

Report on Patient Privacy
Practical News and Strategies for Complying With HIPAA Rules
Volume 3, Number 10 • October 2003
Published by Atlantic Information Services, Inc., Washington, DC • 800-521-4323 • www.AISHealth.com

Managing Editor: Nina Youngstrom
Assistant Editor: BJ Taylor II
Editorial Assistant: Lauren Flynn
Executive Editor: James Gutman

Contents

3 Rules on Facility Directories and Incapacitated Patients
4 Verbal Agreements Are Trouble
4 Hospitals Agonize Over Students’ Career Shadowing Under HIPAA
5 Wireless Networks Can Create Major HIPAA Vulnerabilities
6 ’Minimum Necessary’ Creates Maximum Complexity
9 Patient Privacy Court Cases
11 HIPAA Myths Can Be Dangerous
12 Privacy Briefs

Hospitals Tailor Policies for ‘Outsiders,’ From Drug Reps to Law Enforcement

Some pharmaceutical sales reps were riding the elevators at Deaconess Hospital all day long to make sure the captive physician audiences inside would hear their spiel on new drugs. When word of this got back to Candace Foster, HIPAA team leader at the Evansville, Ind., hospital, she put an end to the elevator sales pitches — and, like other privacy officers, generally cracked down on drug reps’ access to the hospital. “Regardless of the point of entry, drug sales reps are supposed to register at the pharmacy, get a name tag and confine themselves to certain locations. We don’t want them to wander or hang around the corridors. We don’t want them to go on rounds with doctors. They must register and stay put until someone escorts them,” Foster says.

Drug sales reps are one of the categories of “outsiders” whose access is being reconsidered under the HIPAA privacy rule. These outsiders — including vendors, clergy, volunteers and law enforcement — are in a category unto themselves, distinguished from employees and medical staff members, who have broad access to the hospital, and from patient visitors, who enter patient areas but only for a limited period of time. Outsiders have legitimate purposes for routine, ongoing hospital visits, but their presence and access may require more controls under HIPAA.

“We need to maintain direct control over a lot of these people,” says Melissa Cornwell, privacy officer at Floyd Medical Center in Rome, Ga.

continued on p. 7

Misinterpreted Facility Directory Rules Confuse Patients, Thwart Clergy Members

In the first six months of HIPAA privacy implementation, one of the most confusing and problematic sets of provisions in the new privacy rule has evidently involved facility directories.

Some patients who’ve exercised their right not to be included in the facility directory have been surprised and disappointed that their friends and loved ones had no way to find them.

Many members of the clergy — accustomed to easy access to hospitals for visiting sick parishioners — have had roadblocks thrown in their way by misinterpretations of what the new privacy law requires.

Report on Patient Privacy • October 2003 • Page 2

For example, misleading information has spread through many communities that, under HIPAA, clergy could no longer visit their sick parishioners in the hospital, or print their names in church newsletters. Some church bulletins carried requests for parishioners to call the church if they knew of parishioners who were hospitalized, since hospitals were supposedly no longer allowed under HIPAA to tell clergy about patients.

Rather than barring the clergy from hospitals, the drafters of HIPAA rules and regulations took great pains to add language that would preserve the clergy’s right to comfort sick parishioners in health care facilities. The rights of the clergy to continue their work in health care facilities are embodied in two exceptions to HIPAA rules. But first, what are the general rules governing patient information in facility directories?

Consenting or Opting Out

The final privacy regulations (Sec. 164.510) permit covered entities to include four elements of protected health information in facility directories if patients do not object or wish to place restrictions on disclosures: (1) the patient’s name, (2) his or her location in the facility, (3) the patient’s general condition (in terms that don’t reveal specific medical information, using terms such as “fair,” “critical” and “stable”), and (4) religious affiliation.

Before listing this information, covered entities must inform patients and give them the opportunity to agree or object; that exchange may be verbal. Patients can decide to be excluded from the directory altogether, to have only their names listed (which would permit phone calls), to omit their location (which would inhibit visitors), and so forth. They may withhold their religious affiliation if they don’t want to be visited by the clergy, who are the only ones permitted to learn a patient’s religion.

If patients decline to be listed in the facility directory, their family and friends (and the clergy and others) won’t be able to find them when they stop at the reception desk or try to telephone them. It’s easy for a hospital patient, who may be in pain and/or uneasy about his or her physical appearance, to reply: “I don’t want to see or hear from anyone.” But it’s essential that you help patients understand that “opting out means you won’t have any visitors or get any phone calls, flowers or other deliveries. No one will know you are here.”

If patients opt out of the directory, a computer entry can be made indicating that the patient wishes to be anonymous. In some cases involving domestic disputes, patients may be admitted to a hospital under a pseudonym.

Who Can Access Directory Info?

HIPAA privacy regs also require you to inform patients of the persons to whom you may disclose directory information, and permit patients to object to all or certain specified disclosures (e.g., to an abusive spouse, the clergy, the press). Unless modified by patient preferences, covered entities are expected to release directory information to any person who asks for a patient by name, except for members of the clergy, who can access patients of their denomination without asking for them by name.

These disclosures to the clergy alone represent a slight change from the original privacy Notice of Proposed Rulemaking, “which did not require members of the general public to ask for a patient by name in order to obtain directory information and which, in fact, would have allowed covered entities to disclose the individual’s name as part of the directory information,” according to the final rule preamble. In the final rule, population-wide data of this nature are now reserved for religious purposes only.

Report on Patient Privacy (ISSN: 1539-6487) is published 12 times a year by Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com. Copyright © 2003 by Atlantic Information Services, Inc. All rights reserved. No part of this publication may be reproduced or transmitted by any means, electronic or mechanical, including photocopy, FAX or electronic delivery, without the prior written permission of the publisher.

Report on Patient Privacy is published with the understanding that the publisher is not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

Managing Editor, Nina Youngstrom; Assistant Editor, BJ Taylor II; Editorial Assistant, Lauren Flynn; Executive Editor, James Gutman; Publisher, Richard Biehl; Marketing Director, Donna Lawton; Circulation Manager, Kristin Mulcahy; Production Director, Andrea Gudeon

EDITORIAL ADVISORY BOARD: JOHN BENTIVOGLIO, Esq., Arnold & Porter, Wash. D.C.; TED COOPER, MD, National Clinical Information Systems Security & Confidentiality Consultant, Kaiser Permanente, Oakland, Calif.; MICHAEL DOSCHER, Senior Manager, Global Healthcare Div., Covansys Corp., Glendale, Calif.; BRIAN GRADLE, Esq., Hogan & Hartson L.L.P., Wash., D.C.; JAMES PASSEY, MPH, Director, Compliance & Risk Management, Valley Health System, Hemet, Calif.; DAN RODE, Vice President of Government Policy, American Health Information Management Assn., Wash., D.C.; ERIC S. TOWER, Esq., Associate General Counsel, Advocate Health Care, Oak Brook, Ill.

Despite popular misconceptions to the contrary, HIPAA’s architects included separate language that guarantees continued free access to sick parishioners by the clergy. In fact, covered entities would not be permitted to include religious affiliation in their directories at all if the intent was not to have members of the clergy access this information. No one else is permitted to access religious affiliation.

Members of the clergy can ask facilities for lists of patients in their denomination without asking for them by name. In a Q&A devoted to this subject, HHS indicates that: “…a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure.”

The term “clergy” is not defined in the HIPAA rule, but will most certainly include priests, rabbis and ministers of all denominations who work in the community.

The preamble to the Dec. 28, 2000, final rule (FR 82522) clarifies that “... the rule in no way requires a covered health care provider to inquire about the religious affiliation of an individual, nor must individuals supply that information to the facility. Individuals are free to determine whether they want their religious affiliation disclosed to clergy through facility directories.”

The preamble goes on to explain, “Although this section provides a special rule for members of the clergy, it does so as an accommodation to patients who seek to engage in religious conduct. For example, restricting the disclosure of an individual’s religious affiliation, room number, and health status to a priest would cause significant delay that would inhibit the ability of a Catholic patient to obtain sacraments provided during the last rites.”

Protections for Victims of Abuse

In its preamble to the Aug. 14, 2002, final regulation (FR 53213), HHS responded in this manner to a commenter who suggested that the now-abandoned consent requirements be retained to protect victims of domestic violence: “... the provisions that provide real protections to victims of domestic violence in how information is used or disclosed ... are provisions that allow an individual to object to disclosure of directory information ... that provide an individual the right to request restrictions and that grant an individual the right to request confidential communications.”

Rules on Facility Directories and Incapacitated Patients

When, due to emergency circumstances or incapacity of the patient, the patient has not had a chance to decide whether he or she wants to be listed in the facility directory, these disclosures may continue to occur, if such disclosure is (a) consistent with any known prior expressed preference of the individual and (b) in the individual’s best interest as determined in the professional judgment of the provider. In the preamble to the Dec. 28, 2000, final privacy regulation (FR 82521), HHS listed several factors that the government “encourages covered entities to take into account when making decisions about whether to include an incapacitated patient’s information in the directory:

“(1) Whether disclosing that an individual is in the facility could reasonably cause harm or danger to the individual (e.g., if it appeared that an unconscious patient had been abused and disclosing the information could give the attacker sufficient information to seek out the person and repeat the abuse);

(2) Whether disclosing a patient’s location within a facility implicitly would give information about the patient’s condition (e.g., whether a patient’s room number revealed that he or she was in a psychiatric ward);

(3) Whether it was necessary or appropriate to give information about patient status to family or friends (e.g., if giving information to a family member about an unconscious patient could help a physician administer appropriate medications); and

(4) Whether an individual had, prior to becoming incapacitated, expressed a preference not to be included in the directory. The preamble stated that if a covered entity learned of such a preference, it would be required to act in accordance with the preference.”

The privacy rule preamble indicates that when incapacitated individuals “subsequently gain the ability to make their own decisions, health facilities should ask them within a reasonable time period for permission to include their information in the facility directory.”

The final rule on Dec. 28, 2000, expanded the circumstances under which covered entities can disclose directory information without a patient’s agreement. Whereas the proposed privacy rule allowed such disclosures only for patients who are incapacitated, the final rule also permits them in emergency treatment circumstances. The preamble to the final rule (FR 82522) indicates that disclosures are also permitted “when a patient is conscious and capable of making a decision, but is so seriously injured that asking permission ... would delay treatment such that a patient’s health would be jeopardized....”
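The directory rules described on this page (the four elements, opt-out and element-level restrictions, name-based requests from the public, denomination-based requests from clergy, and the incapacitated-patient factors) can be checked as one small decision procedure. The following Python is an added example, not code from Report on Patient Privacy or from any hospital; the requester classes, the unit names it treats as revealing a condition, and the condition vocabulary beyond “fair,” “critical” and “stable” are assumptions.

```python
"""Facility-directory disclosure decisions under 45 CFR 164.510(a).

Added example; not the newsletter's or any hospital's code. It encodes the
rules described on this page:
- four directory elements: name, location, general condition, religious affiliation;
- a patient may opt out entirely, withhold single elements, or object to
  disclosure to particular classes of requester;
- the public must ask for a patient by name; clergy may also ask for all
  patients of a denomination without names; religion is disclosed only to clergy;
- a patient who has not yet been asked (incapacity, emergency) is listed only
  if that is consistent with any known prior preference and the provider
  judges it to be in the patient's best interest, and a location that would
  itself reveal the condition is then withheld.
Requester classes, the unit names and the condition vocabulary are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Condition terms that reveal no specific medical information. The page cites
# "fair", "critical" and "stable"; the other terms are assumed.
GENERAL_CONDITIONS = {"undetermined", "good", "fair", "serious", "critical", "stable"}
# Locations whose name alone discloses a diagnosis (assumed unit prefixes).
REVEALING_UNITS = ("Psych", "Detox")


@dataclass
class Patient:
    name: str
    location: str
    condition: str
    religion: Optional[str] = None
    opted_out: bool = False                         # excluded from the directory entirely
    withheld: set = field(default_factory=set)      # elements never disclosed, e.g. {"location"}
    objected_to: set = field(default_factory=set)   # requester classes refused, e.g. {"press"}
    asked: bool = True                              # False: not yet able to decide
    prior_opt_out: bool = False                     # known prior preference not to be listed
    provider_best_interest: bool = False            # provider's judgment while not yet asked

    def __post_init__(self):
        if self.condition not in GENERAL_CONDITIONS:
            raise ValueError(f"{self.condition!r} is not a general condition term")


def listable(p: Patient) -> bool:
    """Is the patient in the directory at all?"""
    if p.asked:
        return not p.opted_out
    if p.prior_opt_out:            # a known prior preference must be honoured
        return False
    return p.provider_best_interest


def _elements(p: Patient, requester: str) -> dict:
    """The elements this requester may receive for a listable patient."""
    out = {"name": p.name}
    hide_location = "location" in p.withheld or (
        not p.asked and p.location.startswith(REVEALING_UNITS))
    if not hide_location:
        out["location"] = p.location
    if "condition" not in p.withheld:
        out["condition"] = p.condition
    if requester == "clergy" and p.religion and "religion" not in p.withheld:
        out["religion"] = p.religion     # clergy only; never to public or press
    return out


def lookup_by_name(directory, asked_name: str, requester: str = "public"):
    """Directory information for a patient asked for by name, or None.

    An opted-out patient, or one who objected to this class of requester, is
    answered exactly as if not here, so the refusal itself leaks nothing.
    """
    for p in directory:
        if p.name.casefold() != asked_name.casefold():
            continue
        if not listable(p) or requester in p.objected_to:
            return None
        return _elements(p, requester)
    return None


def clergy_list(directory, denomination: str) -> list:
    """Patients of one denomination, for clergy who have not asked by name."""
    return [_elements(p, "clergy") for p in directory
            if listable(p) and "clergy" not in p.objected_to
            and "religion" not in p.withheld and p.religion == denomination]


# Constructed sample directory; not real patients.
DIRECTORY = [
    Patient("Ann Ames", "Room 204", "fair", religion="Methodist"),
    Patient("Bob Barr", "Room 210", "stable", opted_out=True),
    Patient("Cora Cole", "Room 305", "critical", religion="Catholic",
            withheld={"location"}, objected_to={"press"}),
    Patient("Dan Dodd", "Room 118", "fair", religion="Methodist", withheld={"religion"}),
    Patient("Eve Earl", "ICU 3", "critical", asked=False, provider_best_interest=True),
    Patient("Fay Fox", "ICU 4", "critical", asked=False, prior_opt_out=True,
            provider_best_interest=True),
    Patient("Gus Gale", "Psych 2", "stable", asked=False, provider_best_interest=True),
]

if __name__ == "__main__":
    print(lookup_by_name(DIRECTORY, "Ann Ames"))            # public: name, location, condition
    print(lookup_by_name(DIRECTORY, "Ann Ames", "clergy"))  # adds religion
    print(lookup_by_name(DIRECTORY, "Bob Barr"))            # None: opted out
    print(clergy_list(DIRECTORY, "Methodist"))              # Ann only; Dan withheld religion
```

The refusal path is the security-relevant detail: an opted-out patient and a patient who objected to the press are both answered as if not in the house, so the answer itself leaks nothing, and religious affiliation never leaves the clergy path. The condition check in the constructor is the guard against staff typing a diagnosis where a general term belongs.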

Important caution: When it comes to protecting the rights of all patients — and especially victims of abuse — it’s important to be sensitive to whether disclosing a patient’s location is tantamount to disclosing his or her medical condition (e.g., if he or she is in the psych ward).

What should your organization do if/when a gunshot victim requests exclusion from the facility directory, and the police are asking you about him? Disclosures to law enforcement, which have spawned equally confusing scenarios for some covered entities, will be addressed in the November 2003 Report on Patient Privacy. ✧

Hospitals Agonize Over Students’ Career Shadowing Under HIPAA

As people who are passionate about health care, privacy officers dread the thought of shutting down observation programs for high school students interested in a career in medicine, because these programs are an effective recruitment tool. But with HIPAA implementation, some privacy officers are worried about whether these programs — which generally involve high school students shadowing clinicians — can continue.

“This might prove to be one of the stickiest wickets for HIPAA,” says Candace Foster, HIPAA project leader at Deaconess Hospital in Evansville, Ind. “We are struggling to keep these programs going without compromising privacy.”

There are two sides to this coin. On the one hand, Foster says, these are not medical or nursing schools, so the students aren’t typical work-force members. On the other hand, “they are members of specific, health care-oriented high school classes — and HIPAA allows us to use PHI for educational purposes.”

Foster informally surveyed hospitals about their shadowing programs and found mixed responses on the viability of shadowing under HIPAA. Some hospitals abandoned their shadowing programs on the grounds that patient authorizations are necessary under HIPAA and too cumbersome to obtain. Other hospitals are working on ways to maintain shadowing, such as classifying students as members of the work force.

Lourdes Hospital in Binghamton, N.Y., will continue its “New Visions” program, in which 25 high school students spend one to two hours every day at the hospital during the entire school year learning about all aspects of the hospital, says Anne Wolanski, assistant vice president of risk management and corporate responsibility. These future physicians, nurses, etc. “are well-oriented to policies and procedures, and confidentiality is very drilled in.” To minimize the risk of breaches, New Visions participants receive the same orientation as new employees.

Riverside HealthCare in Kankakee, Ill., doesn’t allow high schoolers to shadow clinicians in the hospital. Instead, it takes the health care show out on the road, visiting high schools to educate students about the profession and interest kids in health care careers, says Chief Privacy Officer Karen Block.

O’Bleness Hospital in Athens, Ohio, has tightened its procedures for student shadowing. “We have informed all staff, including physicians, that if they want to sponsor a shadower, they must first report their intent to our volunteer resources department. The shadower gets a brief orientation about confidentiality, HIPAA, safety, etc., and signs a confidentiality form. They are then allowed to shadow,” says Privacy Officer Tammy Johnson. “If they are coming into direct contact with the patient, we always get the patient’s authorization first.”

Contact Johnson at [email protected], Foster at [email protected], Wolanski at [email protected], or Block at [email protected].

Verbal Agreements Are Trouble

Section 164.510 of the final privacy regs permits a covered entity to ask verbally, and obtain verbal direction from patients regarding, whether they agree to being listed in the facility directory (or object to being listed or wish to restrict disclosures). While you are permitted to inform a patient of your directory policies verbally, and you can “hear” a patient’s verbal consent for (or restrictions on) disclosures, covered entities would be well advised to:

(1) Provide patients — in their Notice of Privacy Practices, or in another buck slip provided at registration — with a very brief written summary, in plain and simple words, of what it means to be excluded from the directory (e.g., a piece of paper nurses can refer to if patients insist on opting out), and

(2) Document, and maintain records of, their patients’ consent, objection or restrictions regarding the directory — not by having patients sign anything, but by having a presiding employee initial and date some record of their witnessing of the consent.

Absent this type of recordkeeping — which is certainly not required by HIPAA and which some may find excessive — formal proceedings later on could boil down to little more than playground-style “he said, she said.”

Is this worth the effort? If covered entities wind up defending themselves against HIPAA allegations, the charges may well include violations of patients’ rights. There are only a few places in HIPAA regulation where covered entities can violate a patient’s rights in a blatant (and potentially harmful) way, and this is one of them.

Wireless Networks Can Create Major HIPAA Vulnerabilities

A hospital or medical group with its electronic medical records available on a wireless computer network is at far greater risk for unauthorized entry (and ultimately, HIPAA breaches) than are facilities with wired networks.

Within a certain range of a hospital’s unsecured wireless network, all a hacker needs to gain access to confidential patient information is a personal computer and a wireless card, which can be purchased at a computer store or on the Internet for under $100. Hunting for such networks is called “wardriving”: hackers essentially drive around searching for wireless access points (WAPs).

Just last month, the vulnerabilities of a medical group’s wireless network were exposed when a hacker mailed copies of checks and insurance forms containing patients’ names and procedures to a local television station. WRAL, a television station in the Raleigh-Durham area, reported that an information security consultant was arrested for allegedly accessing patients’ confidential information through the unsecured wireless network of Wake Internal Medicine Consultants Inc. in North Carolina. According to WRAL, he wanted to expose the company’s “lax” computer security.

How does this affect HIPAA compliance? Since HIPAA privacy standards require the protection of individually identifiable health information, anything that is transmitted electronically through a wireless network and contains PHI is vulnerable. But HIPAA doesn’t set any specific guidelines on how to secure wireless, says Marne Gordan, director of regulatory affairs for TruSecure Corporation, a Herndon, Va.-based company that provides information security intelligence and services. “Any organization that uses wireless technology has a potential to open up vulnerable areas in their environment. HIPAA is a measure of how well you manage whatever you have in your environment,” she says.

Gary Miliefsky, president and CEO of PredatorWatch, Inc., in North Chelmsford, Mass., which supplies network vulnerability management tools, explains that many wireless networks are enabled as “ad hoc” without the proper level of management. “Security has been an afterthought in the wireless network space,” he says.

But wireless networks for some applications are very compelling, and in most cases covered entities can implement relatively simple methodologies to reduce risk to an acceptable level, says Tom Hanks of the health care sector of IBM Business Consulting Services. Hanks explains that for many environments, securing a wireless network can be achieved through the WEP (Wired Equivalent Privacy) encryption that is integrated with the wireless equipment. Newer wireless cards and routers come with an option to enable encryption between the PC and the router, but the encryption feature is usually defaulted to “off” when purchased, he says. Some systems may also have older equipment that does not feature encryption, but a simple system upgrade can usually do the trick. One caveat: WEP’s RC4 key scheduling was publicly shown to be breakable in 2001, and its successor, WPA, began shipping in 2003, so WEP keeps out the casual wardriver but should be treated as a stopgap rather than as a solution.

Contact Gordan at [email protected], Hanks at [email protected] or PredatorWatch’s Debra Angeloni at [email protected]. ✧


‘Minimum Necessary’ Creates Maximum Complexity

One of HIPAA’s most challenging requirements is the “minimum necessary” standard, which mandates that the PHI that is used or disclosed be limited to the minimum PHI necessary to accomplish the intended purpose. While this principle sounds relatively simple, implementing “minimum necessary” across a large, complex organization has been a trying task for even the most experienced privacy officers (RPP 7/03, p. 3).

At Casa Grande Regional Medical Center (CGRMC) in Arizona, employees are assigned to one of three levels of PHI access, depending on what they need to get their work done, says Privacy Officer Becky Buegel. These three levels, which are defined in Procedure 4 below, are: (1) full health information access, (2) selective access, and (3) incidental access. For example, many physicians, nurses and other clinicians will have “full access”; people in the billing office and materials management probably need “selective access” because they may need the patient’s name and diagnosis; and the custodial staff will have “incidental access.”

At CGRMC, the challenge of deciding which level of access is appropriate for each job code/position number falls to the department managers as it pertains to their supervisees. Access levels may vary widely from one department to another, even if job titles are the same. For example, the receptionist in the medical imaging department has needs that are somewhat different from those of the receptionist in admitting, Buegel says.

Contact Buegel at [email protected].
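As an added example (not CGRMC’s own code or policy text), here is one way to implement the three access levels described above as a server-side filter: the level is assigned per department and job code, so two receptionists can end up with different access, and the treatment and patient-request exemptions the policy lists bypass the filter. The field names, the department/job table, the per-department “selective” field sets and the purpose labels are assumptions.

```python
"""Minimum-necessary filtering by workforce access level (45 CFR 164.502(b)).

Added example; not CGRMC's code. It implements the three-level scheme the
article describes (full, selective, incidental access), assigned per
department and job code so the same title can carry different access in
different departments, plus the exemptions the policy lists for treatment
and for disclosures to the patient. Field names, the department/job table,
the selective field sets and the purpose labels are assumptions.
"""
from typing import Iterable, Optional

# Every field a record carries (assumed).
RECORD_FIELDS = ("name", "mrn", "diagnosis", "medications", "notes", "billing_codes")

# What each level may see. "Selective" varies by department because each
# department manager decides what that department's staff actually need.
FULL = set(RECORD_FIELDS)
SELECTIVE = {
    "billing": {"name", "diagnosis", "billing_codes"},
    "materials": {"name", "diagnosis"},
    "imaging": {"name", "mrn", "diagnosis"},   # exam is ordered for a diagnosis
    "admitting": {"name", "mrn"},              # same title, narrower need
}
INCIDENTAL: set = set()

# (department, job code) -> access level, as assigned by department managers.
ASSIGNMENTS = {
    ("nursing", "RN"): "full",
    ("medical", "MD"): "full",
    ("billing", "clerk"): "selective",
    ("materials", "buyer"): "selective",
    ("imaging", "receptionist"): "selective",
    ("admitting", "receptionist"): "selective",
    ("environmental", "custodian"): "incidental",
}

# Purposes the minimum-necessary standard does not apply to (policy II.3).
EXEMPT_PURPOSES = {"treatment", "patient_request", "authorization", "required_by_law"}


def allowed_fields(department: str, job_code: str) -> set:
    """Fields this (department, job) may see; an unassigned pair gets nothing."""
    level = ASSIGNMENTS.get((department, job_code), "incidental")
    if level == "full":
        return set(FULL)
    if level == "selective":
        return set(SELECTIVE.get(department, INCIDENTAL))
    return set(INCIDENTAL)


def release(record: dict, department: str, job_code: str, purpose: str,
            fields: Optional[Iterable[str]] = None, justification: str = "") -> dict:
    """Return only the PHI this requester may receive for this purpose.

    fields=None asks for the entire record, which policy IV.2 allows only
    when specifically justified; an exempt purpose bypasses the filter.
    """
    if purpose in EXEMPT_PURPOSES:
        return dict(record)
    if fields is None:
        if not justification.strip():
            raise PermissionError("entire record requested without justification")
        wanted = set(record)
    else:
        wanted = set(fields)
    permitted = allowed_fields(department, job_code)
    return {k: v for k, v in record.items() if k in wanted and k in permitted}


# Constructed sample record; not a real patient.
RECORD = {
    "name": "Ann Ames", "mrn": "000123", "diagnosis": "J18.9",
    "medications": ["amoxicillin"], "notes": "follow-up in two weeks",
    "billing_codes": ["99213"],
}

if __name__ == "__main__":
    print(release(RECORD, "nursing", "RN", "treatment"))            # whole record
    print(release(RECORD, "billing", "clerk", "payment", ["name", "diagnosis", "notes"]))
    print(release(RECORD, "environmental", "custodian", "operations", ["name"]))  # {}
```

Unknown (department, job) pairs fall through to incidental access, so a missing assignment fails closed, and a request for the entire record outside an exempt purpose is refused unless a justification is recorded, mirroring Procedure IV(2). The filter belongs on the server side of whatever serves the record; a client-side hide is not a minimum-necessary control.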

CGRMC’s Policies and Procedures for Minimum Necessary

I OBJECTIVE:Casa Grande Regional Medical Center (CGRMC) isrequired by the HIPAA Privacy Rule to make a “rea-sonable effort” to limit requests for uses and disclo-sures of protected health information (PHI) to theminimum necessary to accomplish the intended pur-pose of the use, disclosure, or request. While CGRMCis committed to ensuring privacy and security of PHI,it is important to recognize that there must be a bal-ance between avoiding disclosure of more patientinformation than is necessary against having suffi-cient patient information in order to assure propercare. To support its commitment to patient privacyand confidentiality, CGRMC will ensure that appro-priate steps are taken to disclose only the minimumamount of PHI needed to accomplish the particularuse or disclosure, as required under CFR §164.502(b),as well as other pertinent local, state, and/or federallaws and regulations.II POLICY:(1) The CGRMC workforce will follow proper proce-dures to ensure that only the minimum amount ofPHI necessary to accomplish the specific purpose of ause or disclosure is actually used or disclosed.(2) The CGRMC workforce will request only the mini-mum amount of PHI necessary to accomplish thespecific purpose of the request.(3) This policy does not apply to the following uses ordisclosures:

(a) Disclosures to or requests by a provider for treatment;

(b) Uses or disclosures made to the individual who is the subject of the information;

(c) Uses or disclosures pursuant to an authorization;

(d) Uses or disclosures required for compliance with HIPAA standardized transactions;

(e) Disclosures made to the Department of Health and Human Services when disclosure of information is required under the rule for enforcement purposes;

(f) Uses or disclosures required by law; and

(g) Uses or disclosures required for compliance with applicable laws and regulations.

III DEFINITIONS: Protected Health Information – means individually identifiable health information that is transmitted by electronic media; maintained in any medium described in the definition of electronic media; or transmitted or maintained in any other form or medium.

IV PROCEDURE:

(1) All proposed uses or disclosures of PHI will be reviewed by persons having an understanding of CGRMC’s privacy policies and practices, and sufficient expertise to understand and weigh the necessary factors.

(2) The entire medical record will only be used, disclosed, or requested when the entire record is specifically justified as being reasonably necessary to accomplish the purpose of the use, disclosure, or request.

(3) The following categories have been assigned to the CGRMC workforce:

(a) Healthcare Provider – A licensed healthcare professional who provides direct or indirect patient care or consulting service. This includes, but is not limited to: physicians, nurses, respiratory therapists, social workers, etc.

(b) Patient Care – Staff who provide direct or indirect patient care at the request of or referral from a Healthcare Provider. This includes, but is not limited to: admissions, dietary aides, unit clerks, housekeeping, etc.

(c) Healthcare Operations – Staff who work within the organization providing a variety of services that support the delivery of patient care or healthcare operations. This includes, but is not limited to: risk management, finance, business office, health information management, etc.

(d) Administrative – Staff who work within the organization providing administrative support. This includes, but is not limited to: HR, community relations, etc.

(4) The following levels and conditions of access will be assigned to the categories of workforce noted in number (3), above:

(a) Full Health Information Access shall be given to members of the workforce who, based on their duties, need ongoing, regular access to PHI in all forms, while the individual is on duty and performing within the scope of his or her job; such access must be for cause, consistent with job responsibilities, and related to a patient, claim, audit, review, or other legitimate business purposes.

(b) Selective Access shall be given to members of the workforce who need access to certain automated or hard copy PHI on a regular basis for purposes such as directing a call or letter, sorting mail, filing, typing, and similar activities within the scope of his or her job.

(c) Incidental Access shall be given to members of the workforce who do not necessarily need access but may see PHI through incidental use such as fax and copier machines, filing, typing, etc.

(5) Requests for disclosures of PHI will be reviewed on an individual basis in accordance with criteria listed in the policy.

(6) CGRMC may reasonably rely on requests by

(a) Public health and law enforcement agencies in determining the minimum necessary information for certain disclosures;

(b) Other covered entities in determining the minimum necessary information for certain disclosures; or

(c) A professional who is a member of its workforce or is a business associate of CGRMC for the purpose of providing professional services to CGRMC, if the professional represents that the information requested is the minimum necessary for the stated purpose.

(7) In the event of disclosures for research purposes, CGRMC will review the documentation of required Institutional Review Board or other approval in determining the minimum amount of PHI necessary.

(8) Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

October 2003 Report on Patient Privacy 7

Copyright © 2003 by Atlantic Information Services, Inc. All rights reserved. Reproduction by any means — including photocopy, FAX or electronic delivery — is a violation of federal copyright law punishable by fines of up to $100,000 per violation.

Limiting PHI Access to Outsiders (continued from p. 1)

Sometimes outsiders are lumped in with other members of the work force (e.g., volunteers) or designated as business associates (e.g., vendors); sometimes they stand alone. “For any of those people, they have to have a good reason to be there,” says Tammy Johnson, privacy officer at O’Bleness Hospital in Athens, Ohio. “And they must sign a confidentiality agreement. If not, they shouldn’t be there” — a decision generally made by the department manager or nurse supervisor.

How do hospitals approach the application of the privacy rule to these outsiders? The first step for Lourdes Hospital in Binghamton, N.Y., was to categorize outsiders, says Anne Wolanski, assistant vice president of risk management and corporate responsibility. “Outsiders can be categorized first based on the notice of privacy practices, which indicates who is part of your organized health care arrangement,” she says. This includes physicians on the medical staff, providers allowed to write in the patient’s medical record and volunteers who are permitted to help patients while they are in the hospital or receiving care at a Lourdes site.

The next layer is the patients’ visitors and clergy. Access is essentially determined by expressed patient preferences (e.g., opting out from the directory). The third layer is everyone else — notably these outsiders. They prompt a variety of responses, from vendors who are closely tracked (e.g., register, wear a badge) to volunteers subject to extensive privacy-rule training and written confidentiality statements.

To help her think through the management of various classes of outsiders, Johnson does an informal risk analysis. “I think to myself, what is the worst-case scenario that could happen if we disclosed PHI to this particular person who is not a work-force member?” For example, what is the relative risk of a drug sales rep talking to nurses for 15 minutes and then leaving, versus bringing in lunch for a 90-minute education session with the nurses in the department? “I analyze the risks and talk to my risk manager and tell her what I think, and we hash it over. Then I take it back to the departments involved and ask for their feedback because nursing knows nursing, etc.,” she says, before a final decision is made.

How Certain Outsider Categories Are Managed

Here is a sampling of how hospitals are managing various categories of outsiders:

(1) Volunteers: They are treated as members of the work force, but volunteers need extra support enforcing HIPAA’s privacy protections. “They are at the social center of a hospital,” Cornwell says, because of their exposure to non-treatment-related information about patients, their role in comforting patients and their interaction with friends and families through staffing the front/information desk. Volunteers may be weak links in the privacy chain when asked for patient information. “Some of these ladies have been in our auxiliary for 30 years. They know all the patients and nurses and doctors, so there is a huge likelihood for that information to be used socially,” Cornwell says. For example, suppose they run into a friend at the grocery store, and the friend asks about a mutual acquaintance who’s been admitted to the hospital. The volunteer may feel weird and pretentious saying what she has been instructed to say — something along the lines of “I’m sorry, I’m not at liberty to discuss that” — especially to a close friend. Cornwell suggests volunteers cope by answering a question with a question. If the visitor says “How is Mrs. Smith doing? I heard she is in the hospital,” then the volunteer can respond, noncommittally, “Have you spoken with her husband?”

It can get even tougher when volunteers are manning the front desk, which means disclosing either only directory information or, if the patient opted out, nothing. It’s awkward for a volunteer to say “I’m sorry; we don’t have a patient by that name” when the volunteer knows it isn’t true — especially if the visitor is sure the patient is there. Visitors who are told that black is white may become belligerent. And volunteers are miserable having to lie or be rude. As an alternative, Cornwell says, volunteers at her hospital now say “We don’t have a patient by that name in our public directory.” And they can always call Cornwell for help.

To enhance volunteer safeguards, “we are careful not to put volunteers in certain sensitive areas,” such as risk management and quality assurance, where they could access highly confidential information associated with, for example, case reviews, Wolanski says. “The types of tasks that a volunteer is assigned to probably won’t have them directly involved in looking at a patient’s medical records,” Wolanski says, noting the hospital has always taken that precaution, even before HIPAA.

(2) IT and other certain vendors: Hospitals monitor vendors more closely now, and some vendors are business associates. At Lourdes, “vendors are expected to have an appointment to visit a particular department. We have a vendor policy regarding their need to sign in and wear a badge identifying who they are and their destination. If they do not follow this policy, they can be refused further access to our hospital,” Wolanski says.

Riverside HealthCare in Kankakee, Ill., has obtained business associate agreements with its IT vendors because they have access to the computer systems that store patient information, says Chief Privacy Officer Karen Block. It’s been a real challenge, she says, because the health system uses a lot of vendors. When Riverside presented its HIPAA-compliant business associate agreement for signature, some vendors responded by insisting on using their own business associate agreement — especially because they feared any attempt to include an indemnification clause. “No one wants to sign that,” she says. Usually Riverside persuades the vendor to sign the health system’s version of the business associate contract, but if the vendor digs in its heels, it may relent. “We have our HIPAA legal counsel review it to make sure we don’t sign our lives away,” Block says.

Consistent with her risk analysis, Johnson evaluates vendor access depending on their contact with PHI. For example, if IT vendors “will just be in MIS and have no access to patient information, then we don’t worry about it. If they will have any access to our clinical information system, we make sure they sign a confidentiality agreement.”

As for other kinds of vendors (e.g., building contractors, electrical), generally the main goal is to verify their identity and keep track of them, Foster says. They wear a bright orange vendor badge with a unique number but not a picture. Sometimes their work takes them into locations where there are patients and/or medical records, but “my impression is they are way too busy to pay attention to anything except the work and their safety” or there are employees present (e.g., health information management department) to keep an eye on them. “The contracts we sign with vendors contain confidentiality agreements. We hold them accountable for their own employees,” which means the vendor handles the discipline if one of its employees breaches confidentiality, Foster says.


(3) Medical device sales reps: Depending on the nature of the device, medical device reps are treated differently than drug reps because they may need access to PHI or the patients themselves and may even be present at surgery. But they still must check in with the materials management department and wear badges. For example, orthotics and prosthetics suppliers may need to examine medical records and fit patients directly. There are also vendors who attend surgery because their input is needed by the surgeons who are implanting the device (e.g., pacemaker) or using some new technology (e.g., laser) manufactured by the sales rep’s company.

The sales rep may be a part of the treatment team, so PHI disclosure is proper under the treatment, payment and operations exception, according to guidance from the HHS Office for Civil Rights. Therefore, patient authorization isn’t required — though some hospitals seek it anyway or add a line to the surgery consent form stating that the vendor’s sales rep will be present during surgery.

One privacy officer isn’t totally comfortable putting sales reps under the TPO exception. Block says her hospital “doesn’t necessarily consider device reps members of the treatment team.” She says she doesn’t think it’s feasible for the device rep to attend surgery unless there is patient authorization. There’s always a chance the patient will say “no,” and then she says it’s up to the surgeon to convince the patient to green-light the device rep’s presence.

Lourdes Hospital requires device sales reps to fill out various forms before they’re permitted in surgery. For example, the sales rep signs a confidentiality statement and a form attesting to proper immunizations. “The patient is always given the opportunity to refuse having them there,” Wolanski says.

But it’s essential not to let HIPAA anxiety interfere with patient access to life-enhancing devices, says Becky Buegel, privacy officer at Casa Grande Medical Center in Arizona. “You want patients to get new medical devices. You just have to tighten up [privacy safeguards],” she says. “You either consider them part of the treatment team and document accordingly, or get patient authorization.” As for the abuses with salesmen in the operating room, those were not issues of privacy as much as patient safety.

PATIENT PRIVACY COURT CASES

This monthly column is written by Rebecca C. Fayed of the Washington, D.C., office of Epstein, Becker, & Green, P.C. It is designed to provide RPP readers with a sampling of the types of patient privacy cases that courts are now hearing. It is not intended to be a comprehensive monthly survey of all patient privacy court actions. Contact Rebecca C. Fayed at (202) 861-1383 or [email protected].

• An Illinois appellate court held that a patient’s mental health records could be used by the Department of Professional Regulation during a disciplinary proceeding against the patient’s psychiatrist without the patient’s consent. The Illinois Department of Professional Regulation appealed a circuit court decision issuing a preliminary injunction barring them from disclosing at any hearing any information related to the patient without first obtaining a confidentiality release from the patient. The department argued that because of Illinois law, the lower court should not have found that the patient had a right to nondisclosure of mental health information. Rather, the department argued, Illinois law authorized the use of redacted mental health information in a disciplinary proceeding against the patient’s psychiatrist, without the patient’s consent. On appeal, the Appellate Court of Illinois reversed the lower court’s opinion, finding that when the Illinois “Confidentiality Act is read as a whole it is clear that the legislature contemplated the use of mental health records for which no consent has been secured in certain judicial proceedings.” Explaining that its statutory interpretation promotes the goals of both the Illinois Confidentiality Act and the Illinois Medical Practice Act, the court stated that “[p]atients remain anonymous, thereby preserving a sufficient level of privacy necessary to encourage other people to seek mental health treatment, which is the goal of the Confidentiality Act.… At the same time, it enables the Department to enforce standards of practice for the psychiatric profession and protect the public from those not qualified to practice medicine, which is the goal of the Medical Practice Act.” (John Doe v. Illinois Department of Professional Regulation)

• The Appellate Court of Connecticut held that a physician expert could disclose medical records during a deposition without a patient’s authorization. While the plaintiff in this case called Dr. William Gerber as her expert witness in an action against her employer, she filed this action alleging that during a deposition in that case, Dr. Gerber “wrongfully… disclosed confidential and private information about her.” The Appellate Court disagreed with the plaintiff, explaining that “the disclosure of the plaintiff’s medical records took place during the deposition of the plaintiff’s expert, Gerber, and that the disclosure was pursuant to applicable rules of court.… Thus, because the disclosure was made pursuant to applicable court rules, it clearly fell within the exception set forth” under Connecticut law. As the court stated, Connecticut law generally prohibits the unauthorized disclosure of medical records. However, one exception to this rule is that a patient’s consent is not required for a disclosure “pursuant to any statute or regulation of any state agency or the rules of court.” Accordingly, the court found that the expert physician did not wrongfully disclose the information during the deposition. (Alexandru v. West Hartford Obstetrics and Gynecology, P.C.)

(4) Drug sales reps: The privacy rule prompted hospitals to crack down on drug sales reps. How much their access is curtailed depends on the way they deliver their sales presentations. “We designed a confidentiality agreement for drug reps and then left it up to unit supervisors whether it’s necessary [to get the rep’s signature],” Johnson says. “If they just drop off samples and leave, then it’s not necessary. But if they will be there for a period of time, then a confidentiality agreement may be necessary.” For example, if the drug rep is giving a 90-minute presentation in the nurse education room while nurses change shifts and give reports, it’s wise to get a confidentiality agreement signed.

The privacy officers generally said that stringent privacy protections for drug reps are more important in their physician clinics, where the reps tend to be in closer proximity to PHI.

(5) Medical and nursing students: They are treated as members of the work force, so they receive full-fledged HIPAA education.

(6) Clergy: This has been one of the biggest adjustments under HIPAA because this class of outsiders — external clergy, not hospital chaplains — was accustomed to virtually unfettered access, and now must be monitored (the same as all other outsiders) to make sure they aren’t exposed to PHI unnecessarily.

For example, at Riverside, the hospital identified the 40 or so clergy members who routinely minister to hospital patients, and assigned each a unique log-in number for the computer located in the pastoral care department. The log-in number gives the clergy member access only to the names of patients who attend his or her church/temple/mosque, etc. How do patients make it to the list? At registration, according to a script that Block has given registration clerks, patients are asked their religion and the name of their congregation, and then are told that “By answering the name of your religion and congregation, your name will appear on a list for visiting clergy.” (The staff chaplain is available for patients who can’t see their own minister, etc., such as if they are visiting from out of town.) Obviously patients who opt out will not appear in the computer.

Clergy members who aren’t at the hospital often enough to merit a log-in number can get a printout of their congregation members from the switchboard, assuming they have proper ID.

Riverside HealthCare also wants to make sure clergy is informed when patients ask for them, but safeguards are necessary when passing along information. For example, the hospital doesn’t want to leave a message for the clergy member that parishioner Clark Kent is in the hospital if the answering machine is located in the clergy member’s family room. So the hospital sent a form to about 120 clergy members asking them who the hospital can leave a message with (e.g., spouse, secretary, on a secure answering machine) when a parishioner requests the clergy member’s presence but the clergy member can’t be located.

Local clergy isn’t thrilled with the new procedures, Block says. Some clergy members have complained that the nearby competing hospital isn’t subjecting clergy to the privacy restraints. But the hospital is sticking to its HIPAA guns.

Deaconess Hospital also treats outside clergy the same as any other visitors, Foster says. When clergy members show up, they generally check in at the religious life office and collect a list of their hospitalized parishioners (if those persons request a clergy visit). If the religious life office is closed, they ask for the patient by name at the front desk. If it is after hours and the patient has an emergency, clergy members identify themselves to security and explain who they are there to visit. Trust is essential; “our religious affairs director said it would be a big task to keep clergy identification badges up to date with photos,” she says.

(7) Employee friends/family: The privacy officers say employees generally know that when spouses, friends or family plan to take them to lunch, they should be met in the lobby or cafeteria and not enter patient areas. There’s an occasional transgression. For example, Johnson entered the transcription area one day to find a strange woman sitting at an employee’s desk, leafing through names on the transcription sheets. “She was waiting for her cousin,” an employee, Johnson says. After that, Johnson told employees to meet friends and family in more public areas. Since HIPAA took effect, that also became a more official stance at Casa Grande Regional Medical Center. “We now ask them to wait in the cafeteria,” Buegel says. “We want employees to start thinking in terms of whether this person needs to be here or whether they can go to the cafeteria with them and get out of a patient area.”

(8) Law enforcement: This is a complex area and hospitals are grappling with it (RPP 9/03, p. 1). They are trying to live by the HIPAA constraints on PHI disclosures as law enforcement situations arise and articulate them in policies and procedures, but real life is a lot more ambiguous than the scenarios written into the privacy rule. For example, the rights of law enforcement officers to obtain PHI get muddled in employees’ minds depending on whether the patient is a victim, witness, suspect or fugitive. And where do state laws fit in? For example, Block says that Illinois state law requires providers to turn over drunk-driving blood test results to the police, so they are acting on the assumption that mandate takes precedence over HIPAA.

Hospitals are developing procedures to put some brakes on police access to PHI. “Law enforcement always comes in and wants to talk to patients if there’s an accident and we don’t want them just to open curtains, randomly looking for the right patient,” Johnson says. “They are now required to stop at the nurse’s station and tell us who they want to see and why. Then the clerk checks with the physician if the police officer doesn’t know the patient by name. Then we ask the patient if it is OK for the police to come and talk to them. Sometimes I tell the police they have to wait until the patient comes out of the hospital unless the police officer has a court order.”

Christine Jensen, HIPAA project manager at Denver Health, says state law also governs a lot of her health system’s interaction with law enforcement. For example, state law requires hospitals to report victims of crimes and accidents to the police. The law doesn’t dictate what details to supply, but over time the Denver police department developed a form eliciting basic information. If a police officer later calls the emergency department for information, the ED staffer refers the officer back to the police department, explaining the information has already been supplied. “If they want more detailed information, we have to get patient authorization,” Jensen says.

Buegel is developing policies and procedures for responding to law enforcement requests, and generally they will require police to obtain patient records from the HIM department during regular business hours — except if there’s urgency, Buegel says. For example, if a person under arrest needs treatment, “then we will hand over information to people accompanying the guy to jail.” HIM is coordinating with the ED “because they will be presented with more circumstances, and then we will put together a grid” that dictates PHI disclosures permitted in response to various law enforcement circumstances.

Contact Johnson at [email protected], Wolanski at [email protected], Buegel at [email protected], Foster at [email protected], Cornwell at [email protected], Block at [email protected] and Jensen at [email protected]. ✧


HIPAA Myths Can Be Dangerous

When O’Bleness Hospital in Athens, Ohio, was preparing a patient for transfer to another hospital for a pacemaker implant, the nurse asked the recipient hospital for the name of the physician there who would be managing the case. The reason: The O’Bleness nurse wanted instructions for transporting the vulnerable patient. But the recipient hospital refused to divulge the name of the physician without a patient authorization, citing HIPAA privacy-rule restrictions.

The recipient hospital was incorrect in its interpretation of HIPAA, and was letting its misguided interpretation of the privacy rule potentially interfere with patient care. “The patient was having a cardiac crisis, and we just wanted to ask the doctor what to do during the transfer,” says Privacy Officer Tammy Johnson. And in terms of the disclosure, the only information at issue was the name of the physician attached to the case. Johnson felt she had no choice and obtained the authorization from the patient, so the nurse could get the doctor’s name and call him for transfer instructions.

But it was a close call in terms of the patient’s well-being. This was another case of HIPAA overkill, with a provider insisting on patient authorization even though the disclosure was treatment related. To prevent future recurrences of superfluous authorization demands from this hospital, Johnson contacted the other hospital’s privacy officer, and told her about the HIPAA myth and the risks it poses to patient care. And “I told my whole hospital this was a big thing. If it involves patient care, don’t be afraid to do it.”

Contact Johnson at [email protected].


PRIVACY BRIEFS

• CMS said on Sept. 23 that it would deploy its previously disclosed Medicare fee-for-service contingency plan to accept electronic transactions in legacy formats after the Oct. 16 HIPAA transaction and code sets (TCS) deadline. The decision generally pleased providers, but both they and CMS noted that it does not require private payers to take similar actions. Language CMS released to its Medicare contractors stressed that its contingency plan would last for only a “limited time.” The decision on when to halt it, CMS added, would be made based on its monitoring of progress in HIPAA-compliant claims as well as the number of submitters that are testing compliant formats.

• The state of Illinois suspended the licenses of eight physicians who owned a Chicago-area medical group after they failed to adhere to a bankruptcy court agreement to safeguard the records of former patients, according to the Illinois Department of Professional Regulation. The department imposed the suspensions after discovering more than 100,000 records, X-rays, mammograms and ultrasounds in the basement of the former Meyer Medical Physicians’ Group office in Merrionette Park and in a former auto repair garage next door, says department spokesman Tony Sanders. The medical group had promised as part of the bankruptcy agreement to pay $120,000 to safeguard and copy patients’ records. Contact Sanders at (217) 524-8195.

• Concerned about the potential for financial institutions to obtain protected health information for marketing purposes, the Health Privacy Project (HPP) in Washington, D.C., is urging HHS to provide public guidance that affirms restrictions on unauthorized disclosure of PHI. When banks process payments through an automated clearinghouse (ACH) network on behalf of health care clients, these transactions contain PHI when they include transmissions of the electronic remittance advice, HPP explains in a letter to HHS. According to HPP, the privacy rule requires that PHI transmitted through the ACH network be encrypted in a way that makes it accessible only to the intended recipient provider or health plan. HPP says it is concerned that PHI that is not encrypted or restricted could be used by financial institutions to obtain information about individuals for marketing purposes, which would clearly violate HIPAA. To view the letter, visit www.healthprivacy.org.

• National Imaging Associates, Inc., a radiology benefit management company that serves more than 11 million health plan enrollees, says it is the first radiology organization to receive HIPAA privacy accreditation from URAC. The accreditation program, launched in April, is the nation’s first independent HIPAA privacy accreditation program for covered entities and business associates. In July, URAC awarded the first round of privacy accreditations to 21 organizations (RPP 8/03, p. 12). Contact Nicole Mudloff of National Imaging Associates at (212) 941-8499.

• A Wal-Mart pharmacy in Lubbock, Texas, allegedly violated its own privacy practices by accidentally stapling a one-page list of confidential customer information to a prescription, according to The Lubbock Avalanche-Journal. The problem was identified by a Journal reporter, whose prescription was attached to a document that listed 22 customers, their telephone numbers and 31 drugs prescribed to them, says the newspaper. The prescriptions included antipsychotics, antidepressants and birth control pills, according to the report.

• The Harris County District Attorney’s Office in Texas seized documents from a Ben Taub Hospital employee’s desk as part of an investigation into a company that allegedly sold stolen hospital records to personal injury lawyers, according to The Houston Chronicle. The hospital employee was not arrested or charged, but was suspended without pay pending the outcome of the investigation, says the Chronicle. The operators of Industrial Safety Consultants are being investigated for allegedly paying hospital employees to steal patient records and selling them to personal injury lawyers in Houston, San Antonio, McAllen and Corpus Christi, says the Chronicle. Based on an undercover surveillance operation commissioned by the government, law enforcement officers speculate that a transaction to exchange stolen records took place, according to Joel Androphy, a lawyer representing the company and its operators. Androphy says it was not his client who made the purchase and that investigators do not have sufficient evidence to prove that any money was exchanged.
