VUMC departments launch patient privacy assessments, prepare for HIPPA compliance
With new federal patient privacy regulations going into effect in April, each VUMC department has begun or will soon begin a self-assessment to evaluate uses and disclosures of patient information and to uncover any actual or potential sources of inadvertent exposure of this information.
The new federal regulations are a result of the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA. The regulations concern all health information – whether electronic, written or verbal – that can be connected with individual patients. HIPAA also gives consumers greater control over their medical records, and mandates an administrative structure that hospitals and other providers must use to implement and monitor compliance with privacy regulations. The law carries criminal penalties for knowingly misusing patient information.
HIPAA places patient information on a need-to-know basis, but there’s nothing in the regulation that would inhibit sharing of information for purposes of treatment, said Jim Hollender, privacy official for VUMC.
“HIPAA requires reasonable effort to limit incidental exposures of patient information,” Hollender said. “The intent was not to interfere with normal standards of practice. HIPAA privacy provisions are a challenge, but they’re largely an administrative challenge rather than any sort of impediment to treatment.” As the medical center strives to create an optimum environment for protection of patient privacy, Hollender stresses that, “We need everyone to be sensitive to these issues, and take the necessary steps to achieve compliance, but we also need to be reasonable and maintain our focus on quality care.”
VUMC’s HIPAA compliance strategy includes a number of new enterprise-wide patient privacy protections, many of which are already being implemented, the department self-assessments now in progress, which will point the way to further measures to protect privacy, and an ongoing patient privacy training program now in development for all VUMC staff and faculty. Vanderbilt departments that frequently disclose patient information to outside groups – to payers, to government entities, to law enforcement – warrant added evaluation and training.
Departments are guided through the privacy assessment by an 18-page form devoted to uses of patient information and to any intentional or unintentional disclosures of this information. The assessment results in a list of department tasks for achieving HIPAA compliance. Most departments will complete the assessment by Thanksgiving.
Staff and faculty patient privacy training will begin by the new year and will be completed by April 1. Training will take 20 to 30 minutes, with longer versions for departments that disclose information to outside groups. A one-page workplace checklist has been developed as a quick reference to support day-to-day compliance.
As for establishing patient control over information, Vanderbilt will ask patients to read and sign a notice describing permitted uses and disclosures of patient information. Any use or disclosure of patient information not listed in the notice will require special permission from the patient.
Another section of HIPAA standardizes electronic transactions involving patient information. This immense initiative, comparable to standardization of financial transactions within the banking industry, has a compliance deadline of October 2003.
For more information on VUMC’s privacy program contact Jim Hollender at jim.hollender@vanderbilt.edu. For more information on HIPAA transaction standards, contact Grace Upleger at grace.upleger@vanderbilt.edu.