You don’t want just anyone looking at how much money is in your bank account, and most people feel just as protective about their medical records. We like to think medical information is revealed on a need-to-know basis – just between us and our anointed care givers.

But medical records privacy is a crazy quilt – a swatch of institutional policy here, a square of an accepted guideline someplace else, and every so often, an alarming hole where information can escape. Concern about these holes led lawmakers to amend the 1996 Health Insurance Portability and Accountability Act – HIPAA – with privacy mandates that proponents hope will turn the medical records crazy quilt into a cozy electric blanket surrounding our most personal data.

Senior Editor Wayne Forrest examines how HIPAA is shaking up the software marketplace in “Goodbye, Y2K. Hello, HIPAA,” beginning on page IM-46 of this month’s special section: Information Management.

The U.S. Department of Health and Human Services (HHS) proposed regulations based on HIPAA last fall. The proposed rules prohibit healthcare organizations from releasing identifiable patient medical records – records relating to a person’s health, medical treatments or payments for care – without the patient’s consent for any purpose other than medical treatment, payment or legitimate healthcare operations, such as quality assurance and utilization review. The document covers all electronic data, including e-mail and remote service diagnostics.

These new privacy rules, expected to be fully enforceable by May 2002, establish that patients have a right to view and correct their own medical records. They require healthcare enterprises to implement programs that protect these rights. But HHS does not say what sort of entries should and should not be corrected, nor does it say who will make these decisions.

Consequent changes in the day-to-day operation of an imaging department will include frequent computer password changes and possibly James Bond-like fingerprint or retinal scans. At the very least, healthcare organizations must take a hard look at existing policies and ask, “How do we authenticate? How do we assign authorization? How do we manage disclosure of patient information to proper sources?”

Some experts estimate HIPAA compliance could cost healthcare organizations $8.5 billion, rivaling the cost to squash the Y2K bug. On the other hand, the Health Care Finance Administration predicts the industry will save $1.5 billion during the first five years of HIPAA implementation thanks to switching from paper claims to uniform electronic submissions for payment.

Speaking of controlling costs, Medical Imaging embarks this month on a project in cooperation with the asset management services company MedAssets.com. During the month of April the two of us are sponsoring a free Internet forum, “How Much Should It Cost to Run My Radiology Department?” It is a virtual panel discussion where two dozen radiology equipment and service professionals share their insights on controlling the cost of capital assets and equipment maintenance. Point your Web browser to www.medassets.com/forum, or follow the link at www.healthtechnet.com. Once there, you can submit questions to the forum’s participants and compare your hospital with other hospitals in your area and around the country.

See you there!

Mary C. Tierney, Editor