In the 28 states, such as Alaska and Texas, that do
not have stringent privacy codes, HIPAA regulations
will set the standard.
Diane Sheppard, RN, HIPAA compliance analyst for UT
Southwestern, said the teaching hospital had three full-time
staff members working on privacy standards since fall
2001. "It's been a huge effort, since we had to
train the entire workforce on policies and procedures
as they related to individual jobs," Sheppard said.
New employees at the medical center receive an orientation
session on HIPAA. All employees also must complete an
online training program.
Carole Klove, JD, RN, chief compliance officer for
Stanford Hospital and Clinics and Lucile Packard Children's
Hospital, said that the hospitals went through a comprehensive
two-year process to make operational the HIPAA privacy
rules and incorporate them into existing policies and
procedures. "We redesigned some work flows and
created some new processes as required by HIPAA,"
Klove said.
Training for nurses and other workforce members includes
protocols for disclosing protected health information.
For example, medical records may be disclosed for purposes
of treatment, payment and certain health care operations;
however, they generally cannot be used for research
without a specific authorization or waiver of authorization
from an institutional review board or privacy board.
Nurses also need to understand their HIPAA notice of
privacy practices so they can respond to patient questions
about the rules.
"Patient safety is everyone's concern and always
has been, but HIPAA has raised some issues and has helped
us all improve our practices and performance in the
patient privacy arena," Klove said. She said nurses
would continue to have updated sessions on HIPAA and
that the policies and procedures also are posted on
the hospitals' Web site.
Hope Hammond, privacy officer at the University Medical
Center of Southern Nevada, said nurses went through
an intense five-week training effort before the April
deadline. "The gist of it is, confidentiality is
not new, patient privacy isn't new, but that there are
some changes and processes nurses need to be aware of,
including the ability to answer patients' questions
about their rights.
"The rules require reasonable safeguards, not
a huge construction project," Hammond said. "There
are subtle changes, but not anything overwhelming."
An example, she said, is making sure computer screens
face away from the public or have privacy screens attached
to them. Patient charts are always to be face down on
carts and any written information about patients put
in folders.
Smith said that although there are penalties for breaches
in compliance, the final rules effective May 19 from
the Office for Civil Rights say the initial approach
to enforcement will be "complaint-driven"
and that informal resolutions will be emphasized over
penalties.
However, the OCR can impose fines of $100 "per
incident" up to a maximum of $25,000 per year for
each breach of a privacy standard.
At South Peninsula Hospital, follow-up meetings will
address privacy questions and a Web site was created
for the staff to access HIPAA policies and procedures,
Seitz said.
"We made sure our care providers, managers, physicians
and board members had a good understanding of the requirements
and the consequences. We also offered training classes
to local clinics, law enforcement agencies and media
groups," she said. "The response from nursing
has been great."
Contact John M. Leighty at johnsan@aol.com