
HIPAA Requires Nurses to Protect Patient Information Privacy and Security


By Jennifer Larson, NurseZone feature writer

The compliance requirements of the Health Insurance Portability and Accountability Act, or HIPAA, have loomed large in the minds of health care administrators and staff ever since Congress passed the federal legislation in 1996.

The act is the first legal protection of medical information and has several deadlines for various parts of the legislation.

HIPAA has three major parts: administrative simplification, security requirements, and privacy protections. The administrative simplification piece requires health care entities to develop standard transactions, where everyone is using the same format for a bill, payment remittance, or other form.

Health care entities are supposed to have standard transaction systems in place by October 2002, but that deadline may be delayed. The U.S. Senate recently voted to extend that deadline by one year, to October 16, 2003, and shortly thereafter the House of Representatives also passed a delay bill.

Despite the delay, the deadlines—and the changes they require—are still imminent.

“If you’re just getting into it now, you’re already behind,” said Mike Cohen, a health care technology consultant for MRC Consulting Group, an information consulting firm for health care organizations.

While the standard transactions component will affect administrators and information systems personnel, it won’t directly affect much of the daily lives of most hospital nurses.

But the privacy and security components of HIPAA will have a direct impact on the work habits of nurses. The regulations will require them to be much more careful about protecting the privacy and safety of patient information.

Kristin Welch, senior associate director of executive branch relations for the American Hospital Association, tells hospital administrators that nurses need to be involved in compliance preparations.

“You really need to get your nurses engaged, because a lot of this will fall in their laps,” she said. “A lot of it is going to be focused on patient care, and obviously nurses are the front line people.”

Every hospital should have a HIPAA implementation team, and nurses should participate, Welch added.

“There certainly should be nurse representation on that team, because much of this will fall to them in dealing with charges and creating a work environment or patient environment where oral communication is limited to comply with the law,” she said.

The compliance deadline for the privacy and security regulations is April 14, 2003.

When HIPAA was enacted, it required the Secretary of the U.S. Department of Health and Human Services to issue regulations if Congress did not enact comprehensive privacy regulations by a certain date. Because Congress missed its deadline, HHS issued landmark federal regulations in December 2000, according to the Health Privacy Project, a part of the Pew Internet and American Life Project and the Institute for Health Care Research and Policy at Georgetown University.

The privacy regulations were scheduled to go into effect in February 2001 but were delayed until April. The recent bills to extend the transaction compliance date do not affect the compliance date for the privacy and security regulations, so that date remains April 14, 2003.

Some consultants believe HIPAA compliance is more about changing mindsets than changing software. Obviously health care entities will have to tighten computer and network security to thwart hackers, but when it comes to complying with the privacy and security regulations, technology isn’t really the answer, Cohen said.

“The biggest part is going to be changing some work habits and some culture…and the way things are done today,” he said. “The privacy and security regulations, while some may consider them onerous, largely are common sense and need to be there.”

The changes in behavior required by the privacy regulations are just a codification of things that health care professionals should have already been doing, he added.

Michael Kreitzer, president of the consulting firm Michael H. Kreitzer Associates, agreed.

“It’s a culture change,” he said.

Protecting patient confidentiality will require behavior changes from nurses, like remembering to find a private place to discuss patients, instead of a busy hallway or elevator, Kreitzer said.

But privacy regulations will still pose some challenges for many hospitals. Not every hospital can afford to install soundproof walls to prevent people from hearing physicians and nurses discussing patient information.

Officials from a large community hospital for which Kreitzer has completed assessments found their facility’s admissions office was cramped for space, but Kreitzer told them they needed to carve out a physical space for privacy during the admissions process.

“They’re looking at me like I’m nuts,” he said. “But I’d rather spend money on figuring out how to create some space…than have some HIPAA compliance problem come up because the fines are much more expensive than the cost of moving a wall.”

According to Kreitzer, HIPAA regulations are designed to encourage health care facilities to make the effort to preserve privacy and security within the context of their space.

“As long as you’re making the effort to keep confidentiality…then we’re OK,” he said. “The setting is what’s important, and it’s the intent.”

Physicians might look for a lounge or conference room, while nurses might choose to discuss sensitive information in an empty room or office at the back of a nurses’ station, Kreitzer said.

But the American Hospital Association has some reservations about the standards for privacy requirements. The regulations may be construed to put communication barriers between nurses and patients, Welch said.

“That’s a very dangerous slope to go down,” she said.

The security elements of HIPAA will require other types of behavioral shifts. For example, a charge nurse on a hospital floor may have to remember a half dozen passwords for the computer system on the unit.

“Trying to remember more than one or two passwords is a nightmare, so they develop shortcuts that a reasonable person might have,” Cohen said.

But easy-to-decipher passwords defeat the very purpose of passwords, Cohen said, recommending that nurses make their passwords more difficult to guess and change them more often. Password sharing is another no-no, he added.

Other behavior is also common sense, Cohen added. Disposing of sensitive notes or information by using a paper shredder instead of a regular trash can, and turning paper records face-down so that no one can catch a glimpse of patient information, are two such examples.

PricewaterhouseCoopers and InformationWeek recently conducted a survey and found that authorized employees are responsible for 58 percent of security threats. Many of those security lapses are common mistakes, like using simple passwords and failing to change them, leaving a computer logged on while away from the workstation so that someone else could gain access to patient data, and leaving laptop computers or personal digital assistants in unsecured areas.

The American Hospital Association has other concerns about the HIPAA compliance requirements on privacy. The association joined with a number of other parties in sending a letter to HHS Secretary Tommy Thompson in October, expressing their reservations.

AHA’s four main areas of concern involve consent, minimum necessary standards, oral communication, and business associate agreements. Consent and oral communication are the two concerns that will most affect nurses, Welch said.

The Patient Privacy Rule requires patients to give consent in written form before receiving care. Also, a patient must receive a notice document on how their information will be used.

According to the AHA, that can be cumbersome in some instances and hold up care in others.

“To have to get a signed consent form before you can even do something like schedule surgery is burdensome,” Welch said, adding that patients seeking care in rural areas may have to drive many miles to a hospital to fill out a form for surgery and then make the same drive later for the actual surgery. “A patient is clearly not going to want to do that.”

HIPAA’s standards for oral communication will require many hospitals to retrain employees to learn what’s acceptable, Welch said.

“That’s going to be difficult to do, and people will be frustrated that it’s changing the way they provide care in a way that’s probably, in their minds, more complicated than is necessary,” Welch said.

She said that there is still disagreement at HHS on what is acceptable under the regulations, so there may eventually be changes.

The minimum necessary standard is a provision that limits health care providers to the minimum amount of patient information necessary to perform a given function. The idea is to preserve privacy, but the AHA believes it hinders communication between providers, as well as patient care.

Originally, HHS exempted external disclosure of patient information from the minimum necessary standard, but not internal use of treatment information. AHA hopes that both use and disclosure will be exempt from the rule, Welch said.

A consulting provider might fall under either category but would need a patient’s medical history before making a decision or diagnosis, she added.

Dec. 7, 2001 © 2001. All Rights Reserved.
