We all want to keep information about our health private. Most of us feel that only those medical professionals who need to know about us – the doctors and nurses treating us – should have access to our medical information. On April 14, a new law went into effect that seeks to protect patients' privacy. This law – the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA – is already having a dramatic impact on how we all do our jobs at Health Sciences. A concerted effort on everyone's part is needed to ensure full compliance.

Most Health Sciences employees have already been introduced to HIPAA through the training sessions conducted by HIPAA Coordinator Vivian Dupuy and me for the more than 4,000 doctors, nurses, administrators, researchers, support staff, and students. We continue to train new hires, students, and anyone who missed the initial training sessions; the sessions will be ongoing so that everyone on campus becomes familiar with HIPAA's requirements. For example, employees need to know that, as defined by HIPAA, protected health information includes all identifying information patients provide and information about their treatment, such as name, address, age, Social Security number, diagnosis, medical history, medications, and observations of health status.

Inevitably, HIPAA is having an impact on the Health Sciences culture. People now understand that sanctions have been and will be applied to those who violate patient privacy and that it is illegal under most circumstances to release health information without permission or to fail to adequately protect that information from unauthorized release. (See sidebar for ways to prevent privacy violations.) People who intentionally disclose information for financial gain can be fined as much as $250,000 or jailed for up to 10 years.

As part of its protections, HIPAA also increases the patient's ability to control how his or her health information is used. The law enables patients to access their records, request amendments to their health information, and limit the ways a healthcare facility uses information about them. Now a patient seeing a doctor for the first time must receive a notice about his or her rights to privacy.

Apart from its impact on patient care, HIPAA is also having an important effect on clinical research. I work with the four Columbia Internal Review Boards to ensure HIPAA requirements are met in all Columbia research efforts. We created a separate training course for researchers posted on Rascal – the Web site for research administration at Columbia.

Researchers must obtain patient authorization or waiver of authorization to use protected health information about patients in their studies. The researcher has to explain to the patient what information will be used, how it will be used, and how a patient can revoke the authorization. HIPAA has also placed new restrictions on how patients may be contacted to participate in a trial. Researchers generally have to have a patient's primary care doctor contact the patient or get permission from the primary care physician to contact the patient. Previously, researchers were able to contact prospective study participants directly. The general rule today is: Don't do anything that surprises the patient.

This rule of thumb applies to fund-raising too. Fund-raisers used to be free to contact someone who had a particular disease for which money was being raised. Not anymore. Now we can't use treatment or diagnosis information in fund-raising unless we have specific written authorization from the patient. We are exploring ways to work within the restrictions but give patients options for learning more about the work we do here.

Getting this campus up to speed has required a major effort, one that could not have been accomplished without the hard work of many people, including Dr. Steven Shea [Hamilton Southworth Professor of Medicine at P&S and professor of epidemiology at the Mailman School of Public Health], Dr. Soumitra Sengupta [assistant professor of biomedical informatics], Kathleen O'Donnell [vice president and senior associate dean for clinical administration], Kevin Kirby [vice president and senior associate dean for administration] and many clinical department administrators.

Like anything new, getting used to HIPAA will take some time, but ultimately, I feel everyone will come to appreciate its benefits. After all, we live in an age when it's getting harder and harder to protect ourselves from intrusions into our personal lives. The rationale for HIPAA, to keep that most intimate facet of our lives – our health – to ourselves, should be welcomed by everyone at Health Sciences.

HIPAA in the Real World

HIPAA affects a wide range of medical center operations. Here are some examples of what Health Sciences employees can do to ensure the law is followed.

• Use the password function on a Palm Pilot if it is used to store patient medical records. Misplaced handheld devices containing patient information cannot be accessed if the password function is enabled.

• Employees should not take work home that contains confidential information. In some cases, confidential information can be removed – such as taking the title "Cancer Patients" off a list – to make it acceptable to take home.

• Do not discuss patient information or read medical charts in elevators or other public places.

• When putting medical charts in a holder on the door of a patient's room, make sure the chart is facing inward, toward the door, to hide the name.

• Individuals working in locations with pedestrian traffic, such as at a reception desk or a nurses station, should turn computer monitors away from public view.

• Those with authorized access to patient records should only view records to gain needed information. Looking at records out of curiosity or to feed gossip can lead to employment termination.

• Do not share your computer password with anyone; change your password if you think someone else has learned what it is.

• Files that contain patient information no longer needed should be shredded. Old computers with patient information on the hard drive must be disposed of properly rather than just thrown out because the patient information could be retrieved.

Any questions about HIPAA should be sent to More information is available at

Mr. Davis is associate vice president for HIPAA compliance/privacy officer.