The Health Insurance Portability and Accountability Act (HIPAA) of 1996 called for steps to create national standards for the electronic transmission of health information for certain administrative and financial transactions. Congress recognized that, by making information sharing easier for providers and insurance companies, they may have increased the risk of disclosures that pose a threat to the confidentiality of patient records. HIPAA's privacy and security rules address these concerns. > The deadline for compliance with the privacy rulewhich requires what the government calls "reasonable safeguards"is April 2003, and healthcare institutions like Columbia University Health Sciences are already making policy changes to protect medical information. > Jeffrey Davis, Esq., LL.M., Associate Vice President for HIPAA Compliance/Privacy Officer, spoke with In Vivo writer Aileen Moroney about the new HIPAA privacy regulations.
Why is implementation of the HIPAA privacy protections on the Health Sciences campus important for research?
While the Constitution does not specifically detail an individual's right to privacy, the expectation of privacy has become an important implied societal right that the public clearly believes extends to the use of their medical records. In fact, in a 1995 Harris poll, almost half of those questioned stated they were "very concerned" about their personal privacy and a third stated they were very concerned about possible negative consequences of electronic medical records.
The creation of vast medical record databases capable of reducing medical errors, the use of cancer registries or tumor banks in cancer research, and the mapping of the human genome all require analysis of identifiable medical information utilizing advanced technology. These and many other advances in medicine will not occur if individuals do not authorize use of their medical information because they are afraid of the privacy implications of providing such information to scientists for research purposes.
How will HIPAA impact clinical research?
Once plans for a clinical research study are under way, informed consent from study participants is required. How the privacy rule will operate in these circumstances will be very similar to the federal government's "Common Rule," the statute that currently guides the Institutional Review Board, or IRB, the in-house committee that oversees scientific research at academic medical facilities such as Columbia, in obtaining informed consent. Clinical research participants will be required to give a research authorization to permit our researchers to use their health information in the research phase. That research authorization will be built into our informed consent document.
What about other activities, such as the Faculty Practice Organization?
People in the medical profession have been concerned about how HIPAA will change the way medicine is practiced. A big part of my job will be to dispel some of that fear by providing practical guidance. Some of that guidance will be forthcoming relatively soon in the form of brief e-mail memos to faculty practice physicians concerning common issues raised, such as the use of sign-in sheets in waiting areas, e-mail and faxes of patient information, when providers need to track disclosures of patient information, and other issues.
What is often misunderstood is that the regulations require "reasonable safeguards" to be implemented to protect patient privacy. So, for example, calling out a patient's name in the waiting room is not a problem but common sense would indicate that a patient's medical information should not appear on a sign-in sheet or be taken verbally in a public space. Similarly, fax machines and computer screens should be positioned so they are not within view of the general public. These are reasonable safeguards that should be easy to put in place.
Will medical and nursing students be prevented from accessing patient information?
No. The privacy rule, under its definition of "healthcare operation," allows for training programs. Students can continue to see patients and learn under the proper supervision. However, we may need to develop guidelines on how much identifiable medical information is necessary to carry out educational activity.
What are some of the technological implications of HIPAA?
The investment in technology will be substantial. We,re going to be developing significant firewalls to prevent those not associated with the institution from pulling up our databases. We,ll have to develop access controls so people that have no need or limited need to patient information cannot look at anything they don't have a right to see. But the goal is not to stop the flow of information, but rather to develop strategies to protect it.
In addition to you, who is responsible for seeing HIPAA implemented at Health Sciences?
The Health Sciences administration has dedicated significant resources to complying with HIPAA and has put together a HIPAA Steering Committee chaired by Dr. Steven Shea, Southworth Professor of Medicine, and comprised of some of the top medical leadership on the Health Sciences campus. Dr. Gerald Fischbach, executive vice president and dean, set the tone in a recent memo sent to all Health Sciences employees in which he said, "The Health Sciences Division has been and will continue to take its obligations under this new legislation very seriously."
When will implementation procedures be completed?
We will be substantially compliant by the April 2003 deadline, considering we are working with a legislative moving target that has yet to come to rest. However, how we treat patient privacy and continue to comply with HIPAA's provisions will be an ongoing issue. I,m not sure the goal here is to be "done"; it's not a one-time issue like Y2K. In this sense, HIPAA compliance is not so much a race as it is a long walk.
For more information about HIPAA implementation, contact Jeffrey Davis by calling (212) 305-7315 or e-mailing firstname.lastname@example.org.