If they haven’t been already, nurses all over the country soon will be enlisted to help implement a comprehensive set of mandates designed to protect the confidentiality of patient medical information. But, as one expert notes, nurses are the medical professionals most intimately involved with continuous patient care and, as such, always have made medical record confidentiality a priority.

"We are advocates for patients," said Carol Bickford, Ph.D., RN, senior policy fellow in the American Nurses Association’s Department of Nursing Practice and Policy. "We constantly report and communicate information about them and we want to make sure itdone correctly."

The mandates are part of the Health Insurance Portability and Accountability Act, also known as the Patient Privacy Rule, which requires health care providers, insurers and clearinghouses to obtain written consent from patients before using or disclosing medical information to carry out treatment, payment or health care operations.

The mandates also dictate that providers appoint a privacy official, develop and implement privacy policies and procedures, train their workforces in those policies and procedures, adopt privacy safeguards and establish a complaint process and sanctions for privacy violations.

"The privacy issue addressed in HIPAA is a concern for all nurses," Bickford said. "It reinforces what nurses have advocated for a long time."

Providers required to comply with the Patient Privacy Rule are those who conduct electronic financial and administrative transactions––such as electronic billing and fund transfers.

Specifically protected are medical records and other identifiable health information used or disclosed by a provider, whether in electronic, written or oral form.

Regulation compliance
The most pressing issue for providers is compliance to the regulations. The deadline is April 2003.

Kathy Lambert, JD, RN, who divides her time between nursing and law in Tucson, Ariz., agrees with Bickford that the medical profession always has been charged with generating comprehensive, timely, accurate and confidential patient information. But she notes that advanced technology has required an overhaul of the measures used to protect that information.

"The HIPAA mandate is not a new one," said Lambert, a 31-year nursing veteran who for years has educated nurses on issues of medical record documentation. "But automation resulting from advanced technology has created a fear that people who shouldn’t have access to medical records will somehow get it. Steps need to be taken to ensure that only authorized people see patient information."

Bickford said that she would be concerned if facilities don’t already have the basics in place.

"It should now be just a matter of formalizing existing policies and including everyone—physicians, nurses, physical therapists, occupational therapists, information technology people, medical records people and insurers––as partners in this process," Bickford said.

Like Bickford, Lambert emphasizes the role of nurses in the implementation of the regulations.

"If you want to get a job done, give it to nurses," she said. "Explain the reasons behind the regulations and educate us about the penalties. Nurses want to do things right. It’s imperative that we be involved in this process."

The civil penalty for violation of the rule is a maximum of $100 per person or organization, with a maximum of $25,000 imposed on any one person or organization for multiple violations within a calendar year.

Criminal penalties range from a $50,000 fine and/or imprisonment of not more than one year for wrongful disclosure of protected information to a $250,000 fine and/or imprisonment of not more than 10 years for intent to sell the information.

A procedural glitch resulted in a four-month delay between the time President Clinton signed the Patient Privacy Rule and the time the measure was put into action by President Bush.

Although he signed the rule in December, President Clinton failed to give Congress proper formal notification as required by law. The error wasn’t discovered until February, when Tommy Thompson, secretary of Health and Human Services, opened a new public comment period.

All told, the Clinton and Bush administrations tallied about 78,000 comments to the proposed regulations from patient advocates, health care providers, insurers and other parties.

Costly implementation
Although few argue that medical record confidentiality is a critical component of patient care, some health care providers balk at the costs anticipated in implementing the Patient Privacy Rule.

The federal government estimates that not-for-profit hospitals will spend nearly $1.6 billion during the next 10 years to comply with and maintain the privacy protections. However, studies by the American Hospital Association and other industry groups estimate minimum compliance costs at close to $7 billion.

Whether providers seek outside help in implementing their compliance policies or develop their own, Lambert recommends that they address how the Patient Privacy Rule affects their specific operations.

"For example, home health care providers may need to find the best way to prevent theft of laptop computers they take on patient visits to ensure that the data contained on them isn’t compromised," she said. "Hospitals, on the other hand, may have to evaluate the placement of their computers and determine whether visitors can see the monitors or have access to the keyboards."

In the hospital setting, nurses are constantly on guard to protect the confidentiality of patient information at their stations, Bickford added.

"We always need to ensure that no unauthorized person has access to that information. It needs to be the right information given to the right person for the right reasons," she said.