Time to get hip to HIPAA
Remember the early days of the Clinton administration, when ‘ol Bill anointed his wife Healthcare Czarina and threw her to the lions, with orders to come back with medical insurance for all Americans?
Alas, poor Hilary got eaten alive by the insurance lobbyists inside the Beltway, and the First Lady’s quest for universal health coverage died a quick death.
One innovation that did survive, however, was “insurance portability” — the right to carry your medical coverage over from one employer to the next without undue restriction, such as having a “pre-existing condition” or a family history of a disease. This was protected in a 1996 federal law called, in the elegant phrasing that only Washington can come up with, the Health Insurance Portability and Accountability Act, or HIPAA.
“HIPAA.” Remember that term. Say it five times fast: “HIPPA, hippa, hippa...” Because even if you don’t do a lot of healthcare-facility work, you may still be required to protect “patient confidentiality” under HIPAA’s new “speech privacy” rules. That could involve a project as seemingly innocuous as a drugstore, a dental office building, or a long-term nursing home. Let’s see what this means in practical terms.
From data protection to speech privacy
Among its many goals, HIPAA originally set out to protect the confidentiality of patients’ insurance and medical records, especially computerized files. Given the threat from hackers and others who might misuse sensitive medical information, this seemed a perfectly reasonable thing to do.
Starting April 14, however, the ante goes up. That’s when the new federal speech privacy rule, “Standards for Privacy of Individually Identifiable Health Information,” goes into effect.
At that time, healthcare providers will have to show that they have created “reasonable safeguards” to protect the confidentiality of patients’ conversations with doctors, nurses, medical students, PhD candidates, pharmacists, medical technicians, receptionists, clerks, secretaries — even clergy, volunteers, and maintenance staff.
At the University of Chicago Hospitals, for example, more than 10,000 people are being educated via computer-based training and live sessions.
Historically, most hospital designers and contractors have given lip service to concerns over whether confidential information might be overheard due to poor design. Hospital administrators and facilities managers also wanted precious construction dollars spent on more visible improvements.
But, even without HIPAA, there are sound reasons for tightening up on speech privacy in medical settings. As any experienced nurse or doctor will tell you, patients often withhold embarrassing or sensitive information — an unwanted pregnancy, a history of alcoholism, venereal disease, even homelessness — if they think they might be overheard. Who could blame them?
Without complete information about a patient’s history and condition, though, a doctor might prescribe the wrong drug, or otherwise pursue an inappropriate or ineffective course of treatment.
This can take matters straight from the hospital to the courtroom. Even though the new federal rules won’t go into effect till April, at least 60 lawsuits have already been filed in state courts, with patients’ lawyers claiming that HIPAA’s privacy rules set a “standard of care” that must be adhered to by healthcare providers.
According to David M. Sykes, PhD, vice president of CSM/Acentech, Cambridge, Mass., and Susan A. Miller, JD, a partner with The Kearney Group, Concord, Mass., in one such case, a jury in Washington, D.C., awarded $25,000 to a patient whose HIV status was inadvertently revealed to the patient’s coworkers by a hospital employee.
A drugstore chain in California settled a suit involving a company pharmacist who revealed a customer’s HIV-positive condition to the man’s ex-wife. She used the information in a custody battle.
But don’t panic. You should be able to solve the problem within your budget and using currently available resources. Sykes and Miller note that the feds, in the form of the Department of Health and Human Services, will be looking for four things.
First, solutions should be based on accepted standards. Kenneth P. Roy, senior research scientist at Armstrong World Industries, Lancaster, Pa., says such standards have been developed by the American Society of Testing and Materials, the American National Standards Institute, and the International Standards Organization.
Second, DHHS will ask if you followed “best practices.”
Third, the feds will be looking for solutions that can be measured and monitored objectively.
Finally, you’ll be expected to comply without making expensive “fixes,” such as building walls or installing costly new systems. And you’ll have a year to make the retrofit before the feds jump on you.
What might such “reasonable safeguards” look like? According to Armstrong’s Roy, who holds a PhD in acoustics and is a U.S. representative to the ISO, you should be able to meet HIPAA’s oral privacy standards fairly easily, using a three-tiered approach: 1. Absorb sound, using ceiling panels. 2. Block sound, with walls, ceiling panels, doors, and partitions. 3. Cover up sound, with high-quality sound-masking systems, or “white noise.”
In simple terms, says Roy, “you have to be aware of the signal-to-noise ratio.” In other words, you have to determine not simply how much sound is blocked, but what effect ambient (or supplied) noise has in masking conversations between patients and caregivers.
Roy says he started preaching about speech privacy in healthcare four years ago, but didn’t get much reaction from hospital administrators. “Now there’s the force of law to make that happen,” he says.
There. Now you’re hip to HIPAA. Don’t you feel better already?
For more information:
David M. Sykes
The Kearney Group
Susan A. Miller, JD
Free “HIPAA Brochure”
For a listing of speech privacy lawsuits, visit: www.healthprivacy.org.