Although it has been cooking for several years, on April 14th 2003, the privacy component of the regulation kicks in and agencies are scrambling not to be caught with their pants down. The regulation is HIPAA (Health Insurance Portability and Accountability Act) and it was passed in 1996 (sort of) and rolled out incrementally to most hospital professionals other than information systems staff and vendors over the past 7 years.
The intent in its first few iterations was to guide the proliferation of computer-based records maximizing efficiencies of passing information across entities, thereby keeping costs down, and at the same time protecting patient confidentiality (Maddox, 2003). The four objectives were to (a) improve portability and continuity of health care insurance; (b) reduce costs administering health care; (c) provide a standardized system of information exchange between employers, providers, payers, and beneficiaries; while at the same time (d) protecting patient's rights to control and access their private information (U.S. Department of Health and Human Services, 2002). What has resulted is the pervasive fear of HIPAA police hiding in elevators ready to pounce on poor, unsuspecting nurses discussing care of patients on their way to lunch. Although patient privacy is the centerpiece of the new regulations, it is important for all of us to know what HIPAA is and what HIPAA isn't so that we can confidently carry on our work.
What HIPAA Is
HIPAA was enacted to protect patient privacy and the confidentiality of health information. The regulation states '... the entire health care system is based on the willingness of individuals to share the most intimate details of their lives with their health care providers' (HIPAA, CFR 45 [section] 164.502[g]) (Maradiegue, 2002). HIPAA protects us as consumers and reminds us of our responsibility as providers. Privacy is a fundamental right. As such, it must be viewed with respect by all pediatric nurses and must be emphasized to new nurses as they begin to work. Their day-to-day functioning requires that they have information and use its appropriately and judiciously. I think we all learned that in our NURSING 101 classes, reemphasized in our first clinical experiences, and reminded periodically in the workplace. Violating patient confidentiality is akin to giving a wrong medication, although the consequences might not have been perceived as ominous, thus permitting unintentional slips through the cracks with privacy breeches in public places.
The new HIPAA rules to take effect will require providers and payers to develop and implement basic administrative procedures to protect health information and the rights of individuals with respect to that information (Lawson, Orr, & Klar, 2003). The proliferation of institutional policies will give the appearance of heavy enforcement of those rules with respect to patient privacy that have, as well, been translated into mild to moderate threats of fines imposed on perpetrators or information crimes. What we all know, however, is that we do hold these values to be self-evident: that patient confidentiality is a promise we make with our pediatric patients' families. In addition to a much-needed emphasis, the original versions of HIPAA purported to give patients more control over and access to their medical information, protecting them from real or potential threats of disclosure to persons or places that they have not authorized. But the devil is in the details, and what institutions may impose in a zealous move to compliance warrants careful consideration to prevent many activities perceived as unacceptable when, in fact, they are necessary to care for consumers.
What HIPAA Is Not
HIPAA is not intended to prevent the normal information acquisition that health care workers need to function. It is not intended to limit use of patient information for teaching purposes and the development of future providers. Institutions must develop methods of training all who work with information on what HIPAA rules are, what information is protected, and exceptions that have been identified. These are not intended to block exchange of information for patient care, analysis of information for continuous quality improvement, or allowances of student nurses to be trained in hospitals, although it may appear to be happening.
A careful understanding of the details will equip nurses to recognize the gravity of unintentional disclosures without compromising exchange of necessary information because of unreasonable fear of penalty. Health care administrators should be ready to document how patient health information is protected, alert patients to their rights as the rules are intended, but understand the intent of the law's protection rather than block the providers' normal routines of delivering and evaluating care. We should all be cognizant of the promise we make to consumers, but not limit the reviews we do to improve care, nor block the institutions' commitments to develop future providers who are, in fact, acceptable within the rules.
And yes, those elevator conversations are a violation of patients' privacy. We knew that ... but perhaps needed reminding.
References/Readings
Lawson, N., Orr, N., Klar, D. (2003). The HIPAA privacy rule: An overview of compliance initiatives and requirements. Defense Counsel Journal, 70(1), 127-150.
Maddox, P.J. (2003). HIPAA: Update on rule and compliance requirements. MEDSurg Nursing, 12(1), 59-64.
Maradiegue, A. (2002). The Health Insurance Portability and Accountability Act and adolescents. Pediatric Nursing, 28(4), 417-420.
U.S. Department of Health and Human Services. (2002). Standards for privacy of individually identifiable information. Retrieved March 31, 2003, from http://aspe.hhs.gov/admnsimp/final/ pvcguide1.htm
Ziel, S., & Gentry, K. (2003). Ready? HIPAA's here: Once the HIPAA privacy rule takes effect on April 14, you'll have to exert even more care than usual in guarding the confidentiality of patient information. RN, 66(2), 67-70.
Veronica Feeg, PhD, RN, FAAN Editor
