Medical privacy is a balancing act. The protection of an individual’s health information has to be constantly weighed against its disclosure for treatment purposes. The Health Insurance Portability and Accountability Act (HIPAA) privacy standards that came into effect in April seek to more clearly define this relationship. However, the rules have generated confusion, not understanding, among health care providers. To eliminate this confusion, on July 6, the Department of Health and Human Services (HHS) released its first HIPAA privacy guidance document, clarifying some of the vagueness of the privacy rules and showing that, though the rules will impact the way all medical providers-including radiologists-will deliver health care from now on, they are not as onerous or restrictive as they seemed to be at first glance.

The HIPAA privacy rules, which are designed to give patients the right to control their health information, are also designed to help providers by setting understandable boundaries and a benchmark to protect patient privacy. The health providers or covered entities that must adhere to the privacy standard include health plans, health care clearinghouses, and any health care provider who transmits health information electronically. As part of their compliance, providers have to obtain from patients a signed consent form, which details the patient’s rights and how their information will be used, in order to disclose medical information. If a patient refuses to sign the consent form, the health provider can refuse to treat the patient. Only one consent may be needed for an integrated entity. However, the disclosure consent form is not a catch-all. A separate consent for treatment must also be obtained by the provider.

In all cases, if state law provides stronger privacy protection, those are the guidelines providers must adhere to.

Adopt Formal Privacy Procedures

As part of the privacy compliance, the covered entity must also formulate and adopt privacy procedures, train their staff about these procedures, have a secure way to maintain and store records, and designate-or hire-a staff member as the practice’s privacy officer. Most covered entities will have until April 14, 2003, to comply with the standard. “There’s no reason to wait on these actions,” says Helene Guilfoy, principal, Phoenix Health Systems Inc, Montgomery Village, Md. “These simply make good business sense today.”

For many radiology and other medical groups, the implementation of privacy safeguards has been more involved than just formulating policies and appointing a privacy officer. One of the areas of greatest confusion has been the issue of communication of health information during treatment. The guidelines make a clear distinction between use and disclosure. Use of a record covers its viewing by any authorized personnel within an organization. Disclosure covers the release of information to those outside the organization. Disclosed information must be tracked by the organization. “You need to track only the disclosures, those releases of information done outside of your organization,” says Guilfoy. “So, if you are using the information only within your organization, there is no reason or no need to audit at the read level.”

However, the rules acknowledge that medical personnel may have to discuss an individual’s health information in a public area, such as a nurse’s station or an emergency department. Personnel are not prohibited from discussing a patient’s condition over the telephone with either the patient, another provider, or the patient’s family members. Diagnostic results-including radiology studies and laboratory results-may be discussed with the patient or another provider in a joint treatment area. “The major thing you need to remember here is to make sure that your policies and procedures are in line with the access that is being given,” says Guilfoy. “You must identify the persons or classes that need access. You must state the categories of protected health information that they need. You must state the conditions appropriate to such access-in other words, can they get it anywhere they are-and if the entire medical record is necessary, such as for clinicians, the policy must state this and must include a justification.”

The rules also allow providers to consult colleagues on treatment options without getting consent from the patient. However, consent for disclosure of information is needed if the consultant becomes directly involved in the patient’s treatment.

Coast is Clear

The privacy rules do not prohibit the hanging of radiology films and charts in plain sight, but do require that steps be taken to limit their access to the general public. Beyond limiting access to information-including securing records-there are no requirements that treatment rooms and areas be changed in any way, such as soundproofing them.

The privacy requirements have the most limitations on electronic communications. Though there is no need to encrypt telephonic communication, information transmitted via the Internet must be encrypted. The HIPAA rules do not outline the specific means by which providers must protect personal information on the Internet. For instance, the HIPAA guidelines say that a fire wall must be used to ensure security, but do not outline the specifics of the technology that should be used. The Center for Medicaid and State Operations, however, has provided guidelines for encryption, authentication, and identification. The three permitted encryption specifications or their equivalents are triple DES, which is defined as 112-bit equivalent for symmetric encryption, 1,024-bit algorithms for asymmetric encryption, or 160-bit elliptical curve forms of encryption.

Authentication-which must be established at the beginning of a session-can be one of four varieties: locally managed digital certificates, use of third-party certificate authorities, self-authentication, or smart cards. For identification, passwords or smart cards could be used to establish a connection.

The HIPAA privacy rules are still taking their first, faltering steps, and Guilfoy expects that the first HHS guidance document will not be the last. What is clear is that? health care providers will have to be as conscious of the security of their patients’ health information as they are in formulating treatment strategies.

Chris Wolski is a contributing writer for Decisions in Axis Imaging News.