HIPAA: Confusion, Common Sense, and Codes of Ethics
Two years after the first HIPAA rules came into force, health care providers and patients are probably much more aware of personal health information (PHI) privacy and security issues than ever before. Yet where are we today in the HIPAA process? Some say we are drowning in meaningless paperwork and patient release forms. Others suggest that HIPAA has created a needed framework with national standards for patient privacy. Given the myriad questions and concerns arising from the ongoing HIPAA implementation process, it is not surprising that health providers are sometimes anxious or confused about HIPAA requirements and compliance. Unfortunately, fear and confusion can complicate even the simplest situations. When individuals or institutions are afraid to rely on common sense, experience, and good judgment because they may be fined or jailed for an "incorrect" response, or when they "play by the rules" so rigidly that the purpose of their mission is forgotten, the outcome can be distressing. For example, The Washington Post reported on an early case:
The transplant patient was recovering well when doctors discovered that his new heart might have been infected with bacteria before the operation. When the doctors sought more information so they could give the man the right antibiotics, the hospital where the donor had died refused, citing new federal patient privacy rules (Stein, 2003, p. A01).
Future Trends and Challenges
Unlike the financial services or even the manufacturing industries, the health care industry has been slow to adopt information technology. A peek at the offices of my eye doctor, internist, and gynecologist reveals that personal health information (PHI) is still stored on bits of paper in manila folders, stacked to the ceiling.
As the digitization of this information becomes more prevalent, it will be easier to track, share, and compile PHI across offices, throughout hospitals, or across health care networks. Business Week’s "Special Report: The Digital Hospital" spotlights the Hackensack University Medical Center of New Jersey, which has aggressively integrated health information technology into its day-to-day routines, including wireless laptops that "...allow nurses to record patient vital signs, symptoms, and medications" (Mullaney, 2005, p. 78). Using the same wireless system, "...doctors can place pharmacy orders or call up medical records from anywhere in the hospital" (Mullaney, p. 78). According to the article, quality of care is up and medical errors are down. When Dr. Gross, chairman of internal medicine, recently treated a homeless HIV patient, he requested an HIV drug through the hospital’s digital drug order entry system. Within minutes, Gross received a message on his wireless laptop warning that the drug could interact dangerously with an antidepressant the patient was already taking.
While digitization has many benefits, the balkanization of information can be viewed as an old-line defense for patient privacy. It takes time to track, request, compile, and share paper-based health records, but in digitized format these records (including images) could be searched, manipulated, and shared among the few or millions, at the touch of a computer key. Thus, the health care sector’s overall shift to information digitization may prove to be one of the greatest challenges to privacy, confidentiality, and security. In the introductory articles of this topic, authors representing various areas within health care share their insights on the threats and opportunities that have come with the HIPAA regulations.
Ives Erickson and Millar offer a practical primer on HIPAA rules and how nurses can protect patient privacy, particularly in a busy, crowded health care environment, where conversations are easily overheard and IV bags labeled with names are discarded in open trash receptacles. After touching upon the impact and challenges of technology, the article highlights some common sense strategies and tips in dealing with slippery HIPAA issues such as communication with family members or accessing phone numbers for work-related purposes. Ives Erickson and Millar advise, "Never assume you have the right to look at any type of health information unless you need it in order to do your job." A helpful table of websites discussing HIPAA is included at the end.
Harman provides a concise overview of how HIPAA has affected the nursing workplace, focusing on the initial high costs associated with implementation. The article examines the costs of HIPAA education for health care staff and patients; new administrative costs, including the salaries of those consulting on HIPAA implementation; and lost revenues, resulting from fewer donations from patients who must now sign a separate philanthropy consent form when admitted. Harman emphasizes that one-time educational interventions do not work and notes: "the CIO at Johns Hopkins Medicine predicted it (HIPAA implementation) could cost $10 million a year, based on a combination of costs and lost revenues (Blackburn, 2004)."
Johnson offers a different perspective on privacy issues for nursing. The author argues that it is not possible to provide true privacy in a healthcare setting given the tension between patient privacy and the need for surveillance, which nurses must provide to guarantee patient quality of care. Nursing "depends for its effectiveness upon observation, assessment, diagnosis, classification and reporting. Privacy is the defense against surveillance." The article examines the privacy experiences of patients in the United Kingdom, looking specifically at bodily privacy, space privacy, information privacy, and privacy of individual behaviour, and suggesting that common nursing practices such as patients’ open gowns, exposing a patient’s body, or overseeing a patient’s toilet use, may distress or humiliate patients; at the same time these situations inherently invade their privacy.
"HIPAA Past, Present, and Future" provides a broad overview of HIPAA related issues from a legal perspective. For example, the authors underline the importance of developing agreements between covered entities and their third-party business associates, who may handle protected information but are not directly regulated by the law. Flores and Dodier point out that release forms that are commonly used today "often do not include a "re-disclosure" provision." Depending on the type of Personal Health Information, Federal and state laws may prohibit re-disclosure without specific authorization. Flores and Dodier also explore HIPAA’s possible impact on upcoming health initiatives, including a Unique Patient Identifier, patient safety strategies, the Health Alert Network, personal health record technologies, and consumer driven health plans.
Nursing Advocacy, Common Sense, and Principles
As each old-line defense of privacy falls, nurses, who have always been advocates for patients’ health, safety, and rights, will have to advocate more assiduously and shoulder more responsibility for patient privacy. HIPAA has thrust nurses into new roles of information gatekeepers, record access arbiters, and data gurus under the new HIPAA culture.
How can nurses juggle these important new roles and still maintain their traditional roles of healers and advocates in a fast changing environment? It is telling that several articles in this OJIN issue make reference to nursing codes of ethics, principles, and pledges. Harman refers to Grace Whiting Myers, whose early 1934 pledge states, "no clinical information should be given to anyone, except as authorized" (Huffman, 1972, p. 135). Ives Erickson and Millar point to the Nightingale Pledge and to the American Nurses Association’s Code of Ethics for Nurses, which states: "The nurse promotes, advocates for, and strives to protect the health, safety, and rights of the patient" (ANA, 2001, Provision 3) and includes explicit language regarding privacy and confidentiality.
These principles, pledges, and codes of ethics tempered by common sense, experience, and good judgment (as well as consultations with a HIPAA official when needed) are the cornerstone upon which nurses must rely as they face a more complicated, challenging, and fast changing world.
Privacy Versus Security: A Balancing Act
Patients must also be educated about their privacy rights so that they do not inadvertently sign them away or allow them to be unnecessarily suspended, even during times of crisis. Patients should be aware that exceptions to HIPAA rules permit health care providers to give medical records to the government without prior patient authorization for "national security" reasons. Without an educated patient population, a reasonable balance between patient privacy and government security cannot be struck. Such a balance could be critical to the protection of patient privacy rights as well as other basic rights. During WWII, my family experienced first hand what happens when government security concerns trump basic rights. After Pearl Harbor, they, along with 120,000 mostly American citizens of Japanese descent, were interned behind barbed wires at "relocation" camps for the duration of the war. To guard against this kind of extremism under Homeland Security, nurses will have to be on the front lines of defense against unreasonable or unnecessary incursions into patient privacy. And patients will need to be educated about their basic rights and the possible price they will pay if they are not willing to protect them.
No matter if you feel that HIPAA is irrelevant or a godsend, it has touched all our lives for better or worse; and we hope you will submit a manuscript on the topic to continue and further the discussion we have begun.
Joanne Kumekawa is Director of Kingston eHealth, a consultancy. She has served as Director of Policy for the Office for the Advancement of Telehealth at the United States Department of Health and Human Services, as senior advisor to the Assistant Secretary of Commerce for the National Telecommunications and Information Administration, and as a strategic planner at a special agency of the United Nations in Geneva, Switzerland. She received her BA in Economics from Yale University and an MBA in Finance from the Wharton School of Business, University of Pennsylvania.
References
American Nurses Association. (2001). Code of ethics for nurses with interpretive statements. Retrieved March 24, 2005 from http://www.nursingworld.org
Blackburn, M. (2004). HIPAA, heal thyself. Johns Hopkins Magazine, 56(5). Retrieved January 26, 2005 from www.jhu.edu/~jhumag/1104web/hipaa.html
Stein, R. (2003, August 18). Patient privacy rules bring wide confusion: New directives often misunderstood. Washington Post. Washington, DC. Retrieved April 30, 2005 from www.washingtonpost.com/ac2