Letters to the Editor

Is Privacy of Medical Records Going Backward?

May 2002
The proposed changes to the HIPAA privacy rule announced 2 weeks ago by the Department of Health and Human Services (HHS) loosen restrictions on providing care before obtaining consent and discussing patient care out loud with other clinicians. Just as the M.D. credential obligates you to adhere to the tenets of the Hippocratic Oath, the R.H.I.A. credential obligates Registered Health Information Administrators to tenaciously protect the confidentiality of private medical information on behalf of patients. Because there was never federal regulation to protect this information, this task has been challenging at best. Also, patients haven’t necessarily known their medical information was being used or what they could do to direct that use. The Department of Health and Human Services along with the Office of Civil Rights have been strategically positioned by the HIPAA privacy standards to improve this legacy while expediting patient care and payment to providers for that care. That was, until March 22, 2002.

We should proceed cautiously in modifying the HIPAA privacy regulations. Recall the original intent of these privacy regulations with these examples from the Federal Register of Dec. 28, 2000:

• 35% of Fortune 500 companies look at an applicant’s medical records prior to making hiring decisions.
• A health system posted records of thousands of patients on the Internet.
• A health department employee took a disk with the names of 4,000 people who had tested positive for HIV.
• A woman purchased a computer that still contained prescription records of pharmacy customers.
• A banker, who also sat on a county health board, accessed cancer records and called in patients’ mortgages.

Administrative simplification was the original intent of the HIPAA regulations. Those of us responsible for running and operating healthcare organizations have questioned this as we’ve learned more about the arduousness of implementing various HIPAA provisions. It isn’t going to be easy.

As leaders, it’s time for us to step up and figure out how best to implement these regulations, share the successful methods for doing so with our colleagues in the healthcare community and maintain the protections that we as citizens have been provided.

Beth A. Kost, R.H.I.A.
Corporate Compliance Officer
Vice President, Professional Services
Precyse Solutions