Jennifer Larson, NurseZone feature
The compliance requirements of the Health Insurance Portability and Accountability
Act, or HIPAA, have loomed large in the minds of health care administrators and
staff ever since Congress passed the federal legislation in 1996.
The act is
the first legal protection of medical information and has several deadlines for
various parts of the legislation.
three major parts: administrative simplification, security requirements, and
privacy protections. The administrative simplification piece requires health
care entities to develop standard transactions, where everyone is using the same
format for a bill, payment remittance, or other form.
Health care entities are supposed to have standard transaction systems in place by
October 2002, but that deadline may be delayed. The U.S. Senate recently voted
to extend that deadline by one year, to October 16, 2003, and shortly thereafter
the House of Representatives also passed a delay bill.
the delay, the deadlines—and the changes they require—are still imminent.
you’re just getting into it now, you’re already behind,” said Mike Cohen,
a health care technology consultant for MRC Consulting Group, an information
consulting firm for health care organizations.
standard transactions component will affect administrators and information
systems personnel, it won’t directly affect much of the daily lives of most
privacy and security components of HIPAA will have a direct impact on the work
habits of nurses. The regulations will require them to be much more careful
about protecting the privacy and safety of patient information.
Welch, senior associate director of executive branch relations for the American
Hospital Association, tells hospital administrators that nurses need to be
involved in compliance preparations.
really need to get your nurses engaged, because a lot of this will fall in their
laps,” she said. “A lot of it is going to be focused on patient care, and
obviously nurses are the front line people.”
hospital should have a HIPAA implementation team, and nurses should participate,
certainly should be nurse representation on that team, because much of this will
fall to them in dealing with charges and creating a work environment or patient
environment where oral communication is limited to comply with the law,” she
compliance deadline for the privacy and security regulations is April 14, 2003.
was enacted, it required the Secretary of the U.S. Department of Health and
Human Services to issue regulations if Congress did not enact comprehensive
privacy regulations by a certain date. Because Congress missed its deadline, HHS
issued landmark federal regulations in December 2000, according to the Health
Privacy Project, a part of the Pew Internet and American Life Project and the
Institute for Health Care Research and Policy at Georgetown University.
The privacy regulations were scheduled to go into effect in February 2001 but were
delayed until April. The recent bills to extend the transaction compliance date
do not affect the compliance date for the privacy and security regulations, so
that date remains April 14, 2003.
consultants believe HIPAA compliance is more about changing mindsets than
changing software. Obviously health care entities will have to tighten computer
and network security to thwart hackers, but when it comes to complying with the
privacy and security regulations, technology isn’t really the answer, Cohen
biggest part is going to be changing some work habits and some culture…and the
way things are done today,” he said. “The privacy and security regulations,
while some may consider them onerous, largely are common sense and need to be
changes in behavior required by the privacy regulations are just a codification
of things that health care professionals should have already been doing, he
Kreitzer, president of the consulting firm Michael H. Kreitzer Associates,
a culture change,” he said.
patient confidentiality will require behavior changes from nurses, like
remembering to find a private place to discuss patients, instead of a busy
hallway or elevator, Kreitzer said.
The privacy regulations will still pose some challenges for many hospitals. Not
every hospital can afford to install soundproof walls to prevent people from
hearing physicians and nurses discussing patient information.
from a large community hospital for which Kreitzer has completed assessments
found their facility’s admissions office was cramped for space, but Kreitzer
told them they needed to carve out a physical space for privacy during the
looking at me like I’m nuts,” he said. “But I’d rather spend money on
figuring out how to create some space…than have some HIPAA compliance problem
come up because the fines are much more expensive than the cost of moving a
to Kreitzer, HIPAA regulations are designed to encourage health care facilities
to make the effort to preserve privacy and security within the context of their
as you’re making the effort to keep confidentiality…then we’re OK,” he
said. “The setting is what’s important, and it’s the intent.”
might look for a lounge or conference room, while nurses might choose to discuss
sensitive information in an empty room or office at the back of a nurses’
station, Kreitzer said.
The American Hospital Association has some reservations about the standards for
privacy requirements. The regulations may be construed to put communication
barriers between nurses and patients, Welch said.
a very dangerous slope to go down,” she said.
The security elements of HIPAA will require other types of behavioral shifts. For
example, a charge nurse on a hospital floor may have to remember a half dozen
passwords for the computer system on the unit.
to remember more than one or two passwords is a nightmare, so they develop
shortcuts that a reasonable person might have,” Cohen said.
easy-to-decipher passwords defeat the very purpose of passwords, Cohen said,
recommending that nurses make their passwords more difficult to guess and change
them more often. Password sharing is another no-no, he added.
behavior is also common sense, Cohen added. Disposing of sensitive notes or
information by using a paper shredder instead of a regular trash can and turning
over paper records face-down so that no one can catch a glimpse of patient
information are two such examples.
Coopers and Information Week recently conducted a survey and found that
authorized employees are responsible for 58 percent of security threats. Many of
those security lapses are common mistakes, like using simple passwords and
failing to change them, keeping computers turned on while away from a
workstation where someone could gain access to patient data, and leaving laptop
computers or personal digital assistants in unsecured areas.
The American Hospital Association has other concerns about the HIPAA compliance
requirements on privacy. The association joined with a number of other parties
in sending a letter to HHS Secretary Tommy Thompson in October, expressing their
four main areas of concern involve consent, minimum necessary standards, oral
communication, and business associate agreements. Consent and oral communication
are the two concerns that will most affect nurses, Welch said.
The Patient Privacy Rule requires patients to give consent in written form before
receiving care. Also, a patient must receive a notice document on how their
information will be used.
to the AHA, that can be cumbersome in some instances and hold up care in others.
to get a signed consent form before you can even do something like schedule
surgery is burdensome,” Welch said, adding that patients seeking care in rural
areas may have to drive many miles to a hospital to fill out a form for surgery
and then make the same drive later for the actual surgery. “A patient is
clearly not going to want to do that.”
The standards for oral communication will require many hospitals to retrain
employees to learn what’s acceptable, Welch said.
going to be difficult to do, and people will be frustrated that it’s changing
the way they provide care in a way that’s probably, in their minds, more
complicated than is necessary,” Welch said.
that there is still disagreement at HHS on what is acceptable under the
regulations, so there may eventually be changes.
The minimum necessary standard is a provision that allows health care providers to
have only the minimum amount of necessary information about a patient to perform
a function. The idea is to preserve privacy, but the AHA believes it hinders
communication between providers, as well as patient care.
HHS exempted external disclosure of patient information, rather than internal
use of treatment information. AHA hopes that both use and disclosure will be
exempt from the rule, Welch said.
consulting provider might fall under either category but would need a
patient’s medical history before making a decision or diagnosis, she added.
Dec. 7, 2001 © 2001. NurseZone.com. All Rights Reserved.