New privacy rules leave EH records unprotected
Occupational groups urge Congress to close gap
New privacy rules will have a major impact on how hospitals handle medical information, but will leave employee health records largely unprotected. The rules enacted by the Department of Health and Human Services (HHS), designed to guard against misuse of medical information, largely apply to transactions that are conducted electronically. Since employees do not file medical claims when they receive immunizations or seek opinions from hospital employee health professionals, those records would not fall under the rule’s provisions, says Kae Livsey, RN, MPH, public policy and advocacy manager for the American Association of Occupational Health Nurses (AAOHN) in Atlanta.
AAOHN and the American College of Occupational and Environmental Medicine urged Congress to extend privacy protection to such employee health records. "What we would like to see is legislation that would extend the protections of this rule to all health care providers regardless of whether or not they’re engaged in what are called ‘standard transactions,’" says Livsey.
According to the rules, which stem from the Health Insurance Portability and Accountability Act of 1996, hospitals, health plans, and other providers must:
- Educate patients on privacy, including a written explanation of how the information will be used and disclosed.
- Provide patients access to records and a history of all disclosures, and allow them to make amendments.
- Receive specific consent for nonroutine and nonhealth care uses of information and allow patients to restrict the use and disclosure of information.
- Provide the minimum amount of information necessary for disclosure for purposes other than treatment.
- Adopt written privacy procedures and ensure that "business associates" likewise protect patient privacy.
- Train employees and designate a privacy officer.
- Establish grievance procedures for privacy complaints.
At a Congressional hearing in February, a representative of the American Hospital Association asserted that the privacy regulation would be prohibitively expensive and burdensome.
"It is essential to fix requirements in the privacy rule that could impede patient care or disrupt essential hospital operations, and to that end, Congress should encourage HHS to re-open portions of the new privacy rule for comment," said John Houston, information services director, data security officer, and assistant counsel for the UPMC Health System in Pittsburgh.
Additional staff will be required
Tracking disclosures would require hospitals to install new information technology, Houston said. The regulation would require the hiring of additional staff to handle privacy issues and re-open contracts with "attorneys, auditors, vendors, suppliers, and consultants, to include the hospital’s privacy practices with which each business associate must comply," Houston said. Meanwhile, the AAOHN pointed out that the rules leave significant gaps that may require legislation to correct.
An employee’s medical information in a company wellness program or pre-placement physical wouldn’t be covered by privacy rules, notes Livsey. In fact, if another physician treated a patient for breast cancer, then sent the employee back to work on restricted duty, the information would no longer be covered, she says. "Once that information is sent to the employee health nurse, since the employee health nurse is not a covered entity, the information isn’t anymore, either."