AUG/SEPT 2002
Volume 26 No. 8

As hospitals prepare for new medical privacy rules, physicians can expect changes

Starting in April, health-care providers nationwide will need to comply with the medical privacy regulations of the Health Insurance Portability and Accountability Act, a 1996 federal law. The regulations aim to ensure that patients' medical information is kept confidential, is used for medical purposes only, and is used and disclosed only to the extent necessary for patient care or certain related business purposes.

For Stanford Hospital & Clinics and its medical staff, that means several changes are on the horizon - changes in how computer systems operate, how patient information is stored, how physicians communicate with patients and each other, and how patient information is used in education and research.

Stanford and Lucile Packard Children's Hospital are in the middle of an extensive effort to gear up for the April deadline. While the effort involves much work on the information-technology side, it will also have a significant impact on physicians' daily practice, said Joseph Hopkins, associate chief of staff.

"We need to be more conscious and sensitive about issues of privacy," said Hopkins, who is heading Stanford's compliance efforts relative to physicians. As a starting point, he said, "I invite physicians to think about their own health information, or that of a spouse, and how they would want it used."

HIPAA applies to a broad range of health-care entities, including hospitals, clinics, pharmacies, health plans and all providers including physicians, nurses, pharmacists, technicians and more. Aside from the privacy rules, HIPAA contains other regulations regarding computer security standards and the electronic transfer of health information - regulations whose compliance deadlines are further off.

The medical privacy regulations require providers to:

Adopt comprehensive privacy policies, and communicate these to patients.

Obtain patient consent for the use and disclosure of identifiable health information.

Let patients access their medical records and request corrections.

Limit the use and disclosure of medical information to the minimum amount necessary.

In response, physicians will have to:

Ensure that patients receive information on the hospital's privacy policies and acknowledge in writing that they've received this information.

Make sure that when medical information is discussed with patients and families, the discussion is conducted out of earshot of other individuals not involved with the case.

Make sure they're using and disclosing only the minimum amount of information necessary for patient care. That means some hallway conversations may no longer be appropriate.

Avoid handling patient records - on paper or on a computer - in a way that might allow them to be seen by people not involved in the patient's care.

Apply these principles to medical education and research activities.

To apply these principles, the hospital recently formed 11 task forces to formulate specific procedures and policies in such areas as patient authorization, transactions and code sets, education and training, and research.

In addition, Hopkins will lead a physician working group, which will review the proposed policies to make sure they're workable. The group, to be formed this fall, will include representatives from each of the hospital's clinical departments. Two other physician working groups will be formed to address policies regarding research and education.

As part of the HIPAA readiness effort, the Information Privacy Office recently completed a comprehensive inventory to identify all of the hospital's computer applications and the security controls they feature. D'Arcy Myjer, director of health information management services and the information privacy officer for Stanford and Packard hospitals, said the inventory revealed that there are 117 different computer applications at the hospitals containing personal health information, and that many need beefed-up security controls implemented - an effort that's now under way. This means physicians and other personnel will soon be required to use more passwords and other computer security controls.

Hopkins stressed that HIPAA requires "reasonable" efforts toward compliance - not extreme or burdensome efforts. "This will require a very important change," he said, "but it's doable."

He also emphasized that safeguarding patients' medical information is crucial to maintaining the public's trust in physicians and health-care institutions. And he noted that medical privacy is discussed in the Hippocratic Oath. "The bottom line is, this privacy stuff isn't new - we just need to do it better."

"What I may say or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about."

- from the Hippocratic Oath