AMs report few problems with new privacy notice
But opt-out option still causing confusion
Implementation of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule appears to be going surprisingly well, thanks to extensive planning and a public already used to being informed about privacy practices. That’s the consensus of a sampling of access managers who spoke with Hospital Access Management about their hospitals’ experience with the regulation, which became effective on April 14. Most say any glitches have been minor and have not posed a threat to patient confidentiality.
At Ridgecrest (CA) Regional Hospital, patients are very receptive to signing the Notice of Privacy Practices form, says Monika Lenz, CHAA, admitting/communications team leader. "It seems everyone has already been so deluged with these notices from all corners of commerce that our form is a nonissue."
Registrars there have patients sign the form, enter the date they signed in the registration, and then send the original signature to the medical records department, she notes. If the patient goes to a nursing unit, the form is sent there, along with face sheet and consent form, Lenz adds. If the patient wishes to opt out and not sign the form, she says, registrars check a field in the registration and that patient’s information does not appear on certain reports or the clergy census.
The clergy census, meanwhile, has become a more sensitive issue, Lenz adds, and one that has not been resolved completely. "We have a group of clergy that volunteer to be on call to our patients," she says. "These folks have been used to having the entire census available to them."
In an effort to comply with HIPAA, Lenz notes, the hospital decided to allow clergy of the Christian faith to see only the census for Christian patients, rabbis to see only the names of Jewish patients, and so on. The clergy, however, believe they should be allowed to have a listing of all patients, including those who have no preference listed in the religion field, she says. "The issue is still pending," Lenz adds, "and we are continuing to give the clergy our full census for now."
For the most part, implementation of the privacy rule is going smoothly at Swedish Covenant Hospital in Chicago, says Gillian Cappiello, CHAM, senior director of access services and chief privacy officer. "The biggest issues I hear about are more erring on the side of being overly cautious than potential breaches in confidentiality."
"For example," she adds, "although we are now relatively comfortable with our medical staff having access to all patients, we are still struggling with how to limit access to their office staff, who they rely on to obtain clinical and other protected health information [PHI]."
Concerns that do come up, Cappiello notes, are things such as faxes going astray, as in a recent instance in which the hospital’s administration office received faxed PHI with no cover sheet. "Fortunately, the sender’s information was programmed to print on the fax, and I called [the sender] — a doctor’s office — to explain what had occurred and ask who the intended recipient was."
Even though physician offices are responsible for their own privacy practices, she adds, it gave her an opportunity to remind the office staff why they should always use a fax cover sheet.
On the training and education side, Cappiello says, she does rounds in the departments and nursing units to check for any HIPAA concerns. "One thing I am finding, with nursing especially, is that each unit is not consistent with how it is handling things," she points out. "Once I have completed rounds, I will be compiling a list of issues that need to be addressed by unit. If another unit has come up with a best practice, this will be shared and implemented on all units, and the unit with the best practice will be recognized and rewarded."
"For example," Cappiello adds, "one unit purchased an enclosed container where specimens for lab pickup are placed; whereas, other units were still using open trays on counters where a label with PHI could be seen by a visitor to the nursing station." If a concern is common to all units, with no best practice identified, she says, the units will be challenged to come up with one, and the unit with the best idea will be rewarded.
Opting out’ confusing at first
After the initial stress of being worried about making a mistake, of having "to think about 10 times before they say anything," her employees are settling into a routine with HIPAA privacy compliance, says Lisa Marie Freiberg, team leader for admitting at the Lake Hospital System in Painsville, OH.
There was some confusion at first, she notes, with the process by which patients opt out of being included in the facility directory. The way the question was put in the hospital’s computer system, Star Navigator, staff had to think about whether the answer should be yes or no, if a patient did not want to be listed, Freiberg explains. In the computer system, the answer was "yes" if the choice was to opt out. On the consent form, the question was phrased so that "no" was the right answer, she notes. "Once they adjusted to that, everything was fine." Those who do opt out are given a form explaining what their choice means, Freiberg says, and social services and utilization review personnel follow up with patients to make sure they understand.
Encounters with irate family members who — after being unable to get access to the room — say the patient misunderstood also are dwindling, she notes. "Things are settling down. It’s just taking the time to explain to patients."
At Davis Memorial Hospital in Elkins, WV, most of the hassle associated with the privacy rule implementation also has had to do with the opt-out provision, says Pattie Weese, patient access supervisor. "A number of people will call and say, Do you have so-and-so there?’ and we explain that due to federal privacy rules, we can neither confirm nor deny that person’s presence in the hospital. The caller will often persist, she adds, saying, I know they’re there.’"
In many cases, Weese says, those calls come to the emergency department and are from people who have seen an ambulance on their street or witnessed an accident and want to know who might have been taken to the hospital. To minimize misunderstandings, she notes, the hospital gives each patient not only the notice of privacy, but also a separate sheet that summarizes the main points. In addition, Weese says, the director of corporate compliance put together another handout designed to answer patients’ HIPAA-related questions.
To ensure compliance, Davis Memorial’s computer system was changed so that a census prints out every two hours, containing only the names of those who have said it’s OK to include them, she adds. So far, Weese says, there has been only one patient at the small community hospital who chose not to be included in the list — and that was after the person had been admitted.
One hospital in the area has chosen to take absolutely no chances with privacy rule compliance, she adds. Even in the case of a patient who has not opted out of being included in the directory, Weese explains, that facility won’t let callers get past the switchboard unless they know the patient’s room number.
Planning and prep pay off
At Providence Health System in Portland, OR, extensive advance preparation — including training front desk employees at facilities throughout the state — helped ensure a seamless privacy rule implementation, notes Barbara Wegner, CHAM, director of regional access services. "We did work on developing and rolling out the new process for at least a year before the effective date," Wegner adds. "I believe all our planning and training paid off, because we have not really had problems when you consider how big our health system is and that all patients need to receive this privacy notice on admission."
A year’s worth of planning and preparation — along with the training and oversight provided by the organization’s privacy officer — also was the key to a successful transition at the University of Arkansas Medical System (UAMS) in Little Rock, says Holly Hiryak, RN, CHAM, director of admissions for the University Hospital. "Overall, it’s gone pretty darn well," adds Hiryak, who also credits work by the information systems (IS) department, which wrote reports allowing immediate monitoring of what was populating the computer system in regard to the privacy notice distribution. "If we saw something that was not right, we were able to immediately get back to the individual and educate," she says.
The system had been set up so that employees could indicate that the privacy notice was provided when the patient was on site receiving care or that a telephone encounter had resulted in a mail request being made, Hiryak explains.
Because HIPAA specifies that the notice be delivered at the time of the first service provided to the patient after the rule’s effective date, she says, in many cases that affects patients calling UAMS for medical advice or to have a prescription refilled. "We have a huge facility here and a lot of patients calling in, so we had to have a mechanism for getting the notice out to them," Hiryak says. "[What happens is] we flag the system with a mail request, and at midnight, the system goes back and looks at the fields with MR’ [mail request] and generates a letter that includes a [privacy] form and an acknowledgement."
Once the letter has been sent, the designation changes to "notice mailed," she adds.
The report designed by IS reads what is in the privacy field, Hiryak notes. If anything other than "notice provided" or "notice mailed" is in the field, employees have to ask the patient about the privacy notice. Because the privacy field is required, the business office — which sometimes needs to update an account when there is no patient care or contact — had to be given a code to use in the field, she says.
Since patients often come onto the hospital campus and have two or three appointments, the system is set up so that they are asked about the privacy notice only once, Hiryak adds. The privacy field is populated in real time so that the employee handling the patient’s second encounter knows he or she has already been given the notice.
As for patient reaction to the additional paperwork associated with the privacy notice, "we really didn’t hear too much," she says. "They’re getting [privacy information] so many other places that they’re used to it. The banks really helped pave the way for us. By the time hospitals came on board, we were just one more group."
Editor’s note:
- Monika Lenz can be reached at [email protected].
- Gillian Cappiello can be reached at [email protected].
- Lisa Marie Freiberg can be reached at [email protected].
- Pattie Weese can be reached at [email protected].
- Barbara Wegner can be reached at [email protected].
- Holly Hiryak can be reached at [email protected].
Implementation of the Health Insurance Portability and Accountability Act privacy rule appears to be going surprisingly well, thanks to extensive planning and a public already used to being informed about privacy practices. Thats the consensus of a sampling of access managers who spoke with Hospital Access Management about their hospitals experience with the regulation.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.