HIPAA and Oral Communications
By Hannah Fiske, Editor
The following article appeared in the July issue of the magazine
For The Record:
Everyone is talking about compliance. Privacy and security
of medical information is THE hot topic in health care at
the moment. But just because you have installed the latest
security devices to protect your electronic and paper-based
medical records systems, does not mean it is time to relax,
for there is another issue waiting for attention. In fact,
many in the health care industry may find their attention
captured by a little-discussed aspect of the Health Insurance
Portability and Accountability Act (HIPAA): oral communications.
The "Standards for Privacy of Individually Identifiable
Health Information" (also known as "The Privacy
Rule") implements the privacy requirements of the
Administrative Simplification subtitle of HIPAA. Currently,
the rule states that the same protections afforded to
paper and electronically-based information must also apply
to verbal communication (or any other form). What, exactly,
does this mean for health care providers? Loosely translated,
it means that all patient information and communication,
including verbal, is protected under HIPAA. "If oral
communications were not covered, any health information
could be disclosed to any person, so long as the disclosure
was spoken," according to guidelines published by
the U.S. Department of Health and Human Services. (1)
When physicians discuss diagnoses with patients in their
hospital rooms, when two providers talk about a case at
a nurses' station, or when a patient needs an interpreter,
all of the information that is shared falls under HIPAA's
umbrella and should be treated with the same care as if
it were in writing.
It seems somehow easier, though, to limit access to paper
records and encrypt electronic information than to determine
whether or not oral communication meets compliance requirements.
"There is not a lot of information out there about
oral communication," admits David M. Sykes, PhD,
vice president of CSM/Acentech, a Cambridge, Mass.-based
provider of "best-practices" based HIPAA compliance
systems. "The regulations are clearly there, clearly
required," he says. "There doesn't seem to be
any question about it, yet this remains an area of great
ignorance within the industry." This ignorance, he
adds, can result in outrageous spending. "Institutions
that have addressed the issue of oral communications tend
to spend more money than they need to," he says.
"This is not their intention, but the problem has
not been fully defined yet, so many just don't know the
best way to address it."
The difficulty of establishing and maintaining privacy
of oral communications is exacerbated by the fact that
medical personnel need to be able to speak freely amongst
themselves as well as with patients. "This is a very
touchy area, because clinicians need to share this information
for the care of the individual," says Susan A. Miller,
JD, co-chair of Workgroup for Electronic Data Interchange
(WEDI) Strategic National Implementation Process (SNIP)
security and privacy work group and corporate regulatory
and compliance manager for IDX Systems Corp, in Boston,
Mass. "This aspect of the regulations will present
more of a challenge, because the systems we have in place
already work, in that respect. Most people are not going
to want to change them." Because dealing with the
issues surrounding paper and electronic information was,
in many ways, less complex, Miller believes many health
care administrators have found it all too easy to put
off considering which measures to take to ensure the privacy
of oral communications. "Sooner or later," she
warns, "they are going to have to grapple with it."
MISCONCEPTIONS ABOUT ORAL COMMUNICATIONS
The basic lack of information about HIPAA requirements
affecting oral communications has resulted in several
misconceptions that appear to hold fast throughout the
industry, according to Sykes. In surveys conducted early
this year, researchers found many health care opinion
leaders believe oral privacy is basically subjective rather
than objective, he says. They also expressed the belief
that oral communication cannot be measured or monitored
objectively. "If you go to compliance officers and
ask how they are going to handle oral privacy, they often
respond that they plan to tell people 'to speak softly,'"
Sykes continues. "But they often don't realize that
privacy can be easily measured and monitored with instruments."
The third misconception, Sykes explains, is that there
are no standards or best practices for oral communications.
"People tend to assume there are best practices for
other areas, but not for oral privacy." A broad set
of standards and best practices does exist, he continues,
in many government agencies and elsewhere in the world
of business, which have simply not yet filtered into the
healthcare industry. "Many people also believe that
oral communication issues will be too expensive to fix,"
Sykes says. In fact, there are several technological approaches
to this problem that are actually far less expensive than
administrators dare hope.
Misconception number five, Sykes says, is that the only
way to deal with oral privacy issues is to retrain the
entire staff, tell them to speak quietly, and then put
fliers in the elevators. "That is untrue and entirely
ineffective," he continues. "To take all your
doctors off line and retrain them is not only expensive
but absurd because it won't work. Physicians must be able
to do what they need, and an institution can't expect
its doctors to maintain privacy by buttoning up their
lips." The sixth and final misconception is that
there are loopholes in the latest rule that basically
mean it is not necessary to do anything about protecting
the privacy of oral communications.
DEFINING THE ISSUES
Perhaps the best way to begin to address oral communications
in any forum is to define the term and determine which
communications fall under HIPAA's protection. "Oral
communication is subject to everything in the privacy
rule unless it provides an exception," explains Gwen
Hughes, RHIA, professional practice manager for AHIMA.
However, she adds, the rule does contain some specific
references to various types of oral communication, including
hospital directories, disclosure to family members and
the media, and incidental disclosure.
Directory information, according to Hughes, is any information
made available to the public, including family, friends,
and clergy members who are visiting patients
or inquiring about their conditions. "Providers can
disclose information about a patient's location and condition
if they have that patient's consent," she says. Additionally,
health care providers can disclose protected health information
to family members, relatives, or anyone identified by
the individual as far as it is relevant to that person's
care or payment of the bill. "If a patient is discharged
and needs to pick up a prescription on the way home, or
has some medical instructions, it may be appropriate for
a clinician to talk about that with a family member,"
she explains. "It might not be appropriate, though,
for them to discuss bathing instructions or other personal
issues with a friend who is not taking care of the patient."
It is also important, according to Hughes, that clinicians
receive patient consent before talking with that patient
about medical information while another person is present.
This consent could come in the form of a signed document,
oral agreement, or, when necessary, the clinician can infer
from the circumstances that this is what the patient wishes,
Hughes explains. For example, if a physician sees a Spanish-speaking
patient whose husband speaks both Spanish and English,
he or she will need to discern if the patient consents
to having the spouse interpret the conversation. "This
could be the first thing the clinician asks when speaking
through the interpreter," she says. "Asking
if it is all right to talk about a condition through the
interpreter is especially important when there are no
written consent forms, such as with some less common foreign
languages."
In the case of an emergency, she adds, HIPAA states that
a provider can notify family members of a patient's location
and status if the patient is unable to provide consent
or has consistently provided consent in the past. "It
has to be consistent with prior expressed interest,"
she explains, "and in the patient's best interest.
As soon as the patient is able to communicate, however,
he or she must be given the opportunity to object."
Additionally, health care providers who need to discuss
a case for treatment purposes are allowed to disclose
information to each other, Hughes continues. "They
can share information with members of the health care team,
but should use the 'minimum necessary' standard as an
overall umbrella," she says. "It is critical
to use good judgment and reasonable safeguards all the
time." As long as the information disclosed is appropriate
and relevant, she explains, health care team members can
safely talk to other providers to relate patient information.
Although the standard for providers does not specify "minimum
necessary," it is important, for many reasons, to
adhere to this as an overall guideline, Hughes advises.
"If a physician is giving another provider information
necessary to treat a patient, and someone else overhears
a snippet of the conversation, they won't get in trouble,"
she adds. "However, they need to use reasonable safeguards
and good judgment. They need to be discreet if having
a conversation in the cafeteria or the elevator. That
is just the right thing to do, the ethical thing, and
what they have always strived for."
TECHNICAL SOLUTIONS
In addition to discretion, there are several technical
solutions health care providers may implement to maintain
and monitor privacy of oral communications, according
to Sykes and Miller. "There are a lot of technologies
available to assist people with the administrative aspects
of the security regulation, but few are truly aware of
the technologies that can assist them with privacy,"
Miller says. "There are a number of them, though - a
rather elegant set of inexpensive solutions for oral communication."
The assumption that these solutions are inevitably expensive
is incorrect, Sykes adds. "It need not be expensive
and, in fact, there are some 'quick fixes' readily available
on the market that are well past the developmental phases
and in regular use." These fixes, or, as Sykes refers
to them, the "tool kit," can be easily acquired
and installed to solve many problems with very little
effort.
For example, Sykes explains that corporations frequently
install the least expensive ceiling tiles possible. Each
ceiling tile has a rating, he continues, which indicates
the noise reduction coefficient (NRC). "You can buy
a ceiling tile that absorbs a little, some, or a lot of
sound," he says. "So, one thing that providers
can do to increase privacy is simply to install a better
ceiling tile." With ceiling tiles selling for approximately
one dollar to ten dollars each, this solution offers peace
of mind without taking a huge bite out of the budget.
"Also, wall and cubicle panels have the same NRC
and STC ratings system to indicate how much sound they
absorb, and are also not expensive," Sykes explains.
Additionally, most hospitals use cotton curtains to separate
patient beds because they are washable. There is another,
heavier type available, Sykes says, known as a high TL-rated
curtain which has a high STC rating. "TL stands for
transmission loss, so, in other words, sound doesn't go
through it. Using high TL curtains between patients in
a recovery room privatizes the doctor-patient relationship."
These easy-to-implement methods of increasing privacy
have been on the market for years and are readily available,
he notes. They are also rated according to recognized
standards and involve no staff training, which, in a busy
hospital, is a major advantage.
Perhaps the most effective method of ensuring privacy
is known as masking or sound conditioning, according to
Sykes. First developed by government agencies, including
the Department of Defense and the GSA, where confidentiality
is potentially a deadly serious issue, masking technology
has been on the market in a number of forms for at least
30 years, he says. Sykes notes that sound-absorptive ceiling
and wall panels are passive technologies, while masking
is actually electronically active.
A masking device, he explains, creates a low-level background
sound that is tuned to match the voice spectrum. "Because
the human voice falls within a certain spectrum that is
, it is possible to create a background sound that is
unobtrusive, a little bit like air conditioning noise,"
he says. This background noise, which many people may
not even be aware of, blocks the intelligibility of speech.
"You can actually pass people who are talking or be standing
a few feet away, see them talking but not understand what
they say." Depending on the size of a facility, a
standard masking system could cost as much as $15,000
when installed by a professional, he adds. "On the
other end of the scale, however, are technologies based
on microchips, which are miniaturized versions of the
same technology, which can be purchased for anywhere from
$79 to $150." A few such devices, he says, would
be enough for the average nurses' station.
It is important to note that while many believe oral communications
cannot be monitored, there are technologies available
on the market that do just that, according to Sykes.
"There are instruments that can take measurements
on a regular basis to provide monitoring," he explains.
"That would provide an institution with a record
of compliance over time, which from a legal point of view
would be useful." These instruments, about the size
of laptop computers, read the level of privacy in a specific
area for 15 seconds at regular intervals, and can also
be used during gap analyses. "You can take before
and after readings at locations around the hospital to
assess the situation before you put in technologies to
mitigate the problem and then take measurements afterwards,"
Sykes explains. The devices, he adds, offer standardized,
numbered ratings based on a scale of confidential privacy
called AI.
HIPAA continues to evolve, and at the same time, the April
2003 deadline for compliance with federal privacy regulations
is drawing ever nearer, threatening to catch many in the
healthcare industry unprepared. "We have never done
anything like this to ensure security and privacy in the
health care environment before, so I believe we are in
for a period of adjustment," Miller says. "Part
of what we have to deal with is the physician's need to
share information with other clinicians for treatment.
The solutions that are available right now offer wonderful
support, so that communication can continue without lessening
the care patients receive."
(1) Available at the U.S. Department of Health and Human
Services Office of Civil Rights Web site: http://www.hhs.gov/ocr/hipaa/
Susan A. Miller, JD
Senior Co-chair of WEDI SNIP security and privacy work group
Email: tmsam@aol.com
David M. Sykes, PhD
Vice President of CSM/Acentech
david.sykes@remington-group.com and www.acentech.com/ssHIPAA.htm
Gwen Hughes, RHIA
Professional practice manager for AHIMA
Gwen.Hughes@ahima.org