On point
How many of us have received unsolicited mail or phone calls from companies and then wondered


Very private matters



by Anne Adams


Information is accumulated about people every day by health care organizations and is sometimes then used in unexpected ways. For example, a few weeks after a visit to her doctor, an Orlando woman received a letter from a drug company promoting a treatment for her high cholesterol. In another case, a Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store.

An increasing concern among patients, health care organizations, and government is that health information is being used for things other than medical treatment. Patients worry that their health information may be inappropriately provided to insurance companies or employers and that they will be denied services or employment opportunities. Also, while technology makes patient health information only a click of a mouse away, easy access from the Internet and remote sites puts more responsibility on health care providers and others to ensure appropriate safeguards are in place to restrict access to confidential medical information.

A recent Georgia court case found that patient medical information maintained by medical providers is certainly a matter that a reasonable person would consider as private. Information in a medical record reflects the physical state of a person's body and cannot be put on exhibition at any time or at any place without the person's consent.

Civil right



The new privacy office, headed by Anne Adams, is part of Emory Healthcare's Office of Compliance Programs. Adams is also chief compliance officer for Emory Healthcare and the Emory Medical Care Foundation.

Although states already have laws addressing patient confidentiality issues, until 1996 there were no national standards for the use, disclosure, and protection of patient medical information. To address these concerns, the federal government promulgated privacy rules under the Health Insurance Portability and Accountability Act (HIPAA). The "Standards for Privacy of Individually Identifiable Health Information" provide the first comprehensive federal protection for health information and set requirements on how patient information is to be used, disclosed, and protected.

The deadline for complying with those standards is April 14, 2003. However, if state laws are more stringent than the federal rule, we must meet state requirements. Emory Healthcare is now comparing federal and Georgia law to determine which one we must comply with.

The federal privacy rule has three goals:

  • Protect and enhance consumers' rights
  • Improve the quality of health care by restoring the trust in health care systems among consumers, health care professionals, and the many organizations and individuals committed to delivery of care
  • Improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection.

The privacy rule gives patients more control over their health information and sets boundaries on the use and release of protected health information. Patients can find out how their health information may be used or disclosed. Use of patient health information is limited to the minimum necessary for the purpose for which it is going to be used. For example, we should not disclose an entire medical record unless the specific circumstances justify the disclosure. Patients also have the right to examine, obtain a copy of, and request amendments to their medical record.

Privacy of health information has risen to the level of a civil right with regulations at the federal level overseen and enforced by the Office of Civil Rights. OCR will investigate complaints and conduct compliance reviews. It can seek civil monetary penalties and criminal prosecution when patient health information is knowingly disclosed or obtained for commercial or personal gain or for malicious harm.

Emory's charge


Emory Healthcare currently allows patients to access their health information and request appropriate changes, but we are reviewing our policies and procedures to ensure they meet privacy rule requirements.

In essence, the rule mandates a privacy compliance program with a privacy office and officer to adopt and implement clear privacy policies and take disciplinary action for violations of those policies.

We must also inform patients about their privacy rights and how their health information will be used. We must ensure that physicians and staff understand how they can use and disclose patient health information, and we are training employees how to respond when patients ask questions about the use of their health information.

Five multidisciplinary teams, overseen by a privacy task force, are modifying current procedures or developing new ones that will help us comply with the privacy rule. For example, one team is revising patient consent and authorization forms and developing a tracking mechanism to ensure that we collect the appropriate consent and authorizations so we can continue to provide treatment to our patients.

Emory Healthcare must also ensure that our current and future business associates comply with the privacy rule when they conduct business on behalf of Emory Healthcare and have access to patient health information. We are reviewing current contracts to determine if amendments are necessary to comply with the privacy rule. We already require business associates to sign confidentiality statements but also want to make sure that they are educating their employees on the privacy rule requirements.

Who pays?

It has always been Emory Healthcare's policy to maintain patient confidentiality.

Although there is debate about the cost of implementation and ongoing efforts to comply with the privacy rule requirements, there is no doubt among health care providers that the cost of compliance will take money away from direct patient care. This is an unfunded government mandate that comes at a time of continued decreases in reimbursement for health care services.

While we recognize that our patients need to understand how we might use their health information, the new rules will burden both providers and patients. As the rule is currently written, we will have to provide patients more than seven pages of information on our privacy practices. A large cost will be in the forms patients are required to sign and the time for the patient to read the form and for employees to answer patients' questions. Patients are already required to sign multiple documents and the added forms are likely to frustrate our patients and delay care while not really enhancing the protection of patient information. Even Health and Human Services (HHS) Secretary Tommy Thompson has said, "When we flood doctors and hospital with excessive paperwork, patients suffer the consequences."

Tracking and storing acquired forms and information may require implementing new software and, at the very least, modifying current systems. We must not only track the consent by the patient for treatment and payment, but also revocation of consent.

Much of the costs for Emory Healthcare will be incurred in complying with the consumer uses requirements, which allow patients to amend their information, opt out of the marketing and fundraising list, and request a list of who has accessed their health information. Emory Healthcare will have to maintain databases to track this information. To assure compliance with the new rules, we must develop monitoring and review processes to detect and correct noncompliance.

Balance privacy, efficient care


The government says that the privacy regulations are designed to be flexible to accommodate all types of providers. Although the OCR has stated that it wants to collaborate with providers on compliance, I am concerned that enforcement of the regulations will not accommodate the individual needs of the provider. It is possible that OCR will resort to the aggressive enforcement efforts seen in recent years to "stamp out" fraud and abuse in the health care industry.

There is an old saying that the two people you should never lie to or withhold information from are your doctor and your lawyer. Both make decisions based on what their patients or clients tell them. If patients believe their privacy will not be protected, they are less likely to participate fully in their health care treatment.

Our patients need reassurance that their most personal information will be kept confidential. I think, however, that we can strike a more reasonable balance between protecting the privacy of the information and our use of the information than is in the current rule.


Recently, HHS proposed changes that would remove barriers that delay medical care and simplify the patient authorization processes for research. Under the modifications, patients would not have to sign a consent form for treatment, payment, and health care operations, but would instead be asked to sign an acknowledgment that they have received the "Notice of Privacy Practices." The emphasis has shifted to letting patients know how their information will be used. These and other changes were published in the March 27 Federal Register, and the public was given 30 days to comment before HHS makes a final decision.

Additional government guidance on interpretation and compliance with the privacy rule may provide some relief for us. However, the entire health care industry needs to continue to explore the best way to balance effective and efficient delivery of care with protection of patient privacy.

Emory Healthcare will meet the spring 2003 deadline. In the meantime, as health care providers, we must reassure our patients that their medical information is secure. Technology may help protect patient information, but it is up to physicians and staff to assure that this information is kept confidential and not used inappropriately.

 


Copyright © Emory University, 2002. All Rights Reserved.
Web version by Jaime Henriquez.