The April 2003 deadline for complying with the Privacy Standards of the Health Insurance Portability and Accountability Act (HIPAA) may seem far away, but it's not too early for facilities to start preparing. The new Privacy Standards are much stricter than many state privacy laws and, in many cases, you may have to change practices and behaviors that have become ingrained in your staff and surgeons. In this article, I'll alert you to some common ways that facilities may be non-compliant and suggest some ways to correct these errors.

Disclosing information without consent
In the past, medical staff would routinely discuss a patient's medical condition with his or her family members. Under HIPAA, however, health care providers will be restricted in their ability to release personal health information to a family member unless the patient has signed a release form authorizing it. While many healthcare providers already use informed consent forms before performing surgical procedures, HIPAA requires a separate consent form to allow a facility to use or disclose a patient's protected health information for treatment, payment or health care operations. A separate authorization form is generally required for all other uses and disclosures unless the law provides otherwise.

The law does, however, allow practitioners to exercise "reasonable judgment" when disclosing certain patient information, provided the practitioner is reasonably certain that the patient does not object to the disclosure. If the patient is not present or cannot agree or object because of incapacity or an emergency, the practitioner may only disclose information that is directly relevant to the person's involvement with the patient's health care. A practitioner may also use professional judgment and his or her experience with common practice to permit a person to act on behalf of the patient by picking up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. This would seem to allow for providing information about a patient's post-op recovery time to a friend or family member who is waiting to drive the patient home.

As with many parts of the HIPAA Privacy Standard, the meaning of "reasonable judgement" is not easily defined. It will take some time to determine how the guidelines are going to be enforced. When in doubt, it is best to obtain the patient's consent.

Making records accessible
HIPAA was designed to protect a patient's medical privacy and personal health information. To this end, HIPAA requires that facilities limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary rule limits the disclosure of protected health information by the facility when the disclosure is not for treatment purposes.

Here are some ways facilities may be unwittingly releasing information that they should keep private:

Giving billing personnel unnecessary access to a patient's medical records. Your facility will need to determine and document in its policies and procedures what patient information billing staff needs to perform its functions and identify the circumstances, if any, under which disclosures or requesting the entire medical record is reasonably necessary. In many cases, the billing staff will need the patient's name, address, and list of treatments or services, but they may not need the past medical histories, for example.

Leaving medical records unattended and accessible to unauthorized staff. I recommend keeping the medical records cabinets locked to prevent any staff members without authorized access from viewing this information. Another good way to restrict access to records is to have them in a separate locked room. Also, require authorized staff to sign out medical records when they need them. Finally, your facility should make it a habit of checking identification before permitting access to medical records.

Leaving a patient's record displayed on a computer terminal in view of other patients or unauthorized staff. Start using passwords on your facility's computers. The Privacy Standards do not specifically require the use of passwords but the DHHS Office of Civil Rights has suggested that the use of passwords would meet the reasonableness standard for minimum necessary uses. Most computers have the capability of switching to a password-activated screensaver after someone walks away from the computer for a minute. Passwords should not be stored anywhere near the computer.

You may also want to think about where your computer stations are located and who can see them. Computer monitors in the sign-in area, for example, should not be viewable by patients checking in. You may have to consider adding a barrier or moving the computer away from the front desk.

Allowing doctors to openly discuss a patient's condition in public areas of the facility, such as the lobby or hallways. If this is a problem at your facility, I would recommend posting signs in lobby areas, hallways, and elevators to remind doctors and other staff members to protect patient confidentiality. The best way to prevent these kinds of violations is to educate your staff as soon as possible about HIPAA compliance, so they will have time to modify their behavior before the April 2003 compliance date.

Contracting with businesses who don't follow HIPAA standards
One of my clients recently discovered that the medical records disposal company his facility contracted with was holding records in unlocked storage bins on a loading dock for three or four months before shredding and disposing of them. Many of the bins appeared to have been rummaged through. In that interim period, anyone might have broken into the facility and taken these files. This illustrates the importance of being very careful with the third party companies you deal with. Any third party businesses that have access to your patients' personal information, such as medical transcription businesses, outside billing companies, or medical record disposal services, must also comply with HIPAA regulations. If you don't take reasonable steps to ensure they are complying, your facility could be penalized. You may not be held fully responsible for violations on their part that you don't know of, but just being associated with a non-compliant facility could lead to a public relations nightmare.

Draft business associate contracts with your third party companies to ensure that they are following the same privacy restrictions as you; it's best to have an attorney help you with the specific legal verbiage.

Taking the first steps
Start educating your staff. It is not too early to begin educating your physicians and staff about HIPAA. You are going to need their understanding and cooperation to make these guidelines work at your facility. In most cases, complying with the new law requires more than just policy changes; it requires staff members to change their understanding of a patient's right to privacy. And this kind of change requires a period of adjustment.

Start reviewing your current policies and procedures. HIPAA regulations touch upon so many different aspects of administrative policies that it may seem daunting to even know where to start. Start now by compiling a list of policies that may be non-compliant and investigate them. For example, begin analyzing your current patient records, either on paper or on a computer database, and inspect who has access to these documents and if they really need access. If you start doing this research now, you'll have a much easier time getting your facility compliant by the April 2003 deadline.

Start taking an inventory of your business associate arrangements. Chances are your facility has a number of arrangements, written and oral, with third parties who would be classified as business associates for HIPAA purposes. Draft written contracts with all of these third parties. You will have to amend existing contracts that do not contain the necessary business associate language (very few of them do) and, in some cases, form new contracts. Since many business associates will resist new contract provisions, I suggest allowing sufficient time to educate your business associates about HIPAA compliance and what their privacy obligations will entail.

Compare HIPAA to state law requirements. HIPAA establishes a floor for patient privacy. A number of states have laws that are more stringent than the HIPAA standards. In general, to the extent that state law is more stringent that the HIPAA standards, the state law will prevail. Since Federal preemption analysis can be very complicated, I recommend consulting with your state's medical societies, state HIPAA task forces, and/or HIPAA attorneys to assist in this analysis for your facility.

Scott A. Edelstein is a partner in the law firm of McDermott, Will