The Health Insurance Portability and Accountability Act (HIPAA) has the industry questioning its every move. Telephone calls, faxes, and letters are all being reconsidered. So how can facilities reconcile the need for secure patient information with the need to notify patients of their test results?
For patient-notification letters, as with all other sensitive patient information, "there’s nothing in HIPAA that tells you, ‘Here’s step-by-step what you’ve got to do,’" said Jeff Fusile, the national partner in charge of HIPAA advisory services at PricewaterhouseCoopers in Atlanta. "At the end of the day, it’s got to be done in a reasonable manner so as to protect the confidentiality and make sure it gets to the person it was designed to get to."
Virginia Messick, a senior consultant in CTG Public Relations’ HIPAA privacy practice, noted that HIPAA sets a floor, not a ceiling: state laws that are more restrictive than HIPAA are not pre-empted by it and still apply.
"If there’s anything more restrictive, you have to abide by it. A lot of state laws are more restrictive," she said.
Each individual company interprets HIPAA and state law for itself and its business through its own privacy policy, a HIPAA-required document. According to James Keese, Chief Privacy Officer of Eastman Kodak Corporation’s Health Imaging Group in Rochester, NY, the facility or practice must refer to its privacy policy to determine its best course of action for patient notifications.
No matter what type of business or level of confidentiality a group’s privacy policy mandates, Fusile recommended that facilities require their patients, upon registering for examinations, to sign a document ranking their notification preferences (e.g., first choice: mail; second choice: a call to a specific telephone number). That way, the practice or office is protected to a higher degree because the patient had a say in the notification method, he added.
Messick said facilities should use their computer system’s software capabilities as a guideline when formulating the contact forms. "Determine what your software can accommodate. Can it accommodate cell phone numbers? E-mail addresses? How many phone numbers can it put in? Can it flag which one is the preferred method? You don’t want to pull out a paper chart all the time to find out how patients want to be contacted," she said.
Keeping snail mail quiet
When notification letters are sent by post, Fusile said that providers should pay close attention to the envelopes they use. A patient may not want the mail carrier, a spouse, or children to see an envelope printed with the name of a mammography or colonoscopy clinic on the front, for example. Even stamping an envelope "confidential" may draw unwanted attention.
"There’s no guarantee if it says their name on an envelope that they’re the ones who open the mail at their house," Fusile said. "If someone else opens it, it’s mail fraud. There is certainly some safe harbor in assuming that mail fraud is a deterrent. But I open the mail for my wife. You need to foresee the risk that somebody else would open it. If it’s particularly confidential, send them a letter saying only, ‘Your test results are in, please contact us.’"
E-mail encryption
When offices send patient notifications by e-mail, they again must reference their privacy policies, which should cover the electronic transmission of sensitive data. Facilities should ensure that their e-mail providers meet the standards of their privacy policies.
"If a privacy policy states: ‘Any external mail needs to have public or private key encryption, with digital certificates,’ then they can’t use (America Online)," Keese said.
If introducing an entirely new e-mail system and its associated security systems is too costly for a center at this time, Keese suggested installing encryption software that can be used alongside popular e-mail services (AOL, MSN).
However, "if you’re going to make an operational change, if you can afford it, do it all at once versus doing a piece today and a piece tomorrow, because it’s going to cost you twice as much," Keese said.
Phone and fax
When doctors and their offices call patients about appointments or test results, they must ensure that their conversations are confidential, Messick said. "If they’re talking in detail about diagnoses, procedures, and results, they must be in a somewhat secluded area where foot traffic is minimal. These calls should not take place at the front desk, where everyone in the waiting room can hear, or in the hallway, where people in exam rooms can hear," she said.
"Once they get somebody on the phone, then they need to do some kind of verification, so they know who they’re speaking to," Messick added.
When facilities leave voice mail or answering machine messages for patients, they must continue to maintain patient confidentiality. Messick recommends that facilities leave generic messages that name the doctor’s office, provide a telephone number, and request a return call.
Keese agreed. "Keep it simplistic. Cut all the additional information out," he said.
As for faxes, Messick recommends that physicians’ offices avoid them altogether. With fax machines, confirming who actually receives the document is difficult. If the fax goes to a wrong number, for example, the disclosure has already happened and remedying the problem may be impossible.
Liability
So when does a physician’s responsibility for sensitive data end? Ultimately, the best way for a practice to protect itself and meet HIPAA standards is to be up-front with the patient -- make sure that all pre-examination documents clearly describe how the notification process is handled, Fusile said.
"If you said in your (pre-examination) notice, that (test results) will come, stamped ‘confidential,’ in a generic envelope, then I think you’re pretty safe. That’s not to say it’s perfectly safe, but it’s pretty safe," he said.
By Leslie Farnsworth, AuntMinnie.com contributing writer
April 2, 2003
Related Reading
HIPAA security: best practices drive implementation roadmap, February 20, 2003
Looming HIPAA rule highlights healthcare business associates, February 11, 2003
Copyright © 2003 AuntMinnie.com