Deadline near for compliance with privacy law
For the past several months, the U-M Health System (UMHS) has been preparing some 20,000 people across campus for new national regulations set to take effect next week governing the privacy of patients and M-CARE members.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, and privacy regulations passed pursuant to the law are enforceable April 14.
HIPAA has at its heart a general premise of respect for patient privacy and the secure handling of health-related information, says Deborah Biggs, interim privacy director at UMHS. This includes patients receiving care in the U-M hospitals and clinics, and those who are the subjects of research.
"It is wide-sweeping regulation that impacts many units," Biggs says.
UMHS attorney Ed Goldman, University Privacy Director Leo Rutledge and Biggs have taken word of the new policy to faculty and staff in the Health System, School of Dentistry, School of Public Health, Human Resources and Affirmative Action, Office of the Vice President for Research, and various units of Central Administration, including News Service, where staff sometimes are asked for patient information by media, though the majority of such inquiries are handled by UMHS.
The law also requires health care institutions to work with vendors on protecting privacy of patients they might come in contact with while providing services. Information has been shared through a special Web site (http://www.med.umich.edu/u/hipaa/), a video, and presentations to groups and individuals.
"Under the privacy regulations, patients must be informed about how their patient information will be used and given the opportunity to object to or restrict the use or release of their information," Goldman says. Patients learn about their rights by receiving a Notice of Privacy Practices.
Hospitals may use and disclose patient information without a patient's consent for purposes of treatment, payment and health care operations, Goldman says. The privacy regulations also allow the release of limited information about inpatients without authorization when someone specifically asks about the person by name. Unless the patient objects, the following may be released:
• patient name
• his or her location in the health care facility
• his or her condition, described in general terms that do not communicate specific information about the individual (good, fair, serious, treated and released, etc.)
• religious affiliation, but only for clergy.
UMHS has established a number of guidelines to safeguard private information, including:
• Keeping patient information in forms—such as sign-in sheets, registration cards, paper charts and computer screens—out of public view
• Logging off computers and using software with a time-out function for times when someone steps away from a desk
• Using a password to protect home computers and laptops when work must be done at home, and keeping only the information necessary to do the work
• De-identifying patient information—removing identifiers, such as name, address, social security number, registration number and photos—when using it for educational purposes. Considered a normal part of health care operations, using patient health information (PHI) to teach students and trainees is permissible, but authorization in advance must be obtained if PHI is to be used to educate members of the public or other patients
• Notifying patients that e-mail is not necessarily secure
• Getting permission from a patient before leaving appointment, billing or health care information on voicemail or by fax transmittal, and then leaving as little information as possible.
The new rules also impact University research. "The way we collect data for research will change," Biggs says. She cited as an example use of information from a deceased person. In the past, the federal "Common Rule" allowed such information to be used without permission. Now researchers must seek approval from either their Institutional Review Board (IRB) or a newly formed privacy board.
The Common Rule will remain in effect, but the privacy regulations add new criteria requiring researchers to: prove that the use or disclosure of PHI only will involve "minimal risk" to privacy; show a plan for protecting identifiers and destroying them at the earliest convenience; and provide written documentation that the patient has authorized use of his or her PHI.
Goldman says the new regulations were prompted by a number of changes in health care, among them the growth of the industry itself. "The federal government is interested in having one consistent set of privacy and security regulations for every state," Goldman says. Increased use of technology, the growth of health care marketing and advances in research science also have led to concerns about protecting patient privacy, he says.
Biggs says in many ways the previous state of Michigan rules for protecting privacy were even more restrictive than HIPAA, which seeks to set national standards due to a wide discrepancy in how states handle the issue. Still, she says, the new regulations represent pages of small changes that need the attention of health care workers and researchers.
"UMHS and the University are working very closely on the new privacy regulations to ensure consistency across the organization," Biggs says.
For more information on the new regulations or to schedule a review session, go to the University's Web site at http://www.med.umich.edu/u/hipaa/.