Guidance assists providers' understanding of HIPAA
Guidance assists providers' understanding of HIPAA
HIPAA flexibility can cause problems
Oftentimes HIPAA standards are not as straightforward as a hospital leader might hope or expect but that's by design, says Beth Hjort, RHIA, CHPS, professional practice resource manager for the American Health Information Management Association (AHIMA).
Take, for example, the guidance issued this fall by HHS' Office for Civil Rights (OCR), titled "A Health Care Provider's Guide to the HIPAA Privacy Rule: Communicating with a Patient's Family, Friends, or Others Involved in the Patient's Care," which was aimed at helping health care providers avoid unnecessarily withholding patient information from those who are permitted to have it.
"HIPAA is written flexibly, and that's a good thing," says Hjort. "It's also necessary because there are different state laws that were in place before HIPAA was implemented."
However, she adds, in the quest to write the act reasonably and flexibly, specifics are often lacking and this is one of those instances. "In the case of this particular standard of HIPAA, every organization needs to come up with its own approach," Hjort says. "It's likely to come out in many different ways depending on how someone interprets what they read."
Ironically, she notes, this interpretability is in part what led to the guidance. "We've had media reports of situations where valid family members have not been able to get the information they needed to support loved ones, so in 2008 OCR under HHS wrote this guidance to help."
Responding to the guidance
The guidance, Hjort observes, is divided into two broad categories. The first deals with the sharing of information when the patient is present and has the capacity to make health care decisions. The second deals with cases where a patient is not present or incapacitated.
"The high-level message is that the patient decides whenever possible, but there will be times when the patient is not there," notes Hjort. "Sometimes, the caregiver will default to past preferences; for example, if they know that in the past the patient has decided a certain way or always gave permission to the ex-husband or spouse." At all times, she adds, the ruling consideration should be what is in the best interests of the patient. "To do anything less would impede care," she asserts.
In fact, Hjort continues, providers are guided to have reasonable assurance that the patient formerly has included this person in their realm of openness. "We would pause a little longer, and take more precautions, when dealing with who does not fall in that category such as an estranged relationship. Here, the caregiver must consider what they know and use their best professional judgment," Hjort asserts.
Taking the extra step
In cases where a standard or even a guidance is intentionally broad, Hjort says many hospitals will err on the side of caution. For example, this guidance refers to people claiming to be family members requesting information over the phone. "This can be sticky, because you have no idea who is calling," Hjort notes. "While HIPAA does say it is not the organization's responsibility to validate the truth, it does say that if the person on the phone does not state they are a family member or friend, special precaution should be taken."
What some organizations are doing, she says, is putting in place a system whereby the patient is in greater control and that, she notes, "is at the base of the privacy rule." Such a system works like this: The patient is given a code number say the last three digits of his or her hospital account number. "This way, access to information is controlled because the code is only given out to people the patient is comfortable sharing information with," Hjort explains. In addition to code numbers, a birth date or password might also be used, she says.
What about documentation?
Another area where the guidance is not proscriptive is that of documentation. HIPAA does not require the provider to document the decision to share information but doesn't that create the potential for liability exposure?
This is a judgment call, says Hjort. "I think, in a normal patient care setting where activity is significant and communication needs to move swiftly, many organizations would not find documenting every decision to be practical," she concedes. "However, if there was a circumstance that seemed unusual and documentation would serve as a 'memory,' I would err on the side of documenting those circumstances. By doing what is in the patient's best interest and keeping things moving along, that is the most practical way for the organization to deal with this element; that's one of the reasons it was written so flexibly."
Hjort strongly recommends that those who work in privacy and leadership roles stay up to date with any changes or additional guidance provided about HIPAA. "With the privacy and security rule, online guidance regularly comes out," she notes. "Once that information is known, the privacy program should call for updates, reminders, and keeping staff current in whatever manner you teach the staff. You might do it as an inservice at the department level, through online training, and you may update your policies and procedures so the changes are communicated throughout the work force. This can both help you clarify your policies and teach your staff at a more granular level, so they become more aware of how they might deal with these questions."
[For more information, contact:
Beth Hjort, RHIA, CHPS, professional practice resource manager, American Health Information Management Association. Phone: (312) 233-1123.]
Oftentimes HIPAA standards are not as straightforward as a hospital leader might hope or expect — but that's by design, says Beth Hjort, RHIA, CHPS, professional practice resource manager for the American Health Information Management Association (AHIMA).Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.