Protecting patient information health care facilities gear up for privacy regulations

Nevada RNformation, May-Jul 2003 by Trossman, Susan

Every day nurses and other health care professionals routinely share information about patients. Day-shift nurses pass on vital information to evening-shift nurses during report. Consulting physicians write their assessments in charts, which include information on everything from recent laboratory results to a patient's insurance carrier.

But "routine" practices have taken a serious jolt lately as health care administrators and staff prepare for federal privacy regulations that take effect in April. The rules, which are the latest requirements of the Health Insurance Portability and Accountability Act (HIPAA), are designed to protect the way patient information is stored and conveyed, and dictate to whom it is revealed. The rules also give patients access to their medical records, as well as the ability to amend them.

"The premise of HIPAA is no different from the way nurses have been practicing since the time of Florence Nightingale," said Beverly Essick, MSN, RNC, privacy program manager at Wake Forest University Baptist Medical Center in Winston-Salem, North Carolina. "Nurses believe patients have a basic right to privacy and confidentiality, and they have advocated these rights throughout nursing's history."

Current events, legislative history

Though not rampant, there have been instances, or at least attempts, to misuse patients' health information. For example the ANA, the Iowa Nurses Association, and a local Planned Parenthood chapter recently prevented a county prosecutor from accessing the pregnancy records of women who used clinic services, The prosecutor was investigating the death of an infant found at a recycling center.

To protect consumers' health information, Congress passed the 1996 HIPAA with a stipulation that federal legislators pass a privacy measure by August 1999. If Congress failed to do so-which it did-the 1996 law required the U.S. Department of Health and Human Services to create privacy regulations. The final regulations were published in December 2000, modified by the Bush Administration, and released in August 2002.

The process of compliance

Health care workers say the new privacy regulations are complicated, subject to varying interpretations, and sometimes panic inducing. (One rumor had it that hospitals would have to make all their rooms private.) Many administrators brought in consultants, sent staff to special seminars, or created full-time privacy officer positions to ensure HIPAA compliance because egregious violations can result in hefty fines and criminal charges.

Shands Hospital at the University of Florida in Gainesville hired a security and privacy officer two years ago to work with nursing and other hospital departments to comply with HIPAA regulations. As part of this effort, the hospital has reviewed, revamped, and created new policies-some still in draft form-to strengthen the way it protects patient information.

"We really have had to look at every single thing we do," said Florida Nurses Association member Rose Rivers, PhD, RN, CNAA, vice president for Nursing and Patient Services at Shands. Determining exactly who needs to know what is a major priority. For example, should employees have access to patient information beyond their own unit or documentation that details a patient's previous hospitalizations?

Another effort involves looking at how patient information is handled-be it printed copies of patient results, data on hard drives, or information transferred between databases, Rivers said. For example, a nurse or staff person who accompanied a patient to the radiology department would previously have left the patient's chart on the counter but now must hand it to a department worker or leave it in a secure place.

With nurses' input, Shands eliminated public displays of information that could identify patients easily, such as door tags with patients' names and uncovered flow sheets at the bedside. And to monitor and prevent access of patient information by inappropriate personnel, computerized information is password protected.

In a recent policy change, all employees must review and sign a confidentiality agreement when hired and at every performance review. Additionally, legal, privacy, and security staff members have been working to ensure that all computer software has the capability of keeping patient information HIPAA secure. Contracts with vendors, nursing schools, and other educational programs are being reviewed and revised to specifically address patient privacy safeguards.

At Wake Forest University Baptist Medical Center, Essick said, staff members are reviewing new and revised policies, and hospital administration plans to test the new privacy and confidentiality practices for about a month before the regulations take effect.

The hospital's HIPAA steering committee is reviewing all consent and authorization forms and examining when and by whom patient information is distributed as patients enter and move through the system.

To meet a training component of the privacy rule, Essick said, her facility will use various methods to educate its 10,000 employees and affiliated personnel on HIPAA compliance based on their positions. RN staff will receive both online and face-to-face training on the regulations and policy changes.