Recent headlines about stolen veterans' medical records privacy haven't done much to quell the fears of the general population that their medical privacy is under constant threat. As a result, practice managers should be prepared to deal with patients who are fairly certain that their healthcare information is mishandled, said Robert Tennant from the Medical Group Management Association (MGMA).
In a talk at the MGMA-sponsored 2006 Health Care Information Technology Forum in San Francisco, Tennant offered an overview of the privacy challenges that modern practices face, and how these challenges can be met while maintaining compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations.
Tennant, a senior policy advisor in the MGMA government affairs department, started by highlighting an article in a popular consumer magazine that focused on medical privacy and electronic health records (EHR).
"The bottom line with this article was 'Be very wary of your medical practice because they may be misusing your medical data,'" he explained, adding that there have already been 20,000 complaints regarding medical privacy violations filed with the U.S. Office for Civil Rights.
Accentuate the positive
The first step a practice can take to gain consumer confidence is to offer patients a privacy notice that makes sense. Tennant suggested that practice managers cast a critical eye over their current notices.
"How many people have read their own privacy notice in the last six months?" he asked his audience. "Most of the time, it's (written) in this canned language that you got somewhere from the Internet. It says nothing about your actual practice. Read (the privacy notice) over as if you were two people: (A) Your average patient and (B) a patient who just read (a news report on privacy) and is a little concerned about it. Read (the notice) over and make sure that it's actually giving out information."
While the law requires that the privacy notice is posted in the waiting room, Tennant suggested doing so with a dynamic poster presentation, rather than an easily ignored piece of paper tacked up in the corner of the room.
"What some practices have done is to create a privacy notice poster that explains 'Your rights as a patient in this clinic.' Instead of having HIPAA as a negative, turn it into a positive about the importance you place on privacy and security," he pointed out.
Also, a practice with a Web site is required to post the privacy notice on that site. But even with these public and prominent declarations, the patient should still be offered a paper copy of the privacy notice, Tennant said.
Staff training with Kermit the Frog
On the most basic level, everyone in the practice, including physicians, should be discouraged from discussing patient information in the waiting room, Tennant said.
Less clear is how to decide when medical information should be shared. Patients need reassurance that their health data is not falling into the wrong hands or being held back from the right ones. Staff should be able to make the distinction between those who can have access to health information (referring physicians, for example) and those who may not (family members, employers), Tennant said.
One misconception that medical staff often has is that they are free to peruse all patient information simply because they are employees. "For example, if a (physician's) neighbor is being treated by one of his colleagues, then he has a right to look at (that chart) and that is not the case," Tennant said.
Another example of an in-house HIPAA violation is when real patient data is used for training people on an EHR system. To address that issue, one MGMA session attendee said that she built an entire health record for Kermit the Frog, which is then used for training and demonstration purposes.
Finally, the front office staff needs to be well-versed in addressing -- not dismissing -- patients who lodge a privacy complaint. Staff don't have to be trained in the minutiae of HIPAA, but should be able to listen to the patient (although not in the waiting area) and guide them to the practice's privacy officer, who is willing to apologize for the error if appropriate, Tennant said.
"It's the old 98-1-1 rule," he said. "Ninety-eight percent of your patients have never heard of HIPAA, 1% has heard about it and couldn't care less, and 1% has heard about it and is concerned. If you get one of that 1%, they are the ones that are going to complain ... to your front-end staff. They are the ones who are more likely to go home and submit a complaint to the government. But often, people won't file a complaint if they feel that someone is listening to them."
'What if?'
While privacy issues directly affect patients, security affects a practice. Historically, security controls have been geared toward paper records.
"There's a whole new set of problems when it comes to security," Tennant said. HIPAA security covers three main areas: administrative (organizational practices), physical safeguards (physical access), and technical safeguards (data integrity and confidentiality).
When it comes to addressing technical and physical safeguards, Tennant suggested that the two buzzwords for every practice manager are "What if."
What if the server crashes, which is technically a HIPAA violation? What if a physician's laptop or PDA is lost or damaged? What if employees leave the practice and take key cards or passwords with them? What if the practice's financial data is inaccessible for two weeks?
"Always ask these questions and always have an answer," he advised.
For a practice that sends medical information offsite, either for transcription, coding, or, in the case of imaging, interpretation, business associate agreements must be in place. For extra protection, nonhealthcare contractors (such as the cleaning crew) should sign confidentiality agreements, Tennant suggested. Ultimately, it is the responsibility of a practice to the maintain privacy and security of the data, he said.
Finally, Tennant pointed out that a list of EHR product vendors that have been certified by the Certification Commission for Health Information Technology (CCHIT) is scheduled for release in July 2006.
"My recommendation is don't buy a system that isn't (CCHIT) certified. You don't know what you are getting if it's not certified," he said. In addition, eligibility for pay-for-performance or Stark exception rules may not apply to a practice that uses non-CCHIT-certified products, he said.
Beautiful HIPAA
According to an MGMA survey of more than 34,000 U.S. practices, 14.1% have adopted EHR, with a higher rate of adoption in larger outfits. The cost of converting to EHR is $33,000 per full-time physician. Maintenance of EHR can run up to $1,500 a month and a practice should anticipate a 15% drop in productivity for at least one year postimplementation.
In other words, converting to EHR is not a simple task, Tennant said. "Those are tough numbers and it's tough for you to go to your physicians and say 'Who's ready for the decrease in productivity? Who's ready for these incredible costs?'" he said. "But here's the reality: If you want better healthcare and a cheaper healthcare system overall, you need HIT."
To that end, there is a new emphasis in Washington, DC, on HIT, he said, including the creation of the Office of National Coordinator for HIT. Also, the American Health Information Community (AHIC) serves as an advisory group for developing HIT standards and interoperability. And the National Health Information Network has spurred the creation of regional health information organizations (RHIOs) to interconnect community-based healthcare systems. Lastly, in July 2005, the Senate approved the Wired for Health Care Quality Act."
Tennant referred attendees to a few HIT resources:
"The HIPAA security regulation is beautifully written in that it tells you in broad strokes what to do," Tennant concluded. "But it leaves it up to you how best to handle it. For example, it tells you that you must protect your server. You could have a chain on the door; you could have a guard with an Uzi; you could have German shepherd (dog) out front. They don't care how you do it. The more you can reassure your clients that you are protecting their data, the better off you'll be."
By Shalmali Pal
AuntMinnie.com
July 14, 2006
Related Reading
Health IT bill moves forward in U.S. Congress, May 25, 2006
HIPAA compliance remains inconsistent, April 12, 2006
Dealing with HIPAA changes in 2006, April 6, 2006
U.S. Senate committee moves on health information technology, July 21, 2005
Copyright © 2006 AuntMinnie.com