Patience required on new privacy rules - Hospitals, doctors deal with flood of new regulations

Patience required on new privacy rules - Hospitals, doctors deal with flood of new regulations

Missoula, MT - 3/24/03 - Hospitals, doctors deal with flood of new regulations

By mid-April, customers at prescription drug counters who ask questions about their pills may be surprised when their pharmacists ask them to step into private booths before they answer.

At doctors' offices, the staff won't ask in front of the waiting room why a patient is visiting.

Checking into the hospital will require reading another, new form at least two pages long and signing it at the bottom.

Calling a hospital to ask about a neighbor may or may not get an answer. First, the caller must know the neighbor is there and ask about him or her by full name. Then, the neighbor may have asked that the hospital not reveal that he's there. The hospital must honor that request at the door and the switchboard.

The tighter lips and more cautious practices are the result of new federal privacy laws that go into effect April 14. They're called the Health Information Portability and Accountability Act Standards for Privacy of Individually Identifiable Health Information. For short, they are called HIPAA Privacy Standards or the Privacy Rule.

The Privacy Standards are just a tiny part of the 1996 HIPAA legislation, but they will profoundly affect the way medicine does business.

"HIPAA is probably the biggest change in health care since the beginning of Medicare," said Craig Eddy, vice president for medical and legal services at St. Patrick Hospital and Health Sciences Center in Missoula. "It reaches into the private reaches of medical practice."

"This is the first time," he said, "the federal government has reached into medical offices and told them how to practice."

The main intent of HIPAA is to protect health insurance coverage for workers and their families when they change jobs or lose jobs. That's the Title I part.

The second part, Title II, dictates national standards for electronic transactions involving health care and new rules for protecting the privacy of health data about individual patients. That's the Administrative Simplification part.

It's administrative, but it has hardly been simple - or cheap - to start up.

"It affects everybody - doctors' offices, hospitals, pharmacies, dentists," said Janet Whitmoyer of the Montana Medical Association. "We've been trying to support the physicians as best as we can."

"Everybody is aware of the need to protect people's privacy and medical records," said Whitmoyer, who is the MMA's coding and reimbursement coordinator. "But this has been so much information, coming out in such a short time, it's been stressful. ... I think there's probably a lot of people out there who are overwhelmed."

It's hard to find anybody who disputes the need for medical privacy and for strict controls about what gets released about patients. The Wall Street Journal on Wednesday told of a Virginia resident and school board member who was hospitalized for 10 days after a suicide attempt for severe depression two years ago. Someone leaked his hospital admission form, the Journal said, to three local newspapers with notes attached, "Is this the kind of school-board member our community needs?"

Incidents like that illustrate the need for privacy that is acutely felt in this electronic age.

"You can say what you want to about it," said Missoula pharmacist Jeannine O'Connor. "But it's valid."

"Do I think it's needed? Yeah, I do," she said. "Do you want people to know you take Prozac? Maybe you don't."

Montanans have had a head start. The state's Uniform Health Care Information Act was among the first in the nation governing the release and sharing of health information when it was passed in 1987. Some of its rules are stricter than the HIPAA Privacy Rules.

"On the plus side, Montana was further ahead than other states," said Lou Corts, director of medical records and quality management at St. Patrick Hospital. "Way ahead."

Many of the day-to-day practices will not be new, said Barry Kenfield, executive vice president of Community Medical Center.

"It's put in place probably what everyone was already doing," he said. "Most health care providers would say it's a reasonable way to address it. It's just about what we've been doing all along."

The big new piece is the electronic one. It is full of immense change, including new forms to submit claims to federal programs and health insurers. Kenfield, who is Community's designated privacy officer, began task force meetings two years ago in an effort also led by Corinne Meyer of medical records, who's the designated privacy coordinator. They spent $6,000 on computer software that identifies the gaps in a hospital's compliance with HIPAA Privacy Rules.

Then they set to work on the small, everyday practices of privacy - for instance, shortening the time an unattended computer screen stays lit and turning screens away from where passersby might see them.

"We have spent a lot of time," he said.

At St. Pat's, HIPAA Privacy Rules dictated some of the design of the new outpatient Broadway Building. Visitors to the medical records department in the basement can't pass through a door in the counter, behind which are the computers. There's a private room for patients who need to talk about their records, and the doors have keypad locks for after-hours. Computer screens are turned away from the door, as they are throughout the hospital. Up in the operating room entrance, the white schedule board no longer has patient names on it. And X-ray viewing areas are not visible from hallways where other patients or visitors might see them.

At night, all areas with patient records are locked up, and someone of authority takes a walk through the whole house.

In addition to new software for forms, all computers had to be taken to a higher level of security. New seven-character double passwords have to be synchronized, never written down and changed every 90 days.

St. Pat's, one of the state's largest hospitals, had advantage in its size and numbers but is still not large enough to have a single employee dedicated to HIPAA Privacy Rules, said Corts.

"We have very sophisticated computers, where the smaller organization doesn't," she said. "In many ways, we're ahead."

Many of the calls Janet Whitmoyer has had at the Montana Medical Association have been from small physician practices in rural Montana. Sometimes they're shocked that they're included by HIPAA Privacy Rules. Some have asked Whitmoyer to send information - by mail, because they don't have e-mail, the Internet or, in some cases, a computer.

That exempts them, because they don't transmit health information electronically. But beginning in October, all practices with more than 10 employees must submit claims electronically to Medicare. No more paper claims. Some practices will start from zero.

"There are a fair number of those," Whitmoyer said. "More than you would think."

Many smaller practices moving toward the April 14 effective date have had trouble finding enough time in the day for the endeavor.

"What I'm finding is the small clinics and the solo physicians don't have the time to devote to this," Whitmoyer said. "They're looking at pieces of it, and it's overwhelming to them."

The MMA has been part of a coalition of groups that has worked on supporting materials, written policies, interpretations of the rules and other time- and labor-savers that are available through a Web site, www.HIPAAMontana.com. Everybody is welcome to use the generic templates, Whitmoyer said.

St. Pat's wrote its own Notice of Privacy statement for incoming patients and worked hard to reduce it to two sides of one piece of paper, said Cheryl Dorsman, the hospital's director of corporate compliance. It's hard to say how much time it will add to an admission.

"For some patients, it'll take two minutes," she said. "For some, I can imagine it taking a whole hour."

Staffs in medical offices, hospitals and pharmacies are aware, too, of a cultural change. While two physicians overheard discussing a patient for purposes of care could be excused as an incidental exposure according to the law, office or hospital employees gossiping in an elevator may not be.

"We're just going to start self-policing," said pharmacist O'Connor, who manages Eastgate Drug. "We are trying to never use a patient's name in connection with a drug. And it's a really valid thing."

The pharmacy is also installing dividers at the counter so customers can't look over each other's shoulders. And most pharmacies have already dispensed with the signature clipboard where a customer signed at the bottom of a list of previous customers.

At doctors' and other providers' offices, the staffs may still use sign-in sheets, but they can't ask for the reason for the patients' visits.

Being perceived as anti-privacy is a bit like being seen as anti-Mom-and-apple-pie, said Eddy of St. Pat's. But it must be said, he said, that HIPPA is an "unfunded mandate."

"Should patients have the right to privacy? Absolutely," he said. "But the HIPAA law has had some unforeseen consequences. ... Nobody looked at it globally to see how people were really affected."

St. Pat's has spent at least $100,000 so far getting ready for HIPAA compliance, and the costs will go to $250,000 easily, Eddy said.

The federal Department of Health and Human Services has estimated costs of $3.5 billion to $4 billion to implement the rules nationally, and the American Hospital Association estimates $43 billion. One's probably high, and one's probably low, Eddy said.

"Probably the actual cost to society will be $20 or $25 billion," he said. "But if you put that in perspective, that would be enough to provide a Medicare prescription drug benefit or to pay for all the care of children who are uninsured."

Blue Cross Blue Shield of Montana already has spent $1.268 million in 2002 toward HIPAA compliance and expects to spend $1.591 million this year, said Tanya Ask, assistant vice president for government and public relations.

"It's not an inexpensive thing to do," she said in an interview from her Helena office.

Blue Cross has the contract for administering Medicare, parts A and B, in Montana. Medicare's push for electronic billing has meant that Blue Cross staff has helped with its implementation around the state. Much of the help was needed by small practices of three and four people in small towns, Ask said.

"We were not only giving away hardware and software but also going out and training," she said.

Will the costs be passed on to the health insurance customer? Absolutely, Ask said.

"It's additional protection," she said, "but additional protection comes at a price."

At hospitals, the costs, like the costs of care that go unpaid, will be passed on to the paying customers. Absolutely, said Eddy.

"Privacy is important. Privacy has to be protected. You could say we're in favor of HIPAA," Eddy said. "But the way it's been done, at the federal level, is a way that will cost the American public more than it could have."

Reporter Ginny Merriam can be reached at 523-5251 or at gmerriam@missoulian.com.

In accordance with Title 17 U.S.C. Section 107, any copyrighted work in this message is distributed under fair use without profit or payment for non-profit research and educational purposes only. [Ref. http://www.law.cornell.edu/uscode/17/107.shtml]