Privacy Rules – Second HIPAA Administrative Simplification Compliance Date Nears


    The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), one of the “administrative simplification” provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), provide comprehensive federal protection for the privacy of health information. The rule creates national standards to protect individuals’ medical records and other personal health information.

    In anticipation of the April 14, 2003, compliance date for the Privacy Rule, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its Guidance for the Privacy Rule on July 6, 2001 (https://www.hhs.gov/ocr/hipaa). According to this document, the Privacy Rule sets boundaries on the use and release of health records by establishing safeguards that healthcare providers and others must meet to protect the privacy of health information. It holds violators accountable: civil and criminal penalties can be imposed on those who violate patients’ privacy rights.

    The final rule was published in the Federal Register on Aug. 14, 2002, and a fact sheet summarizing the rule was released on Aug. 9. Both documents are available at https://www.hhs.gov/ocr/hipaa.

    Neurosurgeons Share Patients’ Concerns
    Right or wrong, the public sees patient data stored on paper as good for privacy and patient data stored on computers as bad for privacy. Today, a large majority of adult citizens in the United States lack confidence that their medical records are safe from unauthorized disclosure or use. They have reached that conclusion because they know that, without their consent, their personal health information easily and legally can be passed around for non-healthcare reasons to people who aren’t physicians.

    The implications are sobering for neurosurgeons. As discussed in HIPAA Compliance for CMA Members, published in 2001 by the California Medical Association, if patients worry that what they tell their physicians may fall into the wrong hands, they may withhold information needed to reach the correct diagnosis. And if patients lose confidence that their personal physician can protect their privacy, the cornerstone of the practice of medicine, the trust-based patient-physician relationship, is in serious jeopardy.

    Privacy Rule Provisions
    Following are some provisions of the rule as described in HIPAA-Clinician/Senior Management Education and Training Materials produced by the California Healthcare Foundation in 2001. It is clear that individually identifiable health information may not be used or disclosed unless specifically approved by the patient or explicitly permitted under HIPAA. Further, patient consent will not be required for the use or disclosure of information for three purposes: treatment, payment and other healthcare operations (TPO).

    The Privacy Rule requires most covered entities to provide individuals with adequate notice of the uses and disclosures of protected health information that the covered entity may make. This privacy notice must explain the individual’s rights and the covered entity’s responsibilities with respect to covered health information. “Covered entities” include health plans, healthcare clearinghouses, and healthcare providers. The Privacy Rule also distinguishes patient consent from patient authorization. Patient authorization covers disclosure of information for non-treatment purposes, such as to employers, underwriters or researchers. The rule also states that the use of health information for non-treatment purposes must be limited to the “minimum necessary.”

    A written agreement that provides for appropriate safeguarding of health information must be in place with all “business associates.” These include practice management consultants, collection agencies, malpractice insurers, and accountants, among others. Each practice must designate a privacy officer, develop privacy policies and procedures, and provide staff training to ensure that health information is protected. Small offices do not have to develop elaborate systems, only basic protections, and the office manager can serve as the privacy officer.

    Consent is not required for sharing a patient’s medical record with another physician when referring the patient to that physician or when billing a patient referred for a specialty consultation. Privacy regulations will require authorization for disclosure of identifiable information in all cases where it is used for ancillary purposes such as research, whether clinical or market research. “Data mining,” by which protected health information (PHI) is often sold for marketing, will be effectively stopped unless authorized by the patient; legitimate research will not be affected.

    Authorization will also be required for information given to employers or for employer group use. The Guidance for the Privacy Rule document indicates that treatment cannot be refused for failure to sign an authorization. Authorizations must be written in specific terms and must identify the information to be disclosed, the persons authorized to make the disclosure, the persons authorized to receive the information, and the “expiration date” of the authorization.

    For records that are subpoenaed for court use, the bottom line is that a properly issued records subpoena will generally be valid, and a physician who releases records under such a subpoena will be protected. This is explained in the Code of Federal Regulations at 45 CFR 164.512(e).

    Physicians must provide a “Notice of Privacy Practices” to each patient no later than the date of the first service after the compliance date, which is April 14, 2003. If the notice is revised, it must be provided to the patient at the first visit after the revision. Patients have the right to inspect and receive a copy of their medical records and to request amendments to them. Though providers have the right to deny inclusion of an amendment, the patient then has the right to file a “Statement of Disagreement,” which becomes part of the record. The provider can file a rebuttal to the Statement, should he or she so choose. Patients also have the right to receive an accounting of disclosures of protected information not related to TPO. Individuals may request restrictions on the use and disclosure of information that go beyond those provided in the rule, but providers are not required to comply with these requests.

    The Security Regulation
    The companion to the Privacy Rule is the Security Regulation. The Security Regulation, which has not yet been finalized, will provide for the physical and electronic protection of PHI in order to prevent unauthorized access. Spokespersons for HHS indicate that the substance of the regulation will not change much in its final form. It is essential to understand and implement the Security Regulation in order to implement the Privacy Rule effectively. The following summary is taken from HIPAA-Clinician/Senior Management Education and Training Materials, published in 2001 by the California HealthCare Foundation.

    Security standards for all patient-specific information can be grouped into four categories: administrative procedure safeguards; comprehensive security policies and procedures; physical safeguards, including data integrity, backup, access, workstation location and security training; and technical security mechanisms to guard against unauthorized access to data. Technical security services need to be in place to protect patient information and to control, monitor and audit individual access to that information. The security standards do not specify particular technology requirements. Each practice must assess its own risk and develop security measures accordingly.

    Neurosurgeons must develop written security policies and procedures for their practices, and employees must receive training on those policies and procedures. Access to data must be controlled through appropriate mechanisms such as passwords and automatic tracking of when patient information has been accessed, reviewed, created, modified, or deleted, and by whom. Security systems must be certified to meet the minimum standards.

    Security and privacy requirements are scalable. In a small office, every staff member may need access to all medical records, and this is permitted; in a large organization whose staff have differentiated tasks, such unlimited access would not be permissible. The techniques used will also depend on the size of the organization. While a large multi-specialty group with 100 staff might use biometric identification and smartcards with passwords, a four-person office might not.

    It appears that most physicians, not only neurosurgeons, are woefully behind in preparing for HIPAA. Speaker after speaker at national meetings has enunciated this problem. Many have said that Congress will repeal HIPAA; no, it won’t. Some have said it is a Clinton program and will go away with a new president; no, it hasn’t. Still others say there will be no HIPAA enforcement for many years; this is incorrect as well. It is time to put anger and denial behind us and to get to work on compliance.

    HIPAA Resources
    Important Dates for HIPAA Implementation
    Aug. 21, 1996 – HIPAA becomes law.
    Dec. 28, 2000 – Final rule “Standards for Privacy of Individually Identifiable Health Information” (Privacy Rule) is published in the Federal Register.
    Dec. 27, 2001 – The Administrative Simplification Compliance Act becomes law, providing a means by which the administrative simplification provisions of HIPAA may be extended by one year.
    April 14, 2001 – Effective date for the Privacy Rule.
    March 27, 2002 – Health and Human Services proposes changes to the Privacy Rule (https://www.hhs.gov/ocr/hipaa/propmods.txt).
    March 29, 2002 – CMS issues a model compliance plan for filing a one-year extension to comply with the rule governing electronic health care transactions (https://www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp).
    July 6, 2002 – The HHS Office for Civil Rights publishes “Guidance for the Privacy Rule” (https://www.hhs.gov/ocr/hipaa).
    Aug. 14, 2002 – Final Rule “Standards for Privacy of Individually Identifiable Health Information” (Privacy Rule) is published in the Federal Register (https://www.hhs.gov/ocr/hipaa/finalreg.html).
    Oct. 15, 2002 – Date by which a compliance plan for a one-year extension must be postmarked or filed electronically.
    Oct. 16, 2002 – Original compliance date for Electronic Health Transactions and Code Sets.
    April 14, 2003 – Compliance date for the Privacy Rule.
    Oct. 16, 2003 – Compliance date for Electronic Health Transactions and Code Sets for those with a compliance plan filed by Oct. 15, 2002.

    John A. Kusske, MD, is chair of the Department of Neurological Surgery at the University of California-Irvine, chair of the AANS Professional Liability Committee, and a member of the AANS/CNS Washington Committee.