External Affairs
HIPAA: What's True, What Isn't
By Simon Cohn, MD; Robin Dea, MD; Ted Cooper, MD
Preamble to The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
"Public Law 104-191, 104th Congress--An Act to amend the Internal Revenue
Code of 1986 to improve portability and continuity of health insurance
coverage in the group and individual markets, to combat waste, fraud,
and abuse in health insurance and health care delivery, to promote
the use of medical savings accounts, to improve access to long-term
care services and coverage, to simplify the administration of health
insurance, and for other purposes."
You can find this information at: http://aspe.hhs.gov/admnsimp/pl104191.htm.
Like motherhood and apple pie, preservation of patient privacy is universally accepted
as a good thing. And yet, misconceptions about the Health Insurance Portability
and Accountability Act (HIPAA) range from the slightly odd to the ridiculous.
This article gives some examples of what's true and what isn't. Now that
the first HIPAA Administrative Simplification deadline passed on April
14, 2003, physicians continue to sort through fact and fiction of this
complex regulatory effort.
What Is HIPAA?
Using common-sense requirements, HIPAA makes Permanente physicians more conscious of confidentiality
by supporting practice with added policies and procedures. Physicians
already know many of the HIPAA basics--from not discussing patient information
in elevators and cafeterias to making sure that computer passwords are
kept confidential. HIPAA helps us start identifying instances in which people
might be inadvertently releasing protected health information (PHI). This
is a beneficial result of HIPAA.
Being aware of our surroundings while completing routine tasks is crucial. Even the
method used to handle trash can be a HIPAA violation waiting to happen.
Physicians may have several trash bins--for recyclables, regular trash,
and shredded documents. We must make a concerted effort to put garbage
that may contain PHI in the right receptacle as well as to limit access
to those receptacles to follow HIPAA guidelines.
Common HIPAA Misconceptions
Q. I've heard it said that one cannot say a patient's name in a waiting
room because that would be disclosing his/her PHI--that this is a no-no
under HIPAA?
A. This is not a HIPAA violation; however, it is an example of one of the
more "far-out" misconceptions rolling through medical hallways.
Q. I've heard that I won't be able to discuss my patient's case with another
physician. Would this violate HIPAA because I would be disclosing PHI?
A. HIPAA is not intended to adversely affect quality of or access to
care. You may need to consult with another physician or health care
professional regarding a patient's treatment, and this is allowed under
HIPAA.
Q. Patient charts are stored in a room that is not directly supervised
by KP staff but is accessible to the public. The light is on in the room, and the
door is wide open and unlocked. What do I do?
A. To reduce the risk of a HIPAA violation, you should shut and lock the
door so patients' medical records are kept safe and secure. After locking
the door, you should report the incident by following your facility's
security incident reporting procedures.
Q. Will hospitals where patients share rooms have to be remodeled to create
single-bed rooms?
A. No, HIPAA does not require this, according to the Privacy of Health
Information/HIPAA Questions and Answers on the Department of Health
and Human Services Web site.1 For more details, see Web site.
Q. In an examination room, a physician's pager goes off while a patient
is in the room. S/he steps away for a moment to use a
phone in another room. If the physician uses a computer with PHI in the
exam room, what should be done before leaving the room?
A. Before leaving the room, the physician should remove confidential information
from the computer screen to prevent unauthorized disclosure and should
lock the computer session to prevent anyone from accessing health information.
Q. I heard I can't leave my patient a voicemail because others may overhear
or retrieve the message before the patient does. Is this true?
A. No. You can still leave your patient a message on his or her answering
machine. To safeguard the patient's privacy, however, you should limit
the amount of information you disclose on an answering machine. Unless
asked not to do so by your patient, you are allowed to leave a message
with a family member or other person who answers the phone when the
patient is not home.
Q. I heard that, under HIPAA, families can no longer eat with a patient
they are visiting because they could find out additional information such
as if he or she is on a restricted diet. Is this true?
A. This is not true. HIPAA does not state that families can no longer eat
with a patient. It's important to remember that HIPAA offers reasonable
guidelines.
HIPAA Security
Privacy is just one part of HIPAA. HIPAA also has security standards (finalized
in February 2003) that work in concert with the final HIPAA Privacy
Rule.
With a deadline of April 21, 2005, work is underway on how we will comply with the
Security Rule. We have a lot of work to do. Right now we're examining
all parts of the Security Rule to create a plan to bring the organization
into compliance. We will be performing risk assessments and making management
decisions for appropriate security controls to make sure our patients'
electronic information is kept secure. We'll be refining Kaiser Permanente's
systems, policies, and procedures to take security to a new level to meet
the HIPAA deadline less than two years away.
We're also waiting to see if the government will issue additional guidelines for
further clarification of the Security Rule. We'll keep you posted.
References
- 1. United States Department of Health and Human Services. Questions & Answers.
Category: Privacy of health information/HIPAA [Web site].
(accessed on May 20, 2003).
- 2. United States Department of Health and Human Services. Office for Civil Rights--HIPAA.
Medical privacy: national standards to protect the privacy of personal
health information [Web site]. Available from: www.hhs.gov/ocr/hipaa.
(accessed on May 20, 2003).
Failure to Comply with HIPAA
Deliberately breaking HIPAA's rules could undermine member trust in Kaiser Permanente
and could place staff and the organization at risk for penalties
under HIPAA as well as other laws.
- HIPAA allows both civil and criminal penalties, including fines and
possible time in jail.
- The Office for Civil Rights of the Department of Health and Human
Services enforces civil violations, and the Department of Justice
enforces criminal violations of the HIPAA Standards.
- Civil penalties are usually monetary fines. HIPAA allows fines
of up to $100 for each violation of the law, to a limit of $25,000
per year for violations of the same requirement.
- Criminal sanctions for knowing misuse or disclosures of PHI carry
fines of $50,000 to $250,000 and one to ten years' imprisonment.
For more on HIPAA Administrative Simplification, see the Department
of Health and Human Services Web site at: http://aspe.hhs.gov/admnsimp/
Also see KP's HIPAA Intranet site at: http://kpnet.kp.org/hipaa/.
What is HIPAA?
In 1996, Congress enacted the Health Insurance Portability and Accountability
Act (HIPAA).2 HIPAA is a complex federal regulatory effort
that has far-reaching effects on the health care industry--including
health insurance portability and fraud prevention.
Although it is primarily aimed at ensuring portability of health insurance
coverage, another part of HIPAA, called Administrative Simplification,
is aimed at reducing the administrative costs of health care and
includes electronic transactions standards, privacy, and security.
HIPAA offers many opportunities and benefits for the health care industry.
It paves the way for full-scale use of electronic commerce by standardizing
electronic transactions. It eases the transfer of information between
health plans, providers, payers, and the government. It also provides
rigorous safeguards to protect the confidentiality of patient information.