret,' Norwicke explains. 'So now that seems to be the thing we deal with most--people wanting to see their own records.'
More complex are situations involving patients admitted with serious head injuries or who have been judged incompetent for other reasons, and determining who has the right to access those patients' records.
The suggestion that HHS provide more information to consumers in an easily understood format is not a bad idea, according to Judy Colby, RN, COHN, manager of Glendale Adventist Occupational Medicine Center in Burbank, CA.
'It's true, in the sense that patients who are more accustomed to a more streamlined, familiar approach, when they could just call up and say, 'Fax this to my other doctor,' might be having some difficulty with the new rule on privacy,' Colby explains. 'Or, for example, I have a 22-year-old child, and I might have a reason to ask [the child's physician] a medical question, and all of that is different now.'
Recognizing the need for public education, the American Medical Association developed a template for a letter it suggests health care providers personalize with their individual facility's privacy practice and send or give to patients. (See sample letter on p. 116.)
One aspect of the privacy act that some patients don't fully understand is that there are limits to their rights to access their records, Colby says. Although a patient has the right to access, copy, and inspect his or her protected health care information within a designated record set, there are limits and the patient's request, if it falls within exceptions to the right of access, may be denied. 'There are some times when patients do get frustrated,' she adds. 'They may think they have complete access to a record, when they don't.'
And while patients have a right to amend protected health care information within a designated record set, that does not mean that they have the right to change a medical record. This is an area that bears further education, Norwicke points out.
Other suggestions that have been made to HHS by providers, besides giving patients easy-to-understand information, are to encourage law enforcement and rescue personnel to tailor their limits on information to those imposed on hospitals, to prevent private information from being divulged through those agencies during emergencies; offering training to media representatives who cover health care issues, for their own education as well as to help them educate the public; and to provide health care providers with questions and answers pertaining to real-life scenarios involving aspects of the privacy rule that providers still struggle with.
Sample Letter for Patients about HIPAA Privacy RuleDear Patient:Physicians have always protected the confidentiality of healthinformation by locking medical records away in file cabinets andrefusing to reveal your health information. Today, state and federallaws also attempt to ensure the confidentiality of this sensitiveinformation.The federal government recently published regulations designed toprotect the privacy of your health information. This 'privacy rule'protects health information that is maintained by physicians,hospitals, other health care providers and health plans. As ofApril 14, 2003, your physician began to comply with the privacyrule's standards for protecting the confidentiality of your healthinformation.This new regulation protects virtually all patients regardless of wherethey live or where they receive their health care. Every time you seea physician, are admitted to the hospital, fill a prescription, or senda claim to a health plan, your physician, the hospital, and health planwill need to consider the privacy rule. All health information,including paper records, oral communications, and electronic formats(such as e-mail) are protected by the privacy rule.The privacy rule also provides you certain rights, such as the right tohave access to your medical records. However, there are exceptions;these rights are not absolute. In addition, we will be taking evenmore precautions in our office to safeguard your health information,such as training our employees and employing computer securitymeasures. Please feel free to ask your physician or our privacycontact about exercising your rights or how your health informationis protected in our office.The Notice of Private Practices attached to this letter explains ourprivacy practices. It contains very important information about howyour protected health information is handled by our office. It alsodescribes how you can exercise your rights with regard to yourprotected health information.Please let us know if you have any questions about our Notice ofPrivacy Practices. You may contact our privacy contact at --, ordiscuss any questions you may have with your physician.Sincerely,Health Care ProviderSource: American Medical Association, Chicago.
SOURCES
For more information about the HIPAA privacy rule, contact:
* Judy Colby, RN, COHN, Manager, Glendale Adventist Occupational Medicine Center, 2211 W. Magnolia Blvd., Suite 110, Burbank, CA 91506. Phone: (818) 526-1565. E-mail: colbyja@ah.org.
* Bob Norwicke, Director, Corporate Compliance and Performance Management, Magee Rehabilitation Hospital, 1513 Race St., Philadelphia, PA 19102. Phone: (215) 587-3000. E-mail: rnorwicke@magee rehab.org.
