BACKGROUND
With the advent of the internet and the increased ability to access information on individuals, including health care information, the Federal Government has begun to initiate changes in both state and federal law regarding the handling of sensitive medical information. These changes are to be made no later than April 14, 2003. The changes are required of various health care institutions, including hospitals, which must comply with strict new federal privacy rules issued by the U.S. Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Under federal law, HIPAA's privacy requirements are intended to guarantee individuals new rights and protections against the misuse or unauthorized disclosure of their health records. The intent of the federal law is also to protect the patient's right to privacy, reduce fraud and abuse, improve health care quality and reduce electronic transmission costs. HHS has acknowledged, however, that certain aspects of the privacy rule may have the unintended effect of threatening access to, and the quality of, health care. In a July 2001 guidance document, HHS indicated that it plans to modify HIPAA's privacy requirements to correct those unintended results. This presentation discusses the modifications that HHS is likely to propose in order to continue providing care while preventing the unnecessary disclosure of information to unauthorized individuals.
HIPAA TERMINOLOGY
As with all federal statutes and mandates, a certain jargon and set of acronyms are associated with HIPAA. The term protected health information (PHI) refers to information that is sensitive and should only be shared with authorized individuals, who will be named in this presentation. A covered entity (CE) is one of numerous health care entities which are germane to the initiation of HIPAA and include various health care providers. An organized health care arrangement (OHCA) is a specific term used for entities who must be in compliance with HIPAA. The designated record set (DRS) refers to the medical and billing records which are a part of a patient's health care record. The accounting of disclosures (AOD) refers to the patient's right to have access to his records and the duty of the health care provider and organized health care arrangement to provide access and maintain a record of who has had access to the patient's information. The directory is a daily list of patients that an institution such as a hospital maintains. A patient has the option to "opt out" of such a list.
How will HIPAA affect you and your institution? Frequently, health care providers must share urgent and confidential information with other health care providers and covered entities. Such communications may be oral or written. In written form this may take the form of a facsimile or other electronic transmission such as e-mail. When disseminating information on a patient it is imperative to use a cover sheet which states clearly that the transmission is only for the intended recipient. A remedy should be included on the cover sheet in the event that the fax is sent to an unintended and unauthorized person. Confirmation of the fax number is highly recommended, as is confirming the fax number with another individual. Once the nurse sends the fax, a confirmation should be returned to assure that the intended recipient received the transmission and privacy was maintained. The fax confirmation should be kept in a secured folder or database.
Charts should be kept in a secure area at all times. HIPAA requires that a patient chart be secured in an appropriate area. The "appropriate area" may be the nurses' station or another area which may be open to the public or other unauthorized personnel, so care must be taken that names and diagnoses are not left out in the open for unauthorized viewing. Additionally, it is imperative that extreme vigilance be exercised to preserve the modesty of patients by never exposing them or disclosing their diagnoses in unsecured areas, and any and all protected health information shall be secured. In the event that certain records need to be disposed of, the process shall be conducted in a proper and secure manner (i.e., shredding of documentation; patient information shall be on a need-to-know basis only).
What if I am unsure of what areas are secure or which information should not be disclosed at all?
When in doubt it is imperative to relay your concerns to the facility privacy officer (FPO). This individual is assigned to handle all patient-sensitive information and the conflicts and scenarios which may be difficult to foresee. The initiation of HIPAA will pose conflicts between health care delivery and the ability of health care providers and covered entities to obtain information in a timely manner. Therefore, if there is any doubt as to whether or not to disclose information to an individual or entity, the nurse should contact the FPO for a determination immediately. If the FPO cannot be contacted at the moment, it is recommended to contact your facility supervisor on duty, notify them of the situation and document these actions accordingly.
What notice is given to patients? HIPAA mandates that a notice of privacy practices brochure or other form of literature be given to every client concerning the facility's patient privacy protection policy. Patients will be given the option to "opt out" of an information directory (i.e., no acknowledgment to the outside world that they are our patient), and patients will also have a right to a copy of their medical record. Additionally, authorizations need to be obtained from the client to release information for reasons other than treatment, payment or health care operations. This notice should be given each time the individual enters the facility. The nurse should determine, and reinforce if necessary, the issue of privacy with the patient.
Client's right to opt out of the directory: "Opting out of the directory" means the client does not want anyone to know they are receiving treatment at the facility. The client can opt out at any time but should be provided with the opportunity to do so when admitted to services. If a client desires not to have his name or any information disclosed to anyone, he is "opting out" and proper measures should be taken to ensure that this will occur. Increased vigilance commensurate with the requirements of HIPAA should be carried out. This information should be shared with all health care providers and key personnel within the facility in order to prevent any accidental disclosure of information to individuals or entities in the "outside world".
By opting out, the patient is requiring that ALL individuals in the facility maintain the strictest confidence. The patient is requesting that no one outside the facility know of the patient's admission. Care should be taken under these circumstances to obtain confidentiality documentation and ask whether the patient desires to list in writing the individuals he or she wishes to know about the admission. In this way immediate family members and loved ones may be able to have access to the patient while the strictest confidentiality is maintained. Therefore, you may not acknowledge that the client is receiving services or give information about the client to a friend, family member or others unless the patient has a consent-to-disclose-information form in place. Every facility should have the proper documentation to assure that confidentiality is maintained and the patient's request for privacy respected.
Right to privacy restrictions: Clients have the right to request a privacy restriction on their private health information. All requests must be made in writing and given to the FPO, who decides what information can or cannot be disclosed. It is imperative that the nurse notify the FPO of any situation which may present an ethical dilemma or where a conflict may arise. A typical situation is family dynamics that the health care team may not be aware of, such as an estranged wife or a blended family who may wish to have information but are not listed on any documentation as individuals who may have access to information regarding the patient.
What is protected by HIPAA? It is imperative that the nurse have concrete examples of what is protected under HIPAA. The list provided is not all-inclusive; however, the more obvious items include: the name of the patient, the patient's address, names of relatives, names of employers, birth date, telephone numbers, fax numbers, electronic mail addresses, social security number, medical record number, health plan beneficiary number, account number, certificate/license number, any vehicle or other device serial number, Web Universal Resource Locator (URL), Internet Protocol (IP) address number, finger or voice prints, photographic images, and any other unique identifying number, characteristic or code.
It is recommended that any and all information that involves the patient be carefully guarded against inspection or access by unauthorized personnel. Measures to safeguard this information include cordoning off a patient chart area and utilizing passwords whenever possible. Additionally, even apparently innocuous access by family, friends or unauthorized personnel is prohibited.
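One safeguard a practitioner can add for the identifiers listed above is a scan of any note before it is faxed or e-mailed out of the facility. The following is an added example, not part of the original in-service; the patterns, the sample note and every value in it are constructed for the demonstration, and the scan only catches the machine-readable identifiers (numbers, addresses, dates), so names and photographs still need a human check.

```python
"""Pre-transmission scan for HIPAA identifiers that have a fixed shape."""
import re

# One pattern per identifier category from the list above. Earlier
# patterns claim their span first, so an IP address is not also read
# as a phone number and an e-mail address is not also read as a URL.
PHI_PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"(?:https?://|www\.)\S+")),
    ("IP_ADDRESS", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE_OR_FAX", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("MRN", re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE)),
]


def find_phi(text):
    """Return non-overlapping (category, start, end, value) hits in text order."""
    claimed = []  # spans already attributed to a higher-priority pattern
    hits = []
    for category, pattern in PHI_PATTERNS:
        for m in pattern.finditer(text):
            if any(m.start() < e and m.end() > s for s, e in claimed):
                continue
            claimed.append((m.start(), m.end()))
            hits.append((category, m.start(), m.end(), m.group()))
    return sorted(hits, key=lambda h: h[1])


def redact(text):
    """Replace each identifier with its category tag, e.g. [SSN]."""
    out, pos = [], 0
    for category, start, end, _ in find_phi(text):
        out.append(text[pos:start])
        out.append("[%s]" % category)
        pos = end
    out.append(text[pos:])
    return "".join(out)


def safe_to_transmit(text):
    """True only when the scan finds no listed identifier."""
    return not find_phi(text)


# Constructed sample note; every value is made up for this demo.
SAMPLE_NOTE = (
    "Pt J.D., MRN 4471023, DOB 03/14/1961, SSN 123-45-6789.\n"
    "Callback (361) 555-0142, fax 361-555-0199, jd@example.org.\n"
    "Discharge summary at https://portal.example/rec/77 from 10.0.0.25.\n"
)

if __name__ == "__main__":
    for category, _, _, value in find_phi(SAMPLE_NOTE):
        print(category, value)
    print(redact(SAMPLE_NOTE))
```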
What information may I share on the phone? This area is highly sensitive and one where the nurse and other health care providers must proceed with caution. In the event that a telephone inquiry or solicitation is made, careful consideration should be given to what information is released. Identify the person and determine if they are authorized personnel. If they are not authorized personnel or have not been cleared as such by the patient, it is recommended not to disclose any information other than whether the person is stable or unstable. If the patient has opted out, NO INFORMATION should be given to the caller under any circumstance. This includes information as to whether or not the person is even admitted to the facility!
What information can I share with authorized individuals without client consent? You can share information without patient authorization as it relates to treatment, payment or health care operations (TPO). Other covered entities will request only the minimum information necessary to perform their job. You may likewise request the minimum information necessary from other covered entities for reasons of TPO without patient authorization. It is highly recommended that you verify that the requestor identifies themselves properly prior to disclosing any information. Proper identification includes full name, return phone number, confirmation in writing that identifies the caller, and any other relevant information needed to verify that the person or entity is authorized to access the information.
Verification of requesters of information: Requesters via phone will need to provide the client's social security number, date of birth and one of the following: account number, street address, medical record number, birth certificate, insurance card, or policy number. Example: an unknown physician calling from a cell phone. Before HIPAA the nurse may have been able to use discretion in the amount or type of information that could be given out. Even if a physician is calling about their own patient, the nurse must exercise caution to verify that the physician is indeed calling.
External faxing guidelines: Limit faxes when possible. The nurse should verify the fax number. The fax number may also be preset when applicable to avoid inadvertent misdialing of the fax number and the resulting disclosure of crucial information. As with medical records, the staff should locate the fax machine in a secure area. Additionally, always use a cover sheet with a confidentiality statement for transmittals. Highly sensitive information should never be faxed (HIV diagnosis, drug abuse records, etc.).
Disclosing PHI to family members and friends who call your institution: The client will designate whom you may speak to on the consent forms.
What entities are covered under HIPAA? Surgery centers, physician practices, insurance companies, hospitals, hospice services and home health agencies are all under HIPAA. These agencies must fully comply with HIPAA and maintain the standards required by the Act.
Patient's/client's right to access: The request will be forwarded to the FPO (Facility Privacy Officer), who must be able to provide access to and/or a hard copy of the record. The patient has a right to amend the medical record but cannot change or omit documentation already in the medical record. If there has been an error in the documentation by the facility or personnel, it should be handled in the traditional manner by striking through once, which indicates an error, and continuing the documentation. Once information such as a confirmed diagnosis is on the permanent record, a patient cannot merely request that the information be removed.
Patient privacy complaints: The Facility Privacy Officer (FPO) must maintain a complaint log in accordance with the complaint process. All privacy complaints must be routed to the FPO. Responses cannot be accompanied by retaliatory actions by the facility. Disposition of the complaint must be consistent with the facility's Sanctions for Privacy Violations. The complaint log must be maintained and can be disclosed to the patient with the proper authorization in writing.
Accounting of disclosures (AOD): Right to an accounting of disclosures of protected health information. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures: for TPO, to the patient, for directory purposes, to law enforcement or correctional institutions, or for national security. Inquiries made must be kept in a log and maintained on paper or in an electronic database. Failure to maintain the log could lead to several federal and state penalties under HIPAA.
How will the accounting of disclosures (AOD) affect me? A nurse or other authorized personnel must enter patient information into the AOD for: state-mandated reporting such as suspected abuse victims, certain disease reporting such as STDs, brain injury, organ and tissue donations, tumor registry reporting, and health oversight activities (AAAHC/JCAHO). The patient may request information regarding what parties received information, but mandatory reporting such as to governmental agencies and for public health has an overriding interest and does not necessarily have to be disclosed to the patient. The patient may request information dating back six years regarding inquiries by individuals and health care entities. The nurse is not obligated to report inquiries made by governmental entities such as the police. However, the nurse must first ascertain that the person inquiring about the information is an authorized representative of the government or other regulatory agency.
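The two AOD passages above describe a log and a rule for producing the accounting from it: the six years before the request date, minus the exempt purposes. The following is an added example of that rule, not part of the original in-service; the record layout, the purpose codes and the log entries are constructed for the demonstration, and a facility's own log would carry whatever fields its FPO requires.

```python
"""Accounting of disclosures (AOD) log and the six-year accounting."""
from dataclasses import dataclass
from datetime import date

# Purposes the accounting may omit, per the section above.
EXEMPT_PURPOSES = {"TPO", "PATIENT", "DIRECTORY", "LAW_ENFORCEMENT", "NATIONAL_SECURITY"}
ACCOUNTING_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str          # constructed codes, e.g. "TPO", "ABUSE_REPORT"
    description: str


def window_start(requested_on, years=ACCOUNTING_YEARS):
    """Same calendar day `years` earlier; Feb 29 rolls back to Feb 28."""
    try:
        return requested_on.replace(year=requested_on.year - years)
    except ValueError:
        return requested_on.replace(year=requested_on.year - years, day=28)


def accounting_for(log, patient_id, requested_on):
    """Disclosures the patient is entitled to see, oldest first."""
    start = window_start(requested_on)
    return sorted(
        (d for d in log
         if d.patient_id == patient_id
         and start <= d.disclosed_on <= requested_on
         and d.purpose not in EXEMPT_PURPOSES),
        key=lambda d: d.disclosed_on,
    )


# Constructed log entries; all identifiers, names and dates are made up.
SAMPLE_LOG = [
    Disclosure("P-100", date(2002, 5, 3), "Dr. A (attending)", "TPO", "progress notes"),
    Disclosure("P-100", date(2002, 6, 9), "State health dept.", "STD_REPORT", "lab result"),
    Disclosure("P-100", date(1996, 1, 15), "Tumor registry", "TUMOR_REGISTRY", "pathology"),
    Disclosure("P-100", date(2001, 11, 2), "Child protective services", "ABUSE_REPORT", "ED visit"),
    Disclosure("P-100", date(2002, 7, 1), "Police department", "LAW_ENFORCEMENT", "admission status"),
    Disclosure("P-200", date(2002, 7, 1), "JCAHO surveyor", "HEALTH_OVERSIGHT", "chart review"),
]


def demo():
    """Purposes in the accounting P-100 could request on 2002-08-01."""
    return [d.purpose for d in accounting_for(SAMPLE_LOG, "P-100", date(2002, 8, 1))]


if __name__ == "__main__":
    for d in accounting_for(SAMPLE_LOG, "P-100", date(2002, 8, 1)):
        print(d.disclosed_on, d.recipient, d.purpose, d.description)
```

The TPO and law-enforcement entries are filtered out as exempt, and the 1996 tumor registry report falls outside the six-year window, so only the abuse and STD reports appear in the accounting.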
Notice of privacy practices: Upon each admission the patient will acknowledge receipt of the notice. This notice outlines the right to access, the right to amend, the right to request confidential communications, the right to privacy restriction and the right to opt out of the directory. Each of these rights should be delineated in your facility's policy and procedure manual as well as in documents produced by the facility's FPO and other relevant committees. This notice must be given upon admission and the nurse should determine that the patient has been made aware of his rights under HIPAA.
Sanctions: There are 3 levels of violations that require disciplinary action: 1. accidental and/or due to lack of proper education; 2. purposeful violation of privacy policy or an unacceptable number of previous violations; 3. purposeful violation of privacy policy associated with potential for patient harm. The FPO is to review the sanctions policy grid with examples. Each institution is currently developing guidelines and concrete examples of violations. REMEMBER: HIPAA is in its preliminary implementation; there are no hard and fast rules as to what constitutes an accidental or purposeful violation, and this should be determined by the FPO and other managerial personnel on a case-by-case basis.
Sharing information with other treatment providers: Nurses may share information with physicians and office staff, hospitals, or other treatment facilities just as they do today. You must verify the requestor as noted in this in-service. Patient information can be released for reasons of treatment, payment or health care operations (TPO). TPO is the exception that has been carved out in HIPAA to avoid hampering medical and nursing care delivery and to minimize any slowing down of the day-to-day operations needed to run a health care entity. TPO includes a broad range of activities, but caution should still be maintained whenever disclosing any information over the phone or to individuals who have yet to establish that they are authorized by the patient or the facility to receive ANY information.
Confidential communications: In order to decrease the chance of inadvertent disclosure, one recommended technique is to use an alternate address or phone number for future contact. In this manner, individuals who call on the phone or need information and who are part of the patient's family or a significant other may be able to obtain information in a secure manner. In this way the nurse may be able to route information and be assured that the individual or entity they are in contact with is an authorized party. For example, a relative who will be out of town can leave an alternate number which can be verified against the patient's consent sheet by the patient or other authorized individuals. Remember that when in doubt, route any requests for confidential communication to the FPO.
Common exposures of confidential information: Discussions of patient information in public places such as elevators, restaurants, shopping centers, church, school, hallways and immediately outside the home area; printed or electronic information left in public view; client charts left in open areas; PHI in regular trash; records that are accessed without following the need-to-know basis required to perform job duties; and unauthorized individuals hearing patient-sensitive information such as diagnosis or treatment. Not only is this inappropriate both before and after the HIPAA law, but it also demeans the nursing profession and the duty of confidentiality we have towards our patients. If it is absolutely necessary to discuss a patient in a common area, initials or a patient number should be used to identify the patient. The nurse must remember to speak in as low a tone as possible and safeguard ANY information in common areas at all times. This practice will not only eliminate the risk of a HIPAA violation but will also decrease the risk of liability for you and your facility.
CONCLUSION
The implementation of HIPAA is in its infancy. Much more research may be done and amendments made. HIPAA was formulated to protect a patient's privacy in an increasingly public world. Information that could lead to disclosure of any sensitive information should be carefully guarded. It is the nurse's responsibility as the primary care giver to safeguard not only the client's physical and psychosocial well-being, but also his private information.
About the author: Joe A. Flores is a nurse practitioner and a trial lawyer in Texas. He is currently practicing with the law firm Snapka and Turman, L.L.P. and is also a part-time nurse practitioner with the Complete Medical Care medical group.
FOR MORE INFORMATION GO TO: www.cms.hhs.gov/hipaa