Privacy law safeguards medical data of patients
4/6/2003Aunt Clara suffers an apparent stroke. A neighbor discovers her outside in her garden and dials 911. An ambulance arrives, and she is rushed to the hospital.
Hours later, the neighbor calls the hospital to see how she is doing. The neighbor recites what happened and how he is the one who found her and got help.
“Sorry,” the voice on the other end responds, “I cannot help you.”
A similar response is given when a member of Aunt Clara's extended family calls.
“But I'm her cousin,” she insists. “I'm calling long distance.”
The hospital employee on the other end sympathizes with the caller, but politely explains the hospital is banned by a new federal law from telling her anything - including whether Clara is even there.
Starting April 14, the fictional scenario above could become a frustrating reality nationwide for families, friends, clergy members, and health-care providers alike. After April 14, each patient checking into any U.S. hospital will be asked if they want to be included in a patient or hospital directory.
If you're in the directory, basic information, such as your condition, is released to anyone who asks, including family members, clergy, and the media.
If you're not in the directory, information isn't given out to anyone.
The new changes are the result of major parts of the Health Insurance Portability and Accountability Act going into effect.
The law is often referred to those in health care by its acronym, HIPAA.
One local hospital executive prefers to call it: “Hospitals In Pain And Agony.”
Passed by Congress in 1996, HIPAA was designed to - among other things - improve the privacy of patients' medical information.
Lawmakers passed the measure in response to public complaints about the unauthorized use of health-care records, such as the sale of information about what drugs patients were taking to companies that then tried to market competing drugs to patients.
But many health officials complain that Congress overreacted and may have gone too far. Complying with the regulations - which take up more than a thousand pages - is agonizing, they say.
Most health-care providers have spent thousands of dollars and hours of staff time trying to learn the intricacies of the new rules.
The regulations apply to hospitals, doctors' offices, health insurance companies, billing companies - almost any organization or individual that handles a patient's medical information.
Local hospital officials stress they will work through problem areas the best they legally can to get information to family members of patients.
It just might take a little longer for hospital officials to verify who is seeking the information.
“We'll probably err on the side of what's best for the patient and do the right thing” with regards to family members, said David Dewey, director of marketing for St. Luke's Hospital in Maumee. Still, he acknowledged that “we have staff who are nervous” about saying too much.
And with fines of up to $50,000 a violation and a one-year jail term, it's easy to see the reason for the nervousness.
The intent of HIPAA was to get everyone on the same page about what privacy means, but how each hospital and doctor's office interprets HIPAA may vary.
For example, in the case of Aunt Clara, if she's unconscious and unable to tell hospital officials her privacy wishes, most hospitals will decide not to release anything to anyone. Other hospitals will decide to release information if she was a patient before and said it was OK to release information.
Under the new privacy regulations, Toledo-area hospitals generally will handle requests for patient information in the following fashion:
That basic information includes the patient's condition (good, fair, serious, and critical) and where the patient is in the hospital.
The regulations also affect contact between members of the clergy and patients. Patients have the option of including their religious affiliation and place of worship on the directory. However, if a patient decides not to be included in the directory, clergy can't get patient information from hospitals. Patients can still tell their clergy they want to be visited, and the clergy can - as they do now - visit the patient.
Sandy Lewallen, privacy officer for Toledo Hospital, said hospitals have long valued patient confidentiality, and HIPAA just places some “structure” around long-established practices.
She said one new thing her hospital is starting because of HIPAA is the use of “patient identifier” numbers that each patient can give out to friends and family members.
A caller could then use the number to get more detailed information from nurses or doctors, instead of just the basic information available to anyone.
Denny McLean, security administrator for Mercy Health Partners, said many of the HIPAA regulations are just putting into law what are already common hospital practices.
“The primary difference is when we [maintain privacy] today we do everything to ensure it takes place, but after April 14th, if we commit a violation, then we're in violation of the law,” he said.
HIPAA is just as big a headache for doctors' practices.
“It makes us spend more money and time on things not related to patient care,” grumbled Dr. Donna Woodson, a family physician in Maumee.
She and her six physician colleagues have designated one doctor in the office to act as the HIPAA expert and sent that doctor to training and seminars.
Last week, patients began filling out new privacy forms to be included in their medical records
Dr. Woodson said each patient now has six more pieces of paper relating to privacy which she must now include in each file, each of which has to be gone over with the patient and explained.
Media organizations, including The Blade, have expressed concern the HIPAA regulations will limit their ability to give readers and viewers information on the fate of those involved in traffic accidents, fires, or other incidents that result in injury or even death.