Volume 27 No. 2 February 2003
Learning to live with HIPAA
* * *
The new federal law called the Health Insurance Portability and Accountability Act - known to most of us as HIPAA - will require us to think differently about the way we handle patient information, and will require us to change some of our long-standing practices. As we approach HIPAA's effective date of April 14, consider these scenarios that will be affected by the law:
What health information can be shared with a patient's family and friends?
Under HIPAA, patients will have expanded rights to review their medical record and request corrections or amendments.
A fundamental concept in HIPAA is "minimum necessary" disclosure of information. This means that health-care personnel should obtain and disclose only the minimum amount of health information needed for a specific task. While the "minimum necessary" regulation does not apply to health-care professionals in the course of treating patients, remember that health information flows out of health-care settings for a variety of other purposes.
E-mail is becoming a ubiquitous part of our lives, including our clinical
You learn that a close friend or neighbor is in the ICU. Although you are not part of this patient's care team, out of concern you stop in to check on how the patient is doing. To your surprise, the nurse at the bedside refuses to let you look at the patient's flow chart. She says her HIPAA training forbids
A patient asks that certain sensitive health information not be recorded in
You find it convenient and helpful to store some facts about patients on your PDA or laptop computer. You also work on lectures involving case presentations
Members of your clinic are interested in starting a new case management service and support group for patients with a particular chronic disease. You want to mail an announcement about these programs to all of your patients with this diagnosis. You also anticipate that at some point you will invite financial contributions from these patients to help defray some of the costs of this very helpful activity, as no insurer will cover it. One of your staff says you can't contact these patients for either purpose because of HIPAA.
You are faxing health information about a patient to another health-care provider, but you accidentally press a wrong digit and send the information to a local department store. You have heard there are severe financial penalties for
* * *
All of these situations are addressed in the HIPAA regulations and will be incorporated into SHC policies, and it's important that we as physicians know how to respond. In most of the aforementioned situations, the appropriate responses are not very difficult or disruptive when physicians understand what HIPAA requires.
That's why education is a key part of HIPAA. The law requires that all those in the health-care workforce receive training on HIPAA concepts and policies before April 14. This includes mandatory training of all members of the Stanford Hospital medical staff, including community physicians as well as Stanford physicians.
SHC is currently developing training materials as well as plans for disseminating this information to physicians and staff. We anticipate that all physicians will be required to complete a Web-based, online educational module that will take about 35 minutes. It will include a short test and will generate a record of completion for the medical staff office. Alternate formats, such as CD-ROMs or in-person seminars, are also being considered.
The ultimate goal is to enable physicians - along with all our health-care personnel - to deal with HIPAA successfully, so that it becomes a routine part of our practice rather than a disruption.