We all want to keep information about our health private. Most of us feel that only those medical professionals who need to know about us the doctors and nurses treating us should have access to our medical information. On April 14, a new law went into effect that seeks to protect patients' privacy. This law the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA is already having a dramatic impact on how we all do our jobs at Health Sciences. A concerted effort on everyone's part is needed to ensure full compliance.
Most Health Sciences employees have already been introduced to HIPAA through the training sessions conducted by HIPAA Coordinator Vivian Dupuy and me for the more than 4,000 doctors, nurses, administrators, researchers, support staff, and students. We continue to train new hires, students, and anyone who missed the initial training sessions; the sessions will be ongoing so that everyone on campus becomes familiar with HIPAA's requirements. For example, employees need to know that, as defined by HIPAA, protected health information includes all identifying information patients provide and information about their treatment, such as name, address, age, Social Security number, diagnosis, medical history, medications, and observations of health status.
Inevitably, HIPAA is having an impact on the Health Sciences culture. People now understand that sanctions have been and will be applied to those who violate patient privacy and that it is illegal under most circumstances to release health information without permission or fail to adequately protect that information from unauthorized release. (See sidebar for ways to prevent privacy violations.) People who intentionally disclose information for financial gain can be fined as much as $250,000 or jailed for up to 10 years.
As part of its protections, HIPAA also increases the patient's ability to control how his or her health information is used. The law enables patients to access their records, request amendments to his or her health information, and limit the ways a healthcare facility uses information about them. Now a patient seeing a doctor for the first time must receive a notice about his or her rights to privacy.
Apart from its impact on patient care, HIPAA is also having an important effect on clinical research. I work with the four Columbia Internal Review Boards to ensure HIPAA requirements are met in all Columbia research efforts. We created a separate training course for researchers posted on Rascal the Web site for research administration at Columbia.
Researchers must obtain patient authorization or waiver of authorization to use protected health information about patients in their studies. The researcher has to explain to the patient what information will be used, how it will be used, and how a patient can revoke the authorization. HIPAA has also placed new restrictions on how patients may be contacted to participate in a trial. Researchers generally have to have a patient's primary care doctor contact the patient or get permission from the primary care physician to contact the patient. Previously, researchers were able to contact prospective study participants directly. The general rule today is: Don't do anything that surprises the patient.
This rule of thumb applies to fund raising too. Fund-raisers used to be free to contact someone who had a particular disease for which money was being raised. Not anymore. Now we can't use treatment or diagnosis information in fund-raising unless we have specific written authorization from the patient. We are exploring ways to work within the restrictions but give patients options for learning more about the work we do here.
Getting this campus up to speed has required a major effort, one that could not have been accomplished without the hard work of many people, including Dr. Steven Shea [Hamilton Southworth Professor of Medicine at P&S and professor of epidemiology at the Mailman School of Public Health], Dr. Soumitra Sengupta [assistant professor of biomedical informatics], Kathleen O'Donnell [vice president and senior associate dean for clinical administration], Kevin Kirby [vice president and senior associate dean for administration] and many clinical department administrators.
Like anything new, getting used to HIPAA will take some time, but ultimately, I feel everyone will come to appreciate its benefits. After all, we live in an age when it's getting harder and harder to protect ourselves from intrusions into our personal lives. The rationale for HIPAA, to keep that most intimate facet our lives our health to ourselves, should be welcomed by everyone at Health Sciences.