New federal medical privacy rules cause headaches for health care professionals

Friday, May 9th 2003, 12:00 am
By: News On 6

NEW YORK (AP) _ Patients visiting Drs. Jeffrey Mazlin or Howard Shaw remark on how much nicer the office looks since a wall was removed, creating a bigger, more open space.

Aesthetics wasn't the point.

The wall was knocked down two months ago to ease patient traffic that often clustered around the reception desk because someone might see another person's medical file. Nowadays, such an accidental glance could be construed as a federal offense.

Federal regulations that went into effect April 14 mandate that health providers, insurance companies and pharmacies limit disclosures of patients' medical information. Providers have spent millions of dollars and countless hours readying for the privacy portion of the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.

Compliance has meant changes big and small, from building or tearing down walls, to door locks on rooms with patient files, to removing bulletin boards with patient notes to upgrading software and computer systems.

Enforcement is another matter. The Department of Health and Human Services has hired only 40 people to monitor compliance, so surprise or regular inspections aren't part the review plan. Instead, HHS is counting on individuals to report infractions. It estimates that 21,000 complaints will be filed in the first year; in the first 2 1/2 weeks, 70 were registered.

HHS spokesman Bill Pierce said half the complaints probably won't be privacy-related, and facts and circumstances would determine how the agency proceeds.

For example, he said, leaving a medical file out on a desk once wouldn't necessarily be a violation, but doing it repeatedly most likely would be.

Mazlin and Shaw, Manhattan obstetricians and gynecologists, thought removing the wall was necessary.

``There could be medical charts on the desk, on the computer screen,'' said Barbara Valez, who manages the practice. ``We had to find a way to reduce that traffic.''

The regulations mandate that doctors, hospitals and insurers notify patients of the privacy regulations, describing how their medical information may be used and their rights under the new rules. Directions on how to report violations must also be included, and patients must be told they have a right to review their records, request errors be changed and limit who has access to it.

Many health care providers have been giving patients forms detailing their rights, and asking patients to sign releases.

News organizations can also be affected by the regulations, and are concerned about restrictions on information important to the public. If, for example, victims of disasters, accidents or crimes are taken to a hospital, officials might not release any information without patients' consent, making it nearly impossible to learn the names and conditions of the injured.

Those regulated by the rule are leaving nothing to chance.

``The preparation was massive _ massive and all-consuming,'' said Kathyrn Bakich, vice president-national director for health care compliance at The Segal Co., a benefits consulting firm.

``People are getting hysterical. There is a lot of wiggle room in the regulations, so people have to decide what is a reasonable effort at compliance and what is not.''

Penalties for privacy violations range from a $100 fine to up to a $250,000 fine and 10 years in prison. The most severe punishment is reserved for people who intended to sell medical information for personal or financial gain or to harm the patient.

So far, patients have had little reaction. The University of Texas Medical Branch at Galveston provided patients with a phone number to call if they had HIPAA questions, but many of the calls have been to check on doctor's appointments.

When Robin Ruffner went into a Manhattan hospital last week for plastic surgery, she was irritated at having to sign a form when she was jittery about the procedure.

``I was really nervous and didn't feel like reading a form. I think it would have been better if they gave me them a week before when I wasn't nervous,'' the 31-year old social worker said.

Ruffner also signed a HIPAA release form at a visit to the allergist earlier this month. But overall, Ruffner said, she doesn't mind signing the forms because she thinks laws to protect patients' medical records are a good idea.

The medical community has spent vast amounts to show patients and the government it is serious protecting medical records.The University of Texas at Galveston has spent about $1.5 million, not counting all the personnel time, on compliance. The U.S. Department of Health and Human Services estimates compliance will cost the industry $17.6 billion over 10 years.

Some observers worry that these costs will trickle down to consumers, but HHS spokesman Pierce said efficiencies from electronic transfer of records will save nearly $30 billion over the same time. One of HIPAA's mandates is to standardize the electronic transfer of patient records, but this part of the regulations does not go into full effect until Oct. 16.

Bakich said health insurers are telling clients administrative costs will rise because of updating systems to comply with the regulations, which in turn could increase premiums.

``This comes at a bad time because health care costs were going up anyway,'' Bakich said.

Despite the legions of businesses offering HIPAA advice, health executives say one of the challenging aspects of compliance is deciphering the rules and figuring out what is necessary to comply.

``People would go to one conference and hear one thing and someone else would go to another conference and hear something else,'' said Shelley Witter, manager of information systems at Galveston.

Galveston had to update its computer system so it could make a list of patients who had to be informed of the regulations and track them as they were. It also had to record who might have received information without the patient's consent, which is allowed in certain circumstances such as reporting suspected child abuse.

Another delicate issue has been implementing the regulations without negatively affecting communication between hospitals and doctors and their patients and patients' families and loved ones.

Pierce said hospitals and doctors use their judgment about which family members and friends should receive a patient's medical information. But now many doctors and hospitals are asking patients to put it in writing.

Some units at MCG hospital in Augusta, Ga., have patients create a password given to those authorized to speak with the medical staff.

``This way people can get updates,'' Regina Maier, of the MCG Health System. ``The communication issue becomes harder when so many people live far from family and friends.''

Meanwhile, journalists are still grappling with the laws. In small towns, printing the names of people who went into the hospital or nursing home was common and advocates say such practices unified a community.

``This regulation imposes big city values on us (small papers),'' said Tonda Rush, counsel to the National Newspaper Association, a trade group for small papers.

Rush also fears the new regulations will silence potential whistle blowers from speaking to journalists because their actions could be considered HIPAA violations.

``The confusions and doubts about the law could keep people quiet,'' Rush said.