In This Issue:
Hospital Readies for Privacy Regulations
HIPAA: What’s Different
Yes, there is the remainder of the fall, all of winter and the onset of spring before the time is upon us. However, there remains work to be done as the hospital prepares for the full implementation of the Health Insurance Portability and Accountability Act (HIPAA).
April is the cut-off date for hospitals and other health-related organizations to have all systems in place to ensure increased privacy measures for patients and meet the higher standards of confidentiality imposed by the Congressional mandate. The new law calls for health care providers, plans and clearinghouses, such as billing services, to ensure security of an individual’s health information and the systems that store, transmit and process that information.
“Patient privacy is the responsibility of every single individual working at the hospital,” said Karen Nelson, executive director, Clinical Compliance and Risk Management.
“Numerous committees are identifying the systems we need in place, but we need employees to be vigilant in enforcing the systems. Some of the simplest measures include not sharing computer access keys and making sure screen savers are on when someone leaves their computer.”
Under HIPAA, health care providers may not use or disclose protected health information except with the consent or authorization of the patient or in other defined situations. The act calls upon institutions to provide written notice of privacy to patients, to enable patients to restrict access to and request amendments to the information, as well as to enable them to review who has accessed their medical information.
HIPAA imposes stiff penalties for breaches of the regulations, with criminal penalties of up to $250,000 and 10 years in prison, and civil penalties of $100 per person, per violation and up to $25,000 per violation.
While HIPAA regulations cover the standardization of transaction code sets for claims and billing, privacy, and the security of computerized systems, the April deadline deals only with privacy.
Since early 2001, multidisciplinary teams led by Health Information Services, Information Systems and Clinical Compliance have been identifying measures to ensure BWH meets these mandates.
Practices put in place by these groups include an annual confidentiality agreement, BICS warnings for patient lookups, a new auditing process with identifying information about staff who access health information, an enhanced corrective action policy for violations, and new staff orientation and training.
Watch for information on mandatory training and testing for all hospital staff, which must be accomplished by April 14. The HIPAA team has designed training in various formats, such as formal presentation, computer-based training, and train-the-trainer programs.
For more information about HIPAA, visit http://aspe.hhs.gov/admnsip/ or contact Jackie Raymond, privacy officer, at ext. 2-6068; Debra Polansky, privacy project manager, at ext. 2-6676; or P. Pearl O’Rourke, MD, director, Human Research Affairs, at 617-724-2731.