The new privacy: Rules, fines, prison
‘The burden is always on the front line’
The first federal standards for protecting the privacy of Americans’ medical records — issued in December by the Department of Health and Human Services — are more far-reaching than first proposed and promise to significantly impact the operation of hospital access departments.
The rules cover not only electronic medical records — as was proposed by the administration a year ago — but paper records and oral communications. They require patients’ written consent for even routine disclosure of information, which was not covered in the earlier plan.
The new standards, which take full effect in two years, guarantee patients access to their health files, restrict the release of their personal information without their approval, and give them greater say about how the files are used.
"There are definitely going to be a lot of things [access professionals] will have to react to," says Nancy Farrington, MBA, CHAM, vice president of the National Association of Healthcare Access Management (NAHAM). "One of the most significant pieces in terms of access is that individual organizations make decisions about who is going to share information on the rules with patients," adds Farrington, who is MPI/CDR administrator for Main Line Health Data Center in Berwyn, PA. "Based on our experience with Advance Directives, it seems likely that will be done in access. To try to do it in other departments doesn’t make much sense."
According to the fact sheet issued with the rules, providers and health care plans are required to give patients a clear, written explanation of how those entities can keep and disclose patient information, she points out.
"That means that every hospital and outpatient clinic will have to have a handout available for patients saying, ‘Here’s how we use your information, here’s how we store it, and here’s our process for disclosing it.’ That’s something that’s never been done before — proactively providing information to patients on how their health information is handled."
The requirement that providers must have patients’ consent before information is released will impact health care organizations differently depending on what they’re already doing in that regard, Farrington says. And, she adds, "how in-depth that [requirement] goes we won’t know until more rules are issued."
"In many environments at this time, health care providers have a blanket consent form signed that enables them to release information for payment purposes," Farrington says. "Patients sign it the first time they see the doctor and never see it again. The way this portion [of the new standard] is written there is the anticipation that [the obtaining of this consent] will be more specific and more frequent."
At present, she notes, many providers don’t ask patients coming in for routine outpatient services to sign any release because those patients come with a form from their HMO authorizing the visit. That may change, Farrington suggests, meaning the addition of significantly more paperwork for access personnel, as well as time spent explaining the provisions to patients. "The burden is always on the front line."
The patient’s choice
It also will be interesting to see what develops from the idea that a patient may be quite specific about restrictions on the use and disclosure of information, she says. Even now, Farrington adds, some patients at her organization refuse to provide their Social Security number, which Main Line uses as a primary identifier.
With the new privacy rules, she says, in theory, patients would have the ability to specify any piece of information and say that providers can’t share it with physicians or other providers. "[Hospitals] would have to develop all sorts of computer systems to determine what is shareable and what is not."
Another potential change in hospital computer systems, Farrington says, will involve the ability to monitor those who have access to patient demographic information. "Right now at our organization, we have the ability to identify which employees look at clinical data, but not those who look at demographic data."
There is a big learning curve, she notes, any time there are computer changes. Additionally, "someone will have to review who looked at the data and whether they had a reason to do so. That’s a burden on management."
The full implications of the regulations won’t be apparent, Farrington suggests, until experience and case law come into play. She cautions, however, that access managers "don’t have the luxury to wait and see" before taking action. Those who wait two years before making changes will be so far behind they’re likely to find themselves in gross violation of the law, Farrington predicts.
"We need to start immediately to prepare," she says, "so as the nuances of the regulations become reality, we’re most of the way there."
Penalties in connection with breaches of patient privacy "have been long anticipated," Farrington notes. "I’ve been warning registration staff for a long time about the mistakes they make that can violate patient confidentiality. If, for example, they put the wrong doctor’s name and the wrong doctor gets the patient’s results, they are potentially subject to fines. It will require a lot more accuracy not to have penalties."
Initially, the fines levied in connection with the privacy standard will be related specifically to intentional wrongdoing, she predicts. "But once all that happens, the feds will start looking for breaches that are just the result of error."
As to whether individual employees, or just their institutions, will be liable, Farrington notes, "We’ll need to see how it plays out, but it says here [in the regulations] that the penalty could be a year in prison. Obviously, a hospital can’t be put in prison, so at some point an access representative who deliberately disclosed patient information could be subject to time in a penitentiary."
One of the provisions of the new privacy standard that has garnered the largest public reaction, she points out, is that the umbrella has been expanded to cover not only electronic records, but written and oral information.
"That is absolutely logical and had been anticipated by many people," Farrington says, "and it [highlights] the need for continuous improvement in the culture of our health care organizations. If you walk through the corridors or the hospital parking lot, you routinely hear doctors talking about patients. In the past, that was not appropriate. Now it is illegal.
"This shouldn’t be shocking in that these are behaviors we should all have been mindful of in the past," she adds. "Now the potential is there for fines and imprisonment."