April 9, 2003

MEDICAL PRIVACY BOOSTED

HOSPITALS ARE UPGRADING SYSTEMS AND PRACTICES TO COMPLY WITH NEW LAW

04/08/2003

By ROGER YU / The Dallas Morning News

Hospitals are learning to be more discreet. And as they do, patients will be signing more papers.

Seven years after approval by Congress, the Health Insurance Portability and Accountability Act is set to take effect. Hospitals and other health care organizations nationwide are scrambling to meet an April 14 deadline.

The first phase of the law, known in the industry by the acronym HIPAA, calls for tighter controls over patients' files. Unauthorized disclosure of personal medical data can bring up to 10 years in prison and a fine of $250,000.

From the additional paperwork to costly upgrades of hospitals' information technology systems, the law is making itself felt throughout the health care system. It will touch everything from how flowers are delivered to which relatives can obtain medical condition updates to the records available to drug manufacturers for marketing purposes.

Although the law is meant to safeguard patients' privacy rights, it also requires hospitals, pharmacies, doctors and insurance companies to ensure that any disclosure of records can be fully traced.

"It's about what we can't do rather than what we can do," said Rebecca Hurley, vice president and chief HIPAA compliance officer at Plano-based Triad Hospitals Inc. "It makes the privacy procedure codified, standardized and federalized."

Breathless doctors shouting out patients' conditions to nurses – as seen in countless TV dramas – are now more fictional than ever before under the new law.

"When we're watching ER, my husband would ask me if I've spotted any HIPAA violations," Ms. Hurley joked.

But enforcing HIPAA is no joking matter.

Privacy principles

Experts say that most HIPAA rules are stated in principle only and come with no clear-cut answers on implementation.
Many of the mandates about privacy will require on-the-feet thinking and common sense as care is dispensed by front-line providers.

Hospitals, doctors and others worry about whether they can provide enough training to avoid violating HIPAA. Many doctors and hospital administrators are confused about the rules and have yet to make operational changes, some analysts say.

Baylor Health Care System, which has about 125 employees involved in HIPAA implementation, will spend about $7.5 million over five years to train and upgrade its IT systems for the law, said Jerry Hopgood, director of HIPAA compliance. Every Baylor employee will be required to attend a HIPAA class.

Texas Health Resources, which runs 13 acute care hospitals in the region, has budgeted $10 million in capital spending for HIPAA compliance over five years, not including the cost for training, according to Pat Johnston, system privacy officer.

Still, local health care organizations say that they've always been careful with sensitive information and that the law won't mark a sea change.

"Many of the changes will be invisible to patients," said Beth Mancini, a senior vice president of nursing at Parkland Health & Hospital System. "They will not see the fact that doctors handle documents differently than before."

For hospital patients, the first major change will come at registration, when they have to sign a "notice of privacy practices" that states consumers' privacy rights.

From that additional paperwork will flow enhanced protection of patients' privacy – and changes in the procedures and culture of health care organizations, experts say.

For example, a patient will be able to use the privacy notice to specify exclusion from the hospital directory, which would forbid the hospital from disclosing whether someone has been admitted.

Under HIPAA, a friend calling to seek information about a patient listed in the directory would be given only a one-word condition.
A close relative also might be similarly limited. Or perhaps not. If a hospital were already working with a patient's immediate family, those family members would be presumed to be the conduit for sharing information. But a distant relative might get that access if he or she is the first person to be identified as the next of kin.

Health care practitioners would have to apply the legal "reasonable standard," meaning they would exercise professional judgment on whether the disclosure would be proper.

"Professional judgment will be crucial," Mr. Hopgood said. "The nursing staff will have to see that if a patient comes in unconscious, you err on the side of conservatism."

The privacy notice also informs patients that their medical information can be released if it is required for health care procedures. That would include disclosure to doctors, nurses, health care technicians and pharmacists for clinical decisions.

A health care organization also can release patients' medical information to collect payments, and thus the government and insurance companies could be entitled to the data.

HIPAA says the level of disclosure for clinical and payment operations is "the most minimum needed" to achieve the goal.

At the same time, the law's language pulls providers in another direction because they must be able to document any disclosures that do take place.

For example, if a hospital's radiology department provides records to a third party such as a medical specialist or an insurer, it would have to alert the medical records department.

"Before, access to medical records were more open," said Parkland's Ms. Mancini. "They got the medical record, but now you only get the minimum amount of documents needed to do the work.

"Do you need all the lab data? Who has the right to know? These are the types of questions that need to be asked."

Culture changing

The changes won't just affect those who move paper or electronic files through a hospital's bureaucracy.
The culture of health care providers will change, too.

Under HIPAA, care providers also are being cautioned to avoid overhearing information or stumbling into accidental disclosure.

At Triad, that means doctors, nurses and others will take extra care to ensure that the curtain is pulled between beds in a semi-private room, that they speak in lower voices or that they ask family members to move.

At Baylor's main campus, the hospital's ER inserted a partition between the triage area and the patient waiting area.

Texas Health Resources, meanwhile, has concealed from public view the information boards that list patients, their locations and their physicians, according to Ms. Johnston, the privacy officer. These boards, typically located at nursing stations, in emergency rooms and in operating rooms, have dropped the types of procedures involved.

Texas Health Resources also is directing its hospitals to shut the covers of chart holder bins near patient beds. Hospitals that have no bin covers are training employees to place charts with the cover page facing a wall.

Employees are being trained to be discreet about conversations in public places, such as elevators, and the use of name badges for visiting vendors is being more strictly enforced.

Texas Health Resources also installed encryption software for its e-mail system and is making changes to make sure that shredding bins are more secure.

Consumers can exercise other rights, too. They'll be able to inspect their records, ask for corrections and challenge any entry. They'll also be able to ask for an accounting of how their medical records were disclosed to third parties.

And if they're hospitalized, they also may see some benefits when they go home: They'll be able to ward off unwanted mail by shielding their names from fund-raising foundations and drug manufacturers.

Baylor's Mr. Hopgood predicted, "Patients will see a decrease of marketing literature sent to them."