HIPAA Quiz: What is "Oral Privacy"?
By David M. Sykes and Susan A. Miller, JD
The following article appeared in the September issue of Advance
Magazine:
Most healthcare professionals have barely noticed
this part of HIPAA. But you'd better learn fast: the deadline
is still April 2003.
Can you answer these seven questions correctly?
- "Oral privacy" is required by HIPAA (yes or no?)
- "Oral privacy" is (a) subjective, or (b) objective?
- "Oral privacy" conditions can be measured & monitored with electronic instruments (yes or no?)
- "Oral privacy" is a legal "term of art" defined by existing technical standards from three recognized standards agencies: ISO, ASTM and ANSI (yes or no?)
- "Oral privacy" conditions can be fixed quickly and inexpensively using off-the-shelf products (yes or no?)
- "Oral privacy" can be ignored because of loopholes like "incidental disclosure" (yes or no?)
- The deadline for compliance is April 2003 (yes or no?)
If you guessed more than one correctly, congratulations, you're
a well-informed healthcare professional.
[Here are the correct answers: 1. yes; 2. objective; 3.
yes; 4. yes; 5. yes; 6. no; 7. yes]
Guess what: it didn't go away…
Of course you haven't had a lot of help from Washington.
DHHS hasn't said anything about "Oral Privacy"
since the first "Guidance" appeared in July 2001.
And that document left people hoping the matter would dry
up and blow away.
But it didn't. And we're sitting here with the Federal Register
in our laps, the one released August 14 with the Privacy
Modification Final Rule in it. And "Oral privacy"
is still there. Guess what: It's completely unchanged from
the last NPRM in March. Plus the deadline for compliance
is still April 2003. So now what do you do?
For starters, although "oral privacy" has been
overlooked by just about everyone in healthcare, it's actually
one of the easiest and quickest requirements to handle.
It won't cost you an arm and a leg either. That is, if you
take time to understand it. So whatever you do, don't throw
money at the problem until you've read this article and
circulated it to the rest of your HIPAA compliance team.
Because a little understanding will save you money and time.
What about "loopholes"?
Some people think HIPAA is riddled with loopholes so you
can safely ignore oral privacy. For example, the Privacy
Rule says "incidental communications" are acceptable
as long as you've taken "reasonable safeguards"
to prevent them. But consider the term "reasonable
safeguards" carefully; after all, that's what judges
and juries will do. When DHHS uses this term, they mean
four things. First, they expect solutions to be based on
accepted standards. Second, they expect solutions that are
based on "best practices." Third, they expect
to see solutions that can be objectively measured and monitored.
Fourth, they expect you to comply without building walls
or installing other expensive "fixes." In other
words, they think this can be dealt with straightforwardly
and they're right.
Sixty privacy lawsuits and counting…
President Bush didn't publish HIPAA privacy until April
2001 and it isn't official until April 2003. But State courts
around the USA have been treating HIPAA as the "standard
of care" since Congress passed the law in 1996. The
website www.healthprivacy.org lists over sixty healthcare
privacy lawsuits which have already been heard by judges
across the country, many resulting in severe penalties and
the loss of reputation. Here are just a few to illustrate
the human drama that underlies the healthcare privacy issue:
• Example A: California Drug Store Chain
In 1998, Longs Drugs settled a lawsuit filed by an HIV-positive
man. After a pharmacist inappropriately disclosed the man's
condition to his ex-wife, the woman was able to use the
information in a custody suit. The man chose to settle to
avoid a court trial and further publicity. ["Longs
Drugs Settles HIV Suit," San Diego Union Tribune, 9/10/98,
p. A3]
• Example B: Washington, DC hospital
The jury ordered this hospital to pay a $25,000 fine for
failing to keep a patient's medical records confidential.
Coworkers learned of the victim's HIV status after an employee
at Washington Hospital Center revealed information in his
medical record. ["Man Wins Suit Over Disclosure of
HIV Status," The Washington Post, 12/30/99, p. B4]
• Example C: Wisconsin EMT
In 2002, a Wisconsin jury ordered an EMT and her employer
to pay a fine as a result of an invasion of privacy of an
overdose patient. The EMT told the patient's coworker about
the overdose, and the coworker then told others at West Allis
Memorial Hospital, where both the coworker and the overdose
patient were nurses. The EMT claimed she called the coworker out
of concern for the patient. But the jury decided that, regardless
of her intentions, the EMT had no right to disclose confidential
medical information. ["Jurors Decide Patient Privacy
Was Invaded," Milwaukee Journal Sentinel, 5/9/02]
Answers aplenty
First of all, know this: "oral privacy" is what
lawyers call a "term of art." That is, it has
a technical definition memorialized in well-known published
standards (actually a suite of them) from three recognized
standards agencies: ISO, ASTM and ANSI. These standards
define a scale of measurement (called "AI") as
well as three different levels of privacy that can be measured
and monitored with readily available electronic instruments.
The three levels are "Confidential privacy," "Normal
privacy" and "Minimal privacy."
With three to choose from and no guidance from Washington
on which is the "right" one, you can simply decide
for yourself what level you want to adopt for your organization's
HIPAA compliance program. But don't ignore these standards.
They have been around a long time and are widely used. In
fact the first one was adopted in 1969 and was most recently
reaffirmed in 1997. So if you're looking for "best
practices" to consider, this is an excellent place
to begin.
Take a "tool kit" approach
Not only are there standards and abundant best practices
to use as a basis for compliance, there are also off-the-shelf
solutions you can quickly install between now and April
2003.
In fact, your solutions "tool kit" will only have four
"tools" in it:
- NRC-rated ceiling tiles;
- STC-rated HTL curtains;
- NRC-rated portable panels; and the most effective solution of them all,
- "white noise generators" (also known as "sound masking") that have been tested to meet the privacy standards.
Some of this stuff you can even get at Home Depot or from retail
websites. To see what we mean, search Google using the keywords
"sound masking" or "white noise."
Of course before you begin installing solutions, you should
probably set a "benchmark" by doing some testing.
Check your yellow pages under "Acoustics" for
a consulting engineer who can come in, take the necessary
instrument readings, tell you where you have situations
that need to be "fixed," and describe how to go
about fixing them inexpensively. The same person can probably
also be encouraged to come back on a regular basis to monitor
your compliance program and keep a record of it for you.
The bottom line
Oral privacy should not be swept under the rug. In fact,
once you realize how straightforward it is to understand
and how cheap it is to fix, you'll probably feel like relaxing
a bit. Because as you well know there are much more challenging
parts of HIPAA awaiting you that your organization will
be wrestling with for years to come.
About the authors:
David M. Sykes is vice president of CSM/Acentech (formerly
BBN Acoustics) in Cambridge, MA. Susan A. Miller is Senior
Co-chair of WEDI/SNIPS Privacy Workgroup and a partner at
The Kearney Group in Concord, MA.
For information see: www.acentech.com/ssHIPAA.htm;
or email the authors at david.sykes@remington-group.com
and Susan A. Miller at tmsam@aol.com.
Both are based in the Boston, MA area.