Steps to ensuring patient privacy:
What’s Different:
What to expect in the coming months:
HIPAA training sessions for directors, managers and supervisors
April 2003 is the deadline for hospitals and health-related organizations to have all systems in place to ensure increased privacy measures for patients and meet the higher standards of confidentiality imposed by the Health Insurance Portability and Accountability Act (HIPAA). The new law calls for health care providers, plans and clearinghouses, such as billing services, to ensure security of an individual’s health information and the systems that store, transmit and process that information.
“HIPAA affects us here at BWH widely and deeply,” said Debra Polansky, privacy project manager. “It is every clinician’s/ practitioner’s responsibility to protect all patient privacy and confidentiality at all times.”
Under HIPAA, health care providers may not use or disclose protected health information except with the consent or authorization of the patient or in other defined situations. The act calls upon institutions to make privacy notices available to patients, to enable patients to restrict access to and request amendments to their health information, as well as to enable them to review who has accessed their medical information over the past six years.
HIPAA imposes stiff penalties for breaches of the regulations, with criminal penalties of up to $250,000 and 10 years in prison, and civil penalties of $100 per person, per violation and up to $25,000 per violation.
While HIPAA regulations cover the standardization of transaction and code sets for claims and billing, privacy and security of computerized systems, the April deadline deals only with privacy. The deadline for transaction and codes sets for claims and billing has been extended to October 2003.
Multidisciplinary teams led by Health Information Services, Information Systems and Clinical Compliance have been working since 2001 to identify measures to ensure BWH meets these mandates.
Practices put in place by these groups include an annual confidentiality agreement, BICS warnings for patient lookups, a new auditing process with identifying information about staff who access health information, an enhanced corrective action policy for violations, and new staff orientation and training.
For more information about HIPAA, visit http://phsweb17.mgh.havard.edu/opbudget/hipaa/HIPAA.asp or contact Jackie Raymond, privacy officer, at ext. 2-6068; Debra Polansky at ext. 2-6676; or P. Pearl O’Rourke, MD, Research Management, at
617-724-2731. For more information on transaction and code sets, contact Catherine McGoldrick, IS Management and Planning, at 617-525-6282.