Private lives, public concerns
Safeguards for patient data take on a new urgency as HIPAA’s impact becomes apparent.
A patient’s chart can be many things. It is a compendium of ailments and treatments, but it is also a life story, full of clues to a patient’s state of mind, love life and financial status. In settings such as the Yale-New Haven Hospital and the School of Medicine, this window into a person’s life is open to physicians, nurses, medical students, residents, clerical workers, pharmacists and others who might need access to it. Now the long-awaited implementation of a 1996 law requires that all health care workers privy to a patient’s personal information be trained in protecting confidentiality.
The Health Insurance Portability and Accountability Act, or HIPAA, requires health care professionals to protect privacy and create standards for electronic transfers of health data. The Office for Civil Rights at the Department of Health and Human Services will enforce the regulations and impose penalties on institutions that do not make a good-faith effort on privacy and security. The deadline for university compliance is April 13, 2003. Electronic exchange standards will be required six months later.
Horror stories of people being denied jobs and loans because of their health status prompted Congress to pass the law in 1996. Also looming was the prospect of genetic discrimination given the possibility that one’s genes might be predictors of disease (see “Tailor-Made Medicines Are Within Our Reach”). “There is no question that legislation ensuring the right of privacy to medical information is necessary,” said Jed M. Shivers, M.B.A., deputy chief operating officer of the Yale School of Medicine and a member of the university’s executive steering committee on HIPAA compliance. The most pernicious abuses regarding privacy stemmed from the sale of information by insurance firms or others. But leaks of personal data also occur due to carelessness. For example, Shivers pointed out that staff can no longer discuss cases while another patient is in the room. Patient and drug names, which might provide hints of specific ailments, may no longer be listed on receipts. “Our strategy is to create a strong network, make the system locked down and have information take the appropriate path,” Shivers said. Faculty will be trained to secure data on computers and portable devices with passwords, automatic locking screensavers and other tools.
“This is an opportunity to do the right thing and become more efficient by automating the processes that should be automated,” said Susan E. Grajek, Ph.D., director of communications and technical support for the medical school’s information technology service, ITS-Med.
The regulations are still evolving, but they require most medical providers to obtain a patient’s written consent before disclosing information; institutions must hold onto the consent forms for six years. “The concept sounds basic and straightforward, but there are hundreds of pages of complicated regulations,” said Julie Behm Carter, J.D., associate general counsel for Yale.
The biggest changes will be in terms of education and awareness, according to David Stagg, Ph.D., director of Systems Engineering and Security for ITS-Med and a research scientist in pharmacology. Care will be taken to keep records private, from simple matters such as not leaving faxes exposed on a desk to installing encryption tools on computers.
The university is surveying more than 5,500 people, including employees, postdocs and other fellows, researchers and volunteers, to determine how and where records are stored, how many people must be trained and how protected information is used. Shivers expects everyone at the School of Medicine to undergo some training on an interactive website. Training is on hold while the government modifies the rules. Grajek does not expect the Web-based training sessions to last more than 90 minutes. “I’m optimistic that HIPAA won’t be overwhelming,” said Grajek, who also coordinated preparations for Y2K conversion at the medical school. “People must take HIPAA seriously, but there will be minimal disruption.”
Shivers noted that the law is not perfect and will continue to evolve as institutions adapt. Already, the government has eased regulations about research and sharing knowledge with medical students.
“This will be an ongoing effort,” said Janet E. Lindner, a project manager in the office of the vice president of finance and administration, who will organize implementation of HIPAA at Yale. “But people throughout the university are working together as a project team on a goal we all care about.”