Is your practice ready for the new privacy rules?
From the June 2001 ACP-ASIM Observer, copyright © 2001 by the American College of Physicians-American Society of Internal Medicine.
By William Hoffman
Atlanta—At Ft. Edward Internal Medicine, the first casualty of the Health Insurance Portability and Accountability Act (HIPAA) will likely be the fax machine.
“The fax machine as it now stands will not stand up to HIPAA,” said Patricia L. Hale, ACP–ASIM Member, an internist with the small group in Ft. Edward, N.Y. and Chair of the College’s Medical Informatics Subcommittee. The problem? It is nearly impossible to make sure that incoming faxes are seen only by the intended receiver and not someone else.
At an Annual Session presentation on HIPAA’s privacy and confidentiality rules, Dr. Hale and other internists said that fax machines are only the beginning of physicians’ troubles. They said that internists will have to examine everything from e-mail accounts to the way staff handle telephone calls to prepare for the sweeping new privacy rules.
“Privacy protection started out as a wonderful little idea that has exploded into a huge mass of regulations.”
—Patricia L. Hale, ACP-ASIM Member
Despite vocal protests from the health care industry, the privacy component of HIPAA was formally implemented in April. And while the Bush administration has promised to change some of those rules before they fully take effect, physicians need to begin preparing their practices now.
Dr. Hale, for example, said that her practice does not have e-mail accounts at Web sites like Hotmail.com because privacy protections will not meet the law’s requirements. Her practice doesn’t even send patient appointment reminders on postcards because of concerns about confidentiality.
Other panelists said that physicians might consider changing the age-old practice of having reception area staff call out patients’ names in the waiting room. Steven S. Eisenberg, MD, medical director of Blue Cross Blue Shield of Minnesota, explained that lawyers at a recent HIPAA conference suggested that office staff instead distribute numbers to patients as they arrive in the office, on a first-come-first-served basis. Dr. Eisenberg explained that the lawyers said such a system will help protect the identities of patients waiting in your office.
That suggestion may seem like overkill, but Dr. Eisenberg said that many practices currently treat information now protected under HIPAA far too casually. During a recent routine trip to his personal physician, for example, he said he was dumbfounded by the number of potential HIPAA violations he witnessed.
He described the casual conversation about his medical care he had with the office receptionist, his medical chart hanging from the examination room door, and patient records left on physicians’ desktops at night where inquisitive custodians might spy them. Under HIPAA, he said, these practices will have to stop.
Along those lines, Dr. Hale suggested that physicians should reconsider leaving recorded messages at patients’ homes. The fear is that unauthorized third parties may access the medical information in messages left on answering machines and voice mail.
“It’s really a question of whether you can say it’s a doctor’s office calling,” Dr. Hale explained. She recommended leaving only a phone number and a request that the call be returned.
Dr. Hale said she never thought she’d have to buy a paper shredder, but HIPAA will make the machines standard office equipment to dispose of anything that could be construed under the law as a medical record.
“It started out as a wonderful little idea that has exploded into a huge mass of regulations,” Dr. Hale said.
Preparing staff, patients
Despite some grumbling about the new regulations, panelists at the session agreed that the privacy protections will be good for medicine.
Bruce Slater, FACP, assistant professor of medicine at George Washington University Medical Center in Washington, said it’s about time physicians and other health care providers cleaned up how they handle patients’ private medical information. HIPAA’s blanket protection of patient information may be draconian, he noted, “but it’s probably right.”
And Dr. Hale noted that HIPAA’s overall provisions should not only make clinical information more portable and accessible but also help reduce costs for the entire health care industry.
The bad news is that to take advantage of these benefits—and to comply with the law—physicians will need to revamp parts of their practices.
Panelists said that to avoid the type of problem that Dr. Eisenberg witnessed at his physician’s office, physicians should train employees to avoid conversations with patients in communal office areas—like the waiting room—or outside of the office.
Physicians should also take a close look at their computer systems. Medical practices must protect e-mail systems, for example, from prying eyes and hackers. Portable computers such as personal digital assistants and handheld systems need password protection and other security measures to protect patients’ confidentiality. You should also install systems to establish audit trails when staff members access private medical information.
Panelists also suggested preparing your patients for the transition. Create forms that allow patients to authorize the release of medical information for procedures that require cross-specialty or out-of-office access to records and data. If patients refuse to sign releases, the panelists said, you are under no obligation to provide treatment.
You’ll also need to prepare your business partners. Obtain HIPAA-compliant confidentiality and security agreements from every pharmacy, lab, supply house, nursing home, group home, hospital, health plan and insurer with which your practice works. You should ascertain whether each is considering the implications of the new law, Dr. Hale advised.
Finally, the panelists said physicians should remember that HIPAA is in many ways a work in progress. Dr. Eisenberg pointed out that many of the HIPAA mandates include a “standard of reasonableness.” In other words, the regulations are supposed to balance the protection patients need against the difficulty and expense the health care industry must endure to give that protection.
“In law school,” he said, “you are taught that the word ‘reasonable’ means ‘will be decided in court.’ ” He noted that the word “reasonable” appears 44 times in the HIPAA law.
William Hoffman is a freelance writer in Fairfax, Va.