This spring, the federal Department of Health and Human Services will begin enforcing a regulation that has been on the books for almost seven years. It's a law that dictates how much of a patient's personal information a physician can disclose and under what circumstances, and it gives the patient the first word in that debate.
Alaska health care providers have gone to sometimes great measures to meet the requirements laid out in the Health Insurance Portability and Accountability Act, for which enforcement begins April 14. The measure, also known as the Kassebaum-Kennedy Act, was signed into law Aug. 21, 1996.
It was designed to protect patients' "certain, unalienable rights," according to Judith Semo, an attorney with Washington, D.C.-based Squire, Sanderson and Dempsey and an expert on medical legislation.
"The patient is supposed to have control over disclosure of his medical history," she said. "If I go to the eye doctor for a simple check-up, the billing receptionist doesn't need to know if I have AIDS."
Actual disclosure isn't the only topic over which patients will have renewed control.
There are certain rules and regulations that patients and providers alike need to understand once the law goes into effect next spring, said a senior advisor on HIPAA privacy outreach for HHS' Office of Civil Rights.
Legally designed
Health care providers, be they large hospital-administration groups or small physician teams, must meet certain administrative requirements.
Those requirements, the advisor said, comprise designating a privacy official from within the organization; designating a contact person responsible for receiving complaints; making an appropriate effort to safeguard a patient's medical records; training staff and personnel; and contractually obligating any outside consultants that assist in the administrative process to protect a patient's privacy.
Patients, meanwhile, need to be aware of their rights to complain if they feel their privacy has been compromised; receive notice of a provider's privacy practices; inspect and copy their own medical records; and have information in their records amended if they can justify the change.
Under most circumstances, a physician may only disclose a patient's information if that patient agrees, attorney Semo said.
She noted that there are instances, however, in which information may be disclosed without the consent of the patient. Under certain circumstances, usually related to public health and safety when the common good outweighs a patient's personal rights, disclosure without approval is considered acceptable.
But that doesn't mean that the provider does not need to maintain good judgment, Semo said.
"Exceptions usually imply that a person may use or disclose only what he or she needs to disclose," she said. "The ultimate criterion is, in hindsight, is it going to look reasonable?"
The advisor said discipline for a breach of privacy varies, depending on the severity of the situation. Criminal penalties can range from a $50,000 fine and one year in jail to a $250,000 fine and 10 years in jail, she said. Criminal cases are heard by the Department of Justice.
Most breaches, however, will be considered civil offenses, in which fines may not exceed $100 per incident or $25,000 annually, the advisor said. They will be heard by the Office of Civil Rights.
Legally adapted
For Alaska's health care providers, compliance with the April starting date has meant restructuring everything from data-entry and billing techniques to the entire central office.
Providence Health Systems Alaska, the state's largest provider, assured compliance by training 3,600 full-time employees and 600 physicians on the regulation, said Karina Jennings, the hospital's strategic communications program manager.
"It really does involve every aspect of our business," Jennings said. "Each one of those people has to be cognizant every day of what they're doing to affect patient privacy."
Jennings said Providence is unique in the field because it is situated to share compliance concerns with other Providence systems in the Lower 48. She said the Alaska region, made up of a task force representing the hospital's 11 facilities in the state, focused on crafting a contract for business associates.
"We really are lucky in that we are able to share information and productions within the system," she said.
While Jennings acknowledged the increased costs inherent in making the hospitals electronically efficient, she said the bigger expense for Providence was training and manpower.
At Bartlett Regional Hospital in Juneau, one employee has worked full-time on HIPAA since 1998, according to Marijo Toner, the communications manager for the hospital.
She said the officer, John Wray, has trained the heads of every department within the hospital to assure that they will meet the requirements. He also developed an official compliance program and wrote policies that address security and confidentiality, Toner said.
"We are putting a plan into place that defines when, where and how much a patient's information may be released," she said. "We have made a very diligent effort to make sure that everything is compliant."
JoAnne Smith, the officer in charge of HIPAA compliance for Valley Hospital in Palmer, said she is a member of a compliance task force designed to make sure the hospital meets the regulatory deadlines.
Valley Hospital started with the most difficult aspects of the law and worked from there, Smith said. The first step was making sure that both patients and business partners recognized the basic right to privacy. She added that a privacy notice for doctors to distribute to their patients was expected to be ready in January, and an agreement between the hospital and its associates was also in the works.
"We are already doing some of the things we need to do," she said. "We will be compliant on the issues that demand it."
The next phase for the hospital, Smith said, includes standardizing its billing and transaction methods to meet guidelines. Going electronic, she said, won't come cheaply, but she felt the ends will justify the means.
"Getting it set up is going to be expensive," she said. "But, once it's all set up, it will make (medical care) much more efficient and much less costly."
At a family-care clinic in Anchorage, however, the potential gains of electronic record-keeping and billing haven't outweighed the costs of compliance.
Gayle Joseph, the administrator of Medical Park Family Care, said her clinic completely redesigned office practices to meet the ruling's privacy demands.
That meant redoing the procedures the clinic followed, both physically and psychologically, Joseph said. The staff had to be retrained to understand the procedures for compliance with the law, which, she added, made practicing medicine increasingly difficult.
"It's a challenge, and we're doing everything we can to be compliant," she said.