Prescription for Privacy
New HIPAA confidentiality rules change the way nurses handle patient information

By John M. Leighty
July 2, 2003

The 290 staff members at South Peninsula Hospital in Homer, Alaska, have been conducting vigorous preparations-showing a training video, holding a logo competition and posting informational signs-to meet the standards of the Health Insurance Portability and Accountability Act, which took effect April 14.

Nurses around the country have received similar training on the new rules that are designed to tighten patient confidentiality.

One ambulatory clinic nurse, Cheryl Edwards, RN, of the University of Texas Southwestern Medical Center at Dallas, said that when the privacy law took effect, changes were virtually "transparent."

Even at the 25-bed South Peninsula Hospital, where nurses still use privacy curtains in shared patient rooms, there's a heightened awareness of the need for protecting personal health information. The hospital has implemented a system in which the patientfamily and friends, with the patient's consent, have to tell hospital staff a password before receiving more than a one-word answer on the patient's condition.

"It's tough in a small town where people listen to scanners and know who's coming into the hospital, but the nurses know there can be consequences, and they're very aware of patient confidentiality," said Barbara Seitz, a registered health information administrator, privacy officer and manager of health information management.

The HIPAA privacy rules are designed to protect the way patient information is stored and conveyed, and dictate to whom it is revealed. The rules also give patients access to their medical records, as well as the ability to amend them.

A second phase of HIPAA requirements takes effect in October and deals with secure electronic claims transactions and coding confidentiality.

Reasonable measures

Paul Smith, a partner and co-chair of HIPAA practice at the law firm of Davis Wright Tremaine in San Francisco, said HIPAA is a pervasive regulation that affects the handling of medical information throughout any health care organization. However, Smith said, nurses don't have to be experts, because much of the act doesn't affect them.

"There's a good deal nurses need to know, but there's also a good deal they don't need to know," Smith said.

The main standard for nurses is to take "reasonable measures" to protect patient privacy and to try to prevent incidental exposure of information-such as patients' names on the doors of hospital rooms, discussing a case in joint treatment areas or inadvertently disclosing a patient's illness in a physician's waiting room.

Smith said that although many states, including California, already have confidentiality rules on the books, including the rights of patients to access their medical records, the states still must meet certain HIPAA requirements.

In the 28 states, such as Alaska and Texas, that do not have stringent privacy codes, HIPAA regulations will set the standard.

Diane Sheppard, RN, HIPAA compliance analyst for UT Southwestern, said the teaching hospital had three full-time staff members working on privacy standards since fall 2001. "It's been a huge effort, since we had to train the entire workforce on policies and procedures as they related to individual jobs," Sheppard said.

New employees at the medical center receive an orientation session on HIPAA. All employees also must complete an online training program.

Carole Klove, JD, RN, chief compliance officer for Stanford Hospital and Clinics and Lucile Packard Children's Hospital, said that the hospitals went through a comprehensive two-year process to make operational the HIPAA privacy rules and incorporate them into existing policies and procedures. "We redesigned some work flows and created some new processes as required by HIPAA," Klove said.

Training for nurses and other workforce members includes protocols for disclosing protected health information.

For example, medical records may be disclosed for purposes of treatment, payment and certain health care operations; however, they generally cannot be used for research without a specific authorization or waiver of authorization from an institutional review board or privacy board. Nurses also need to understand their HIPAA notice of privacy practices so they can respond to patient questions about the rules.

"Patient safety is everyone's concern and always has been, but HIPAA has raised some issues and has helped us all improve our practices and performance in the patient privacy arena," Klove said. She said nurses would continue to have updated sessions on HIPAA and that the policies and procedures also are posted on the hospitals' Web site.

Hope Hammond, privacy officer at the University Medical Center of Southern Nevada, said nurses went through an intense five-week training effort before the April deadline. "The gist of it is, confidentiality is not new, patient privacy isn't new, but that there are some changes and processes nurses need to be aware of, including the ability to answer patients' questions about their rights.

Use common sense

"The rules require reasonable safeguards, not a huge construction project," Hammond said. "There are subtle changes, but not anything overwhelming." An example, she said, is making sure computer screens face away from the public or have privacy screens attached to them. Patient charts are always to be face down on carts and any written information about patients put in folders.

Smith said that although there are penalties for breaches in compliance, the final rules effective May 19 from the Office for Civil Rights say the initial approach to enforcement will be "complaint-driven" and that informal resolutions will be emphasized over penalties.

However, the OCR can impose fines of $100 "per incident" up to a maximum of $25,000 per year for each breach of a privacy standard.

At South Peninsula Hospital, follow-up meetings will address privacy questions and a Web site was created for the staff to access HIPAA policies and procedures, Seitz said.

"We made sure our care providers, managers, physicians and board members had a good understanding of the requirements and the consequences. We also offered training classes to local clinics, law enforcement agencies and media groups," she said. "The response from nursing has been great."

Contact John M. Leighty at johnsan@aol.com