Private parts: Breast cancer screening and HIPAA compliance


Many women who are about to undergo screening mammography aren't in the best frame of mind -- they're nervous and anxious, they find the exam uncomfortable, and they face the psychological stress associated with the word cancer.

At the same time, breast health centers -- along with every other U.S. medical institution -- must deal with a nerve-racking process of their own: maintaining patient privacy and security. Since the passage of the Health Insurance Portability and Accountability Act (HIPAA) a decade ago, practices have wrestled with HIPAA compliance, and adaptation has been slow going.

So what happens when the patient's emotional issues surrounding breast cancer screening come face-to-face with an imaging center's legal requirements surrounding HIPAA? AuntMinnie.com asked this question of Robert Tennant, a senior policy advisor in health informatics at the Washington, DC, office of the Medical Group Management Association (MGMA). Tennant offered his thoughts on how breast imaging centers can gain their patients' trust by making privacy paramount.

AuntMinnie: Compliance with HIPAA regulations is certainly an important issue that all healthcare institutions must address. Do you think there is a particular onus on medical imaging providers to maintain patient privacy?

Tennant: I believe there is an onus on all providers to maintain the privacy and security of their patients' information. While this is now the law, it is also good business. Patients who feel that their information is not being kept private may decide to leave that provider for another.

In the case of imaging centers, in most geographic locations there is significant competition -- an adverse privacy incident that reflects badly on the center may lead to patients refusing to go and a decrease in the number of referrals from physicians.

How important is it for breast imaging centers to comply with HIPAA? Is their responsibility heightened given the sensitivity that pervades this particular imaging subspecialty?

Women who go for mammograms are concerned about their health. Should they have any adverse test results, they also are concerned that these test results are kept confidential. For example, should a woman's employer learn of a health problem, it could impact her employment. As well, health issues related to breast health are intensely personal, and many women would feel uncomfortable if their medical information was seen by unauthorized individuals.

Should a facility's privacy notice take into consideration the greater emotional context of breast cancer screening? Is it enough to comply with HIPAA and assure patients that their privacy rights will be honored, or should a facility go a step beyond that?

I have always counseled medical practices to be very "patient-centric" when it comes to disclosing their privacy policies. While the center is in compliance with the law by simply stating, in "legalese," what their policies are, a better approach is to highlight to their patients just how important keeping their information private is to the center.

In addition, it is critical to train all staff -- including the front-end administrative staff -- that it is not permissible to look at medical records if they are not permitted to, and to be sensitive to the privacy needs and concerns of their patients. Finally, centers should avoid situations where sensitive information is conveyed to the patient verbally in the waiting room, or any other "public" area of the center.

In a talk you gave at the 2006 Health Care Information Technology Forum in San Francisco, you encouraged the audience to be creative with their privacy notices and mentioned a poster that one practice had done. Are there other creative ways to present this kind of information, especially in a setting where there is this air of apprehension?

The center's privacy notice should explain in simple terms the rights of the patient (i.e., to view, amend, and receive a copy of their medical record). This is too often done in a manner that patients cannot fully understand.

In addition, although not strictly required by law, the notice should explain who will review the test results, how the test results will be stored and transmitted (or transported), and to whom the test results will be released.

Communicating a positive message can be done through large posters in the waiting room, which emphasize the center's commitment to information privacy and security. It can also be done by verbally explaining what happens with their test results, who will view them, and to whom they will be released.

Centers concerned about the cost of photocopying notices can laminate a copy of the notice and have the patient read it and return it. As long as the center offers the patient a paper copy of the notice, this is permitted. As I mentioned above, designing a poster to hang in the center's waiting room is an effective method of conveying to the patient the privacy commitment of the center.

Does HIPAA offer guidelines for test result notification methods? Along with the privacy notice, would it be worthwhile to ask the patient to "rank" their notification preference (e.g., first choice: mail, second choice: call to a specific telephone number)?

Patients should be strongly encouraged to review and comment on the contents of the center's privacy notice. For example, the center may state that their policy is to contact the woman for follow-ups using her home telephone number. There should be an opportunity in the notice for the patient to amend this and request that her cell phone number be called.

I recommend having the privacy notice explain the policies and procedures of the clinic to notify patients, in simple language. Have the patients review the notification policies and check "yes" if they approve of the policy or "no" if they don't, and offer an alternative method of notification.

How would you recommend that a facility handle "gray" areas of privacy? For example, a woman has been called back to discuss the results of her diagnostic mammogram with the radiologist, and she wants to bring her sister into the consultation room with her. Or a patient requests that she be notified of her test results at her home by phone. Her husband answers and says he will relay the results to his wife.

These "gray" areas are actually pretty straightforward. HIPAA is clear that if patients bring another individual into a clinical setting (consultation room) they are permitting the provider to disclose information to them. The clinician may still wish to remind patients that sensitive information may be disclosed during the visit and ask if they would like to have their relative or friend remain in the room.

In terms of relaying information to others over the phone, the privacy notice should ask if the patient would like to identify any other individual with whom test results could be shared. If the husband has not been identified in the notice, no information should be released to him. The center's representative should simply state to the husband that the woman should call (the center). My belief is that the center should err on the side of caution when releasing information to individuals other than the patient.

There are specific guidelines for complying with HIPAA while also adhering to the Mammography Quality Standards Act (MQSA) in terms of releasing information (to MQSA inspectors, referring docs, labs, etc.). What are some ways that a breast imaging facility can keep its staff aware of and up-to-date on these rules?

Employees who have violated center policies should be reprimanded. As well, staff should be told of these instances and how to avoid them in the future during regular staff meetings.

In terms of staff training, I recommend that staff be constantly reminded of the center's commitment to privacy and security. This can be accomplished through regular e-mail or staff meeting reminders.

A most effective technique is to discuss actual or fictional issues, and have the staff respond with the appropriate action. For example, at a staff meeting you can relate an issue (e.g., "What do we do when someone calls claiming to be the husband of a patient? Can we disclose test results?") and discuss proper procedure.

Some provider organizations have organized "HIPAA days" when staff look for potential problems and find ways to solve them. It is always possible to find creative ways to educate staff.

There are also excellent online training programs and consultants who will come to your organization to train the staff. Before investing in these expensive solutions, however, I recommend reviewing the plethora of industry materials available for no or low cost to determine if you can develop a training program yourself that staff will find useful.

In terms of privacy and security issues relating to centers, there are a number of organizations that potentially could provide updates and assistance in terms of privacy and security issues relating to centers. These include the National Coalition for Quality Diagnostic Imaging Services, the American College of Radiology (ACR), and the RSNA.

According to the 98-1-1 rule, 98% of patients have never heard of HIPAA; 1% have heard about it and remain uninterested; and 1% have heard about it and are concerned. Given how litigious the field of breast cancer screening is, how important is it for a facility to have a plan in place to deal with the 1% who have a grievance?

While it is always a small number of patients who feel that their privacy rights have been violated and who take action against the center, I strongly encourage centers to train all their staff on how best to handle issues and complaints from patients.

Sensitivity to the concerns of the patients will almost always permit the issue to be resolved before the dispute is forwarded on to the Office for Civil Rights, or OCR (the federal agency that enforces privacy), as a formal complaint. However, it is just as important to have the center develop a reporting and documentation policy that will identify, track, and resolve complaints.

Does compliance with HIPAA regulations act -- in any way -- to shield a breast imaging facility from the potential of lawsuits? Obviously, there are many factors that determine whether a patient will opt to launch a malpractice suit. But can adherence to privacy and security rules serve as a defensive tool for a practice?

Under HIPAA, federal private rights of action are not permitted for patients. In other words, patients have no right to sue imaging centers under the privacy regulation. Only the federal government has the authority to file an action for violations of the privacy rule. The worst case scenario under HIPAA, in the vast majority of situations, would be civil fines, though with over 20,000 complaints to OCR so far, no civil fines have been levied.

Having said this, many state courts have adopted HIPAA as the "reasonable test" for ensuring that providers maintain the confidentiality of medical information, and centers might be subject to state sanctions. Thus, patients may be able to sue under state law using the HIPAA privacy regulation to establish the appropriate standard of care. As well, malpractice actions may include the disclosure of the center's privacy policies and procedures.

By Shalmali Pal
AuntMinnie.com staff writer
October 2, 2006

Copyright © 2006 AuntMinnie.com
