Privacy rules on patients take effect tomorrow

Federal restrictions seek to add protections

Md. law provides most already

Huge proliferation of paperwork is expected

April 13, 2003|By M. William Salganik | M. William Salganik,SUN STAFF

New federal rules on medical privacy go into effect tomorrow, ushering in added patient protections - and a proliferation of paperwork.

The regulations allow doctors, hospitals and insurers to share information needed for treatment and billing, but give patients control over other uses of health data.

For example, patients checking into a hospital will be asked to sign forms in which they can indicate who may - and who may not - be given information about their treatment.

"How many times have you called the hospital for somebody you know, and talked to the nurse? That all goes away" if the patient doesn't give his authorization, said Clifton Gaus, president of Health Professor Inc., a California company that does training and consulting on the new regulations.

The rules also require that patients receive a notice of privacy policy and sign forms saying they have been notified about their rights and designating how they want their information used.

Congress stipulated new privacy rules because of concerns over the sale or inappropriate disclosure of medical information.

In Maryland, the disclosure statements and permissions may be what patients notice most, experts say.

"Patients will be getting new forms everywhere they go," said Lorraine Doo, director of the privacy office at CareFirst BlueCross BlueShield.

The new rules "are very similar to existing Maryland law," said Joy L. Pritts, an assistant professor of health policy at Georgetown University who specializes in medical privacy issues.

While she supports the new rules, she said, "In states like Maryland, you get marginal additional protections with disproportionate paperwork."

Similarly, Joanne E. Pollak, vice president and general counsel of Johns Hopkins Medicine, said Maryland law and the new federal rules are "not, on principle, very different, but administratively, they're worlds apart."

The new rules also require care providers, insurers and companies that process billing information to review their operations to make sure privacy is assured.

At the Parkinson's and Movement Disorder Center of Maryland, a two-doctor practice in Columbia, it has meant shutting the sliding windows surrounding the office receptionists so people in the waiting room can't overhear conversations with patients on the phone.

"It feels kind of like we work at a gas station, trapped behind the glass," said Nicole Saunders, one of the staff members there, who said she's afraid it may seem more impersonal to patients. She said she's also moved her computer to be sure no one can see patient records on her screen.

Pam Isabel, administrator of the nine-doctor Woodholme Gastroenterology Associates, said her practice has made a few minor changes, such as making sure patient charts are hung facing the wall and that patient schedules are hung behind a door.

Russ Strough, chief information officer at Midatlantic Cardiovascular Associates, a 65-physician practice with 10 offices, said he's hired a shredding contractor to dispose of old records and added a statement to the fax cover sheet that says, in effect, "If you're not supposed to read this, don't."

The regulations stem from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that drew attention when it passed largely because it helped people retain health coverage when they changed jobs.

The law did contain other provisions, however, and - after years of haggling over the regulations - the privacy rules are now going into effect.

In October, other regulations take effect on another section of the law, dealing with electronic health data. This requires making sure computers are compatible with other medical record systems - a chore that some in health care have compared with the efforts to prevent computer malfunctions tied to the year 2000.

The impact of the new privacy rules on health businesses hasn't been on the Y2K scale, but it has been substantial on large entities such as Hopkins and CareFirst.

The rules require training all employees. For CareFirst that meant 6,200 employees, plus 500 contractors and temporary workers.

All employees received a one-hour "awareness" session, said Doo, of the CareFirst privacy office. Those who work regularly with patient records got several hours of Web-based training, with a test at the end of each of six instructional modules.

At Hopkins, said Pollak, even employees who don't generally handle patient records, such as the cleaning staff, are trained on what to do if, say, they encounter confidential material in a trash can.

There has been particular concern at Hopkins, Pollak continued, over how researchers can share data and over how much information the hospital can give to its own fund-raising office.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.