Wednesday, October 3, 2012

What frontline staff need to know about HIPAA: a "plain English" version of some of the highlights (Cover Story) - Behavioral Health Management

The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) goes into effect on April 14, 2003. One of its many stipulations is that all staff in a 'covered healthcare entity' must receive training on HIPAA. Do frontline workers need to know all the legal aspects of HIPAA? No, they do not. Do they need to know the intent of HIPAA? Yes, they do.

Why? On one hand, the maintenance of privacy and security of patient/client/consumer data is one of the primary ways that we, in healthcare, build a relationship of trust with our clients. On the other hand, the failure to adhere to HIPAA requirements carries the possibility of both civil fines ($100 fine for each violation up to $25,000 a calendar year) and criminal prosecution, with a possible prison sentence of up to 10 years and a $250,000 fine--good reasons for frontline staff to understand, with as much clarity as possible, just what they're getting into with HIPAA. This is a complex law, with many ramifications, and you should by all means seek professional counsel to guide your organization's particular response to it. The basic requirements, though, can be expressed in fairly straightforward language--my intent with this article.

It's conceivable that you've already engaged in some HIPAA-related activity pertaining to the Privacy Rule. Someone in your organization has probably already determined by now that your agency/practice is a covered entity. Someone has probably already been named as your organization's HIPAA privacy officer. Someone has probably analyzed your agency's policies and practices regarding HIPAA and has revised existing or written new required policies. Someone has probably written the privacy notices that must be clearly displayed in your practice by April 14, 2003, and given to all patients/clients/consumers.

Furthermore, someone has probably written and/or obtained business associate agreements with any other businesses your agency/practice has relationships with, as appropriate. Someone has probably created a mechanism to track information releases that do not require authorization (e.g., coroner's requests). Someone has probably modified or created a HIPAA-compliant authorization (the HIPAA term for the signatory form that allows the release of protected health information [PHI]).

What exactly is PHI? It is denoted by a specific set of personal identifiers that any healthcare operation has or will ever have on a patient/client/consumer, for example: name, address, names of relatives, name of employer(s), birth date, telephone or fax number, e-mail address, Social Security number, health plan beneficiary number, vehicle or other device serial number, finger- or voice prints, photographs, and any other unique identifying number, characteristic, or code.

If PHI is requested by the individual receiving treatment (and the right of the individual to his or her own treatment information is acknowledged by HIPAA) or by those involved in that treatment or related operations, an authorization is not required. For other releases of PHI, a signed authorization is required. This is really nothing new for frontline staff in behavioral healthcare organizations--state laws have long required this. Moreover, a stricter state rule always takes precedence over the HIPAA rules. Authorizations, however, might be unfamiliar territory for new employees just entering the field, and they must be brought up to speed quickly. The following example may help new staffers to understand the concept:

If Mary Jones calls the practice, clinic, or hospital to inquire about her neighbor Sally Smith's diagnosis, it is reasonable to expect that a receptionist, secretary, or healthcare professional would not release the information without an authorization. HIPAA, however, takes this further: If Mary Jones calls the practice to inquire if her neighbor, Sally Smith, is present at the office, this information also could not be given without ensuring that Sally Smith has signed an authorization for release of PHI to Mary Jones. Or, a more likely scenario: If a pharmaceutical company requests names and addresses of everyone receiving a certain prescription, authorizations for the release of these names and addresses would have to be obtained beforehand.

If, on the other hand, a radiologist's office calls and seeks Mary Jones's address for billing purposes after her x-ray has been read, an authorization is not required. Similarly, if the radiologist calls and wants to discuss the reading of the x-ray with Mary Jones's personal physician, an authorization is not required, nor is it required if the practice calls the radiologist to schedule an appointment for Mary Jones. However, if the radiologist's office calls a behavioral healthcare practice and wants to discuss Mary Jones's prognosis, state laws (which, as mentioned, tend to be stricter than HIPAA) will most likely require an authorization.

It is important to note that educational records and student health records are excluded as PHI.

Reception staff and telephone operators, as well as practitioners, must be very careful to ensure that authorizations have been completed before any information is released, other than for treatment or treatment-related purposes. Neglecting to do so is to truck with the possibility of fines and imprisonment.

Who Are 'Personal Representatives'?

Of particular interest to many behavioral healthcare providers might be the fact that HIPAA has a special set of regulations that relates to parents, referred to in HIPAA language as 'personal representatives.' (This term also applies to other adults who might have a caretaker relationship with a client/patient/consumer, and includes consumers who are developmentally disabled or otherwise incapacitated.) Generally, parents do have the right to receive PHI regarding their children, but there are exceptions, e.g., to prevent serious harm or threats to a child. Furthermore, professional staff may elect not to treat a parent (or spouse) as a personal representative if there is a reasonable belief that abuse, domestic violence, or neglect is taking place and might ensue with release of PHI. Again, as with a system for authorizations, some mechanism should be developed whereby frontline reception staff is quickly notified if any of these hazardous situations exist so they can respond appropriately and quickly to requests for PHI.

Emergencies and 'Accidents'

HIPAA continues to permit the release of PHI during emergencies or in cases of imminent threat to a person or to the public at large.

What about 'accidental sightings' of PHI on case records, physician's notes, etc.? Would these be considered violations of the HIPAA Privacy Rule? Although this is not explained in HIPAA regulations as clearly as one might like, we should consider it a best practice, in any event, to prevent this kind of accidental disclosure to the extent possible. Many practices are adopting the 'facing the wall/face down on the desk' rule to avoid this type of accidental disclosure. Simply put, any notes, bills, or other papers containing PHI should be left face down on the desk. All charts, if left in door or hallway containers, should face the wall. In this manner, one adheres to the spirit, if not necessarily the letter, of the law.

This gets back to the initial point made in this article: Adhering to the spirit of HIPAA is of overriding concern.

Randy A. Hayes, MS, LCPC, is the director of quality assurance at Sinnissippi Centers, Inc., Dixon, Illinois. Sinnissippi was the JCAHO 2002 Codman Award winner for behavioral healthcare. Hayes is the coauthor of A Handbook of Quality Change and Implementation for Behavioral Health (C&R Publications, [781] 485-0880). He can be reached at rahayes@essex1.com.