HIPAA confidential: Achieving compliance, dispelling myths
■ Some confidentiality rules are obvious. All try to balance privacy with access.
By Joel B. Finkelstein — Posted Jan. 5, 2004
John Que heard the whispered voices as he walked down the long, dark hall past cloistered chambers.
The secrets being shared behind these closed doors were anyone's guess. Maybe there was a young child being diagnosed with a staph infection, an elderly woman complaining of arthritis, a college student seeking antidepressants.
John didn't know. And he didn't care. He was there for another reason -- to unlock his own secrets from the closed grip of an anxious physician's office administrator.
John was determined this time not to go away empty-handed. No longer could he be denied his own health information. His access was a government-given right, clearly laid out in the slew of privacy practice notices that slipped through his mail slot after April 14, when the rule went into effect.
As mandated by the Health Insurance Portability and Accountability Act, John's doctor had to give him this information, and John knew it. But that still didn't necessarily mean getting it would be easy.
Overly cautious physicians, office managers and hospital administrators made news soon after the HIPAA privacy rule went into effect. Driven by myths and misinformed salesmen pushing their HIPAA-compliance wares, many doctors became worried about handing out protected health information to anyone -- even its rightful owner.
The fictitious John Q scenario illustrates just one way in which physicians have had difficulty navigating the new landscape. And although the initial implementation of the rules has not been as bad as some experts were predicting, the time has been marked by much confusion, reaching well beyond patient access to other HIPAA-related concerns.
"The most troublesome thing that I have seen is that people, particularly doctors in small practices, are expecting they have to do a lot of things they don't have to do," said health information policy consultant William R. Braithwaite, MD, also known as "Dr. HIPAA" for his role in drafting the law. "They're being misled by a whole variety of sources of information. I don't know exactly where they get all this stuff."
Some misconceptions seem to come from physicians taking advice too literally. For example, although the rule itself lays down very few specific edicts, some stakeholders interpreted the requirement to secure patient records to mean that offices had to be outfitted with locking cabinets.
"The rule doesn't say anything about that. It just says you have to protect [the files] in some way," Dr. Braithwaite said. That may just mean putting files in a locked room or some place under the watchful eyes of staff.
There were also initial media reports of physicians thinking they were not allowed to send medical records to other physicians, even though the rule makes it clear that such transfers are OK.
Physicians are not the only ones perplexed by the rule. Patient misunderstanding is reflected in complaints filed with the government over perceived privacy breaches.
"Most of the complaints we've received go more to misunderstandings of the rule than they do to violations," said Janlori Goldman, director of the Washington, D.C.-based Health Privacy Project. Her group has monitored some of the grievances received by the government through a Web-based form that facilitates the complaint-filing process.
Probably a third of complaints are not actual violations of the rule, said Kevin D. Lyles, a health care partner in Columbus, Ohio, with the law firm Jones Day.
Alleged violations that don't pan out to be infractions have included patients grumbling about not having enough privacy in hospital rooms or questioning why they were not asked to formally consent to treatment.
But this mode of HIPAA hysteria seems to be tapering off, experts said.
"I'm encouraged that much of the overinterpretation and confusion has died down since those first few months," Goldman said.
"HIPAA police" don't come knocking
Initial fears about overzealous federal enforcement efforts have passed, too. The Dept. of Health and Human Services Office for Civil Rights, the federal entity responsible for overseeing the privacy rule, has taken a flexible and understanding approach to physicians' compliance efforts.
Rather than using limited resources to track down noncompliant physicians, the OCR is taking a two-pronged approach involving public education and response to formal complaints. At last count, the office had logged just shy of 3,000 complaints, 36% of which were closed with little difficulty. No penalties or fines have been imposed.
Among common allegations were those regarding impermissible uses or disclosure of protected health information; lack of adequate safeguards, such as files left in waiting rooms or other public areas; and failure to provide individuals access to their own records. Complaints also have involved violations of "minimum necessary" provisions that require physicians to share only as much information as is appropriate for the purpose at hand, and notice violations, such as failure to provide complete information about office practices.
"Private providers, hospitals and pharmacies are the three top groups that we are receiving allegations against," said OCR's director, Richard Campanelli. "That's not a surprise because they're the folks who often have the greatest routine face-to-face contact with individuals."
According to Campanelli, when contacted, physicians have been cooperative, and most complaints have been resolved with little more than a phone call.
"People are starting to understand [the rule]," he said. "That's really been our goal."
Finding the right balance
As misconceptions are cleared away, advocates for the rule hope that its benefits will increasingly be realized by physicians and patients.
"There are really two goals here with the privacy rule," Campanelli said. "One is to protect the privacy of health information. The other is to make sure that access to quality health care is not unduly impeded. As the rule settles in, I think we'll be able to see, I think we are seeing, in many cases, that the balance was correctly struck."
The privacy rules were not meant to create another mountain of paperwork for physicians, the privacy project's Goldman said. They were intended to reassure patients that when they go for a doctor's visit their information is not going to be shared with employers or drugmakers or sold for marketing.
The notices of privacy practices are supposed to communicate that message, but it often seems to get lost in the shuffle.
"Those notices are really important, and most of them are written poorly," she said. "They're not really written for your average patient to read and understand.
"They don't talk about new rights under the law -- that's buried somewhere. They're written by lawyers who are trying to protect their clients, and they're not written with the public in mind."
It doesn't have to be that way. The privacy rule gives physicians a lot of flexibility in how the notices are drafted, including using a cover page to highlight the elements with the most patient relevance. The OCR also has put up sample notices on its Web site that physicians can copy or use as models.
For most patients, the No. 1 concern is preventing an employer from finding out about their medical condition or treatment they're getting, Goldman said.
Whether it's HIV, cancer or mental illness, people are worried how that information will affect their jobs.
"The law now absolutely prohibits health plans and hospitals and others from giving health information to employers," she said. "I mean that should be right at the top of these notices."
At the same time, physicians are being asked to strike another balance.
On one side, they are hearing that they need to take legal precautions against complaints or worse, civil lawsuits. On the other, they are being told that the rule should not interfere with the practice of medicine.
In a small survey, 35% of doctors thought holding a privacy training session and handing out notices of privacy practices was enough, said Arnold Rosenbaum, MD, a surgeon and founder of Seacrest DocSecurity Inc., a Middletown, R.I.-based firm developed to certify doctors' HIPAA compliance for liability insurance.
"As soon as there is a million-dollar lawsuit out there, then [physicians will] wake up to the real risks and the features they have to comply with," he said.
Concern about potential civil suits is a major reason some experts are advising physicians to make sure that their compliance efforts lean more toward overreaction than underreaction.
While the law does not give individuals the ability to sue based on the rule, nothing prevents plaintiffs from using the rule as a standard of practice against which a breach of privacy can be measured, said health care attorney Lyles.
"The government has created standards which are stratified [across the spectrum from small institutions to large]," Dr. Rosenbaum said. "However, the liability issue crosses those boundaries. You can still be sued, regardless of the size of your facility. And that's where the real danger lies."
Common sense is the key
"There's lots of easy solutions to [problems posed by the rule] if people would only think reasonably," Dr. Braithwaite said. "After all, the word 'reasonable' was used 365 times in the final rule, and they meant it."
Consider the following approaches: While the privacy rule allows the use of patient sign-in sheets, many offices no longer have patients write down their doctor's name. That way, people won't know whether a patient is there to see an oncologist or other telltale specialist. Offices also can adopt practices to avoid confusion or complaints by requiring written requests before disclosing health information to family members, public health officials or law enforcement.
Making sure procedures are in place and that office staff are aware of them is an important part of that, Lyles said. Physicians can expect to make mistakes, but corrective actions, such as implementing new procedures, will help avoid future problems.
Ultimately, true implementation will come, more and more, as the privacy standards become a part of office routines, Goldman said. "Privacy is getting built into the practice of health care."