January 31, 2003

VUMC to protect patient privacy, complying with new legislation

Featured Image

Jim Hollander stands in front of patient records at the hospital. HIPAA, which goes into effect April 14, will further protect patient confidentiality. (photo by Dana Johnson)

VUMC to protect patient privacy, complying with new legislation

With new federal patient privacy regulations going into effect April 14, VUMC is taking broad new measures to protect patient information. The new federal regulations are a result of HIPAA, the Health Insurance Portability and Accountability Act of 1996.

The regulations concern all health information, whether electronic, written or verbal, that can be connected with individual patients. HIPAA also gives consumers greater control over their health information and mandates an administrative structure for compliance monitoring. The law carries criminal penalties for individuals who knowingly misuse patient information.

HIPAA places patient information on a need-to-know basis, but there’s nothing in the regulation that would inhibit sharing of information for purposes of treatment, said Jim Hollender, privacy official for VUMC.

“HIPAA requires reasonable effort to limit incidental exposures of patient information,” Hollender said. “The intent was not to interfere with normal standards of practice. HIPAA privacy provisions are a challenge, but they’re largely an administrative challenge rather than any sort of impediment to treatment.”

As the medical center strives to create an optimum environment for protection of patient privacy, Hollender stresses that, “We need everyone to be sensitive to these issues, and take the necessary steps to achieve compliance, but we also need to be reasonable and maintain our focus on quality care.”

Each VUMC department has undertaken a self-assessment to uncover actual or potential sources for inappropriate use or disclosure of patient information. The assessment creates a department roadmap for helping Vanderbilt achieve HIPAA compliance.

Departments are supported by staff and faculty training and other enterprise-wide compliance solutions. A standard Notice of Privacy Practices is being prepared for patient signature. The notice informs patients of their rights under HIPAA and outlines how Vanderbilt will be using their information for treatment, billing, administrative functions and other routine uses that are provided for under the law.

Staff and faculty have their choice for training formats: on-line training got underway in mid January, and classroom sessions will be offered beginning in February. The training is required for annual performance evaluation and salary adjustment; it takes about 25 minutes to complete the on-line version, 30 minutes for the classroom version. Vanderbilt departments that frequently disclose patient information to outside groups — to payers, to government entities, to law enforcement — may warrant added evaluation and training. Contact your manager for more information about training.

In addition to expanded rights to review and obtain copies of their records, patients will have the right to opt out of the hospital phone directory and to request that access to their information be restricted in other ways. “The question of when you can agree to restrict access to a patient’s information will be answered as we begin to get requests and learn what the practical limitations might be for fulfilling them,” Hollender said. The law doesn’t force hospitals to agree to patient requests to restrict access to information; enforcement patterns will provide eventual additional guidance about practical application of the new law. For the time being, all patient requests to restrict information will be funneled through Hollender’s office.

Two issues that may require special attention are patients stumbling into each other’s information at high-traffic areas such as clinic check-in, and, on hospital units, the practice of giving patient updates to family members over the phone.

HIPAA compliance will be an evolving process rather than a one-time fix, and Hollender foresees individual clinics and hospital units developing their own solutions to some compliance issues, with standard solutions developing eventually. “We’ll continue to work to provide tools to help groups make those judgements,” he said. “The training sessions will help start dialogue about these issues, and we recommend that people do the training sooner rather than later so that solutions can be in place well ahead of the compliance date.”

Another section of HIPAA standardizes electronic transactions involving patient information. This immense initiative, comparable to standardization of financial transactions within the banking industry, has a compliance deadline of October 2003.

See your manager for more information. Information is also available at www.mc.vanderbilt.edu/HIPAA. For more information about standardization of electronic transactions, contact Grace Upleger at grace.upleger@vanderbilt.edu.