Hospitals, doctors face tougher patient privacy rules
By LUKE PICKELMAN
Capital News Service
Friday, March 14, 2003


LANSING -- Hospitals and physician offices across Michigan will have stricter regulations to protect patient privacy, starting in April.

The federal Health Insurance Portability and Accountability Act (HIPAA) took effect in 2001, and all health facilities must fully comply with the law by April 14.

"Patient confidentiality has been an issue for a long, long time," said Mark Somneborn, senior director of data services and policy for the Michigan Health and Hospital Association.

Privacy has always been important at Memorial Medical Center of West Michigan in Ludington, said Patricia Cutler, director of marketing for the hospital.

"We have always strived to keep patient information private," she said. "HIPAA won't necessarily change our practices, but puts in writing what we need to do and what will happen if we don't."

Privacy isn't the only issue HIPAA covers. The law was originally intended to save money by changing hospital and physician records and patient health information into electronic formats, which must be implemented by October, Somneborn said. While some facilities already have changed, many still use traditional paper medical charts and files.

"Electronic formats are a good thing -- it saves time and money," he said. "The privacy aspect is also positive, but not necessarily a money saver."

The law was also originally intended to help people keep their health insurance when they change jobs, the "portability" aspect of the law, said Dr. Roger Annis of Holt Family Practice near Lansing.

"But like all things, the law was mutated into what it is today," he said. "It is now more focused on protecting patients' health information."

The change from paper to electronic format resulted in the new law's emphasis on privacy. Congress recognized that advances in electronic technology and increased use of technology could erode patient privacy substantially. Federal privacy mandates were then included. The privacy rule is aimed at keeping patient health information confidential.

The regulation establishes a framework for privacy, but fails to give patients total control over their health information, said Wendy Wagenheim, communications director of the American Civil Liberties Union (ACLU) of Michigan.

"On paper this sounds good," she said. "But they don't need patient consent to do some of these things. It's a step forward, but two steps back."

Often, patients are afraid to tell their physician everything for fear that the information will get back to their insurance company or employer, Somneborn said.

"When a patient goes in to see the doctor, they have to be able to say exactly what's wrong with them," he said. "The more information a doctor has, the better he can treat you."

What the new law does is this: It creates national standards to protect individual medical records and personal health information by setting boundaries on the use and release of these records. It establishes safeguards that physicians and hospitals must achieve. And it holds violators accountable, according to the U.S. Department of Health and Human Services.

It enables patients to learn how their information can be used and what disclosures have been made. It also gives patients the right to copies of their own records and limits disclosure of this information to the absolute minimum needed.

"In general, the medical profession sees this as a formalization and complication of a system that was working fine before," said Annis. "Patients have always had the right to inspect their own information, and we've never disclosed the information without their consent."

HIPAA won't totally eliminate privacy problems in health care, Somneborn said. The idea is to put systems in place that would make it a crime to violate a patient's privacy.

Memorial Medical Center has established a committee to make sure the facility is up to date with the HIPAA rules, said Cutler. The entire staff has received privacy training, and a privacy policy has been set.

"We wanted to go beyond HIPAA," Cutler said.

For example, the law does not prohibit the use of sign-in sheets or calling out names in a waiting room, but the Medical Center has adopted a way to eliminate this practice anyway. Under its "coaster system," patients report to the front desk and, without disclosing their names, tell whether they are there for a scheduled appointment or an unscheduled visit, Cutler said. The patient then receives a coaster that lights up when the registrar is ready to take down his or her personal information in a separate room.

"It isn't required, but we wanted to do it," Cutler said.

The cost for complying with HIPAA is difficult to estimate since it varies among hospitals and other health care providers, said Geralyn Lasher, director of communications for the Department of Community Health. It will cost the state money, however.

"This isn't a new process. We've been planning for it for a long time," she said. "Absolutely it will cost a lot."

The department will spend $35 million -- $30 million of which is federal -- on implementing HIPAA requirements, primarily updating the Medicaid Management Information System, Lasher said. The department has also received special federal funding to cover Department of Community Health and Department of Information Technology staff costs and contractors as part of the HIPAA implementation process.

In the private sector, this process is extremely costly, Annis said. "The amount of work and forms that we will need here to use to meet the demands of the law will literally cost us tens of thousands of dollars each year."

The ACLU's Wagenheim said that people need to be careful and educated about privacy problems, such as health information and identity theft.

"The less privacy we expect, the less we'll get," she said. "Privacy in general has really diminished. Both liberals and conservatives agree that we don't have enough privacy."

© 2003, Capital News Service, Michigan State University School of Journalism