New medical privacy rules create headaches for doctors, patients

Confusion has hindered care, prompted questions

April 23, 2003|By Julie Bell | Julie Bell,SUN STAFF

Sally Finkel thought she was trained and ready when new federal medical privacy rules took effect last week. But the administrator of a 12-doctor practice in Lutherville wasn't expecting this.

The office document shredder was operating at such an intense pitch that the head of medical records rebelled - asking that the whining machine be operated only after she was gone for the day.

Some patients were balking at signing forms that said they acknowledged the new rules. Others were asking so many questions that it caused appointment delays.

"Why do I have to sign this?" one suspicious patient asked Dr. Dana Frank earlier this week in the same Johns Hopkins-affiliated practice at Green Spring Station.

Such are the headaches of life after the Health Insurance Portability and Accountability Act, or HIPAA.

Congress enacted the law in 1996, ostensibly to help people retain health insurance when they changed jobs. But the law contained complex new privacy provisions that produced seven years of bureaucratic wrangling to put in the form of regulations.

After months of training for hundreds of thousands of workers ranging from brain surgeons to receptionists, the privacy rules took effect April 14.

Although patients are supposed to be better protected than they were, and privacy violators face heavy fines, lingering confusion over the rules is having unintended consequences here and across the country.

Medical record mix-ups have kept some cancer patients waiting for chemotherapy in Baltimore. South Dakota clerics who want to comfort hospitalized patients can't always get information about them. Health authorities in New Mexico wonder whether they have to keep detailed paperwork on every person they interview while investigating a case of contagious disease - just in case the sick patient later asks for a reckoning.

"The biggest roadblock has been interpretation of the regulations," said D'Arcy Guerin Gue, a Gaithersburg-area consultant and co-author of Guide to Medical Privacy and HIPAA.

Generally, HIPAA allows doctors, hospitals and insurers to share medical information needed for treatment and billing but gives patients control over other uses.

To protect the identity of patients, doctors' offices are doing everything from having sign-in sheets with peel-off stickers that receptionists immediately remove to rotating computer screens so they can't be seen from waiting rooms.

"A lot of HIPAA is just common sense," said Juliet Allen, who manages a number of outpatient services at Johns Hopkins Bayview Medical Center. But she noted that doctors are more aware now that they should keep the door shut when talking to patients.

One problem is that there is no single way to comply with the rules. One pediatrician told Allen that he would no longer send patients' referrals by fax, requiring one patient's mother to drive over and pick one up.

Finkel's office, Park Medical Associates, is requiring patients to sign a privacy rules acknowledgment as a condition of treatment. But at Bayview, patients can refuse to sign as long as a health-care worker notes the refusal in their files.

At Greater Baltimore Medical Center, about 30 percent of cancer patients are facing delays in getting their infusions because some outside laboratories refuse to send faxes of test results, noting privacy concerns, said Dawn Stefanik, clinical manager of infusion therapy.

The results are needed to determine whether patients' immune systems can handle another round of harsh anti-cancer drugs. "Prior to HIPAA, we could call [an outside lab] and say, `Hi, I'm at GBMC calling for some lab results,' and they would say, `We'll fax them to you,"' Stefanik said.

Now, she said, some outside labs mistakenly believe they can send faxes of the lab-test results only to the doctor who ordered them. So Stefanik has to run down the results by contacting the doctor's office. "The patient sits there waiting," Stefanik said. "It has taken up to an hour or two to get results just so we can treat the patient."

Dr. Timothy Doran, GBMC's chairman of pediatrics, wonders how federal regulators will view a common practice - sharing medical records with schools that evaluate children for developmental problems. "I'm not going to hold up an evaluation," he said. "Most physicians are going to do what they need to do to take care of patients."

To be sure, some hospitals say the transition has been smooth. Bayview has had few problems, Allen said.

Crystal Edwards, director of outpatient care for the Department of Medicine at the University of Maryland, said most patients at her two large outpatient facilities simply pick up forms, sign them and turn them in without question.

But hospitals recognize that questions are bound to come up. Allen looks to a Web site operated by Johns Hopkins' HIPAA office to find answers.

So detailed are the rules that they even govern relationships between health-care providers and so-called business associates, such as accountants or lawyers who may need access to files to do their jobs.

Lee Miller of Shred It Baltimore, a document disposal company, has detailed agreements with every doctor's office he serves. They require that he keep detailed records about which of his employees touched the records and when they were destroyed. Shred It, which has seen its shredding volume grow 20 percent over the past six months, has to keep those records for six years.

Said Miller with a laugh, "We can't even shred our own records."

The Associated Press contributed to this article.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.