Patients' privacy evolving to meet new law

When Beth Jennings was taken to Southeast Missouri Hospital to be checked out after a minor car accident recently, she was introduced to a strange-sounding word.

HIPAA.

"They told me it was a privacy form," said Jennings, a 51-year-old Cape Girardeau resident. "I signed it. I didn't know much about it. I just knew I didn't want people to find out my personal medical business."

That's partially the point of HIPAA -- the Health Insurance Portability and Accountability Act. The sweeping federal law that went into effect April 14 was conceived to set standards for the health care industry's electronic communications.

But it also protects personal health information by restricting access to medical records and other health information. Nearly a month after HIPAA's effective date, those affected still are trying to sort out the specifics of what they can and can't do under the law.

For health-care providers, it means new administrative mandates, restrictions and penalties for failure to comply. For family, members of the clergy and volunteer organizations, it means limits to what had been considered public information.

HIPAA requires a patient's consent before his medical information can be released. There's good reason for health-care providers to comply: Consumers who believe their privacy has been breached can file a complaint with the U.S. Department of Health and Human Services and pursue civil and criminal penalties of up to $250,000 and as much as 10 years in jail.

The new law has caused hospitals, pharmacies, doctors offices, clinics and other groups to analyze not only how they interact with patients, but how easy it is for other patients to see personal information.

Access concerns

Many laud the law, but it also has raised numerous concerns about access to patient information -- whether it involves a car wreck, a tragedy like Sept. 11 or even disasters such as last week's tornadoes.

"People are not going to be able to get identification and conditions like before," said Jean Maneke, an attorney who represents the Missouri Press Association. "News stories aren't going to have those facts like they used to."

But the law could hurt the public, too, she said.

Maneke said that if Sept. 11 happened today, family members would not have access to information from hospitals, because many of the victims were taken to hospitals unconscious. Under HIPAA, hospitals could release information without patients' consent only to emergency aid groups such as the American Red Cross, she said.

There has also been some concern throughout the state by law enforcement officials, who are worried that the law is being interpreted too narrowly. In some cases, Maneke said, police are being refused information in investigations, such as in the case of a suspected drunken driver who is taken to a hospital or a driver in an accident who may have caused another person's injury.

"There are some drawbacks," she said. "Everybody's still trying to figure out how to work out all of these problems."

That includes health-care providers, who are now required to make sure computer screens, health charts or other information can't be seen by casual observers.

"I have had to ask people to move," said Kelley Pipkin, a registered pharmacist at Thriftway Drug in Jackson. "We're a little local pharmacy, and people used to sometimes gather around the register. But because someone might see something, that's had to change."

Pipkin said she also can no longer give information to family members just because she knows them.

"We had a lady in the nursing home, and her daughter called and wanted to know what a certain medication was for, but without consent, I couldn't tell her," Pipkin said. "Before, if I knew the daughter, I probably would have done it."

Dr. Robb Hicks, an emergency medicine and general practice physician at Immediate Health Care, said it's clear the new law is going through a trial-and-error process. Doctors check the U.S. Department of Health and Human Services' Web site weekly since HIPAA information is continuing to be updated there, Hicks said.

Joining the directory

Hospital patients will notice several changes during registration, said Jerry Sill, senior vice president and general counsel for the Missouri Hospital Association. They will be given a lengthy document, explaining what the organization does with the patient's health information, he said.

They will be asked to sign a form acknowledging receipt of these practices and be given the opportunity to object to certain uses of their information.

"If the patient doesn't want the information released, even if Aunt Sally calls, the hospital is bound by that request," Sill said. "But frankly, overall, I don't think patients will see a big change."

Sill said hospitals have been asked to design their own policies, which leaves interpretation mainly up to individual hospitals.

Brenda Hanle is the privacy officer at St. Francis Medical Center. She said the Cape Girardeau hospital has always maintained a watchful eye on patient records and will continue to do so under the new law.

Patients will be asked whether they want to be part of a hospital directory, Hanle said. That document is internal and only used by the staff and physicians and will allow the staff to tell -- for example -- that patient's minister that he or she is a patient.

If the patient chooses not to be a part of that directory, then even clergy won't be told if one of their regular churchgoers is in the hospital.

Even so, Sam Ramdial, pastor of the First General Baptist Church of Cape Girardeau, said both hospitals have been very cooperative.

"I have had no trouble," he said. "They're being careful and I respect that. There have been patients who, I've heard later on, were in the hospital and nobody knew. That's their right."

Family members are a different situation, Hanle said. At St. Francis, a patient must list, verbally or in writing, which family members can be given information. A patient may only want a spouse or children to know.

Hanle said the hospital won't even confirm a patient is at the hospital for a caller whose name is not documented. A caller who is on the list may even be asked questions to make certain they are who they say they are, such as a maiden name or a birth date.

"We were cautious before, but now we have to confirm," Hanle said.

At St. Francis, flowers will make it to patients regardless of whether the sender is on the list. If the intended recipient is not at the hospital, the flowers will be sent back, Hanle said.

Southeast Missouri Hospital has chosen similar policies. Patients will be asked whether or not they want to be part of a directory, and that will be used to determine whether some information -- such as condition and room number -- will be released.

Patients will sign documents saying whether they want their information released. If he hasn't, no information will be given out. That document is good for six years, said Jerry Sanders, the hospital's assistant administrator and privacy officer.

Sharon Stinson, director of patient services at Southeast Missouri Hospital, said most of the problems will come from family members who call wanting information over the phone.

"It's not going to be as easy," she said. "A lot of family members are going to be bothered by not getting information as easily as they could have before."

At Southeast, a list of approved family members will not be collected, though patients can provide a family member a code word to get information.

Unlike St. Francis, Southeast also said that if the patient asked to be "no pub" -- for non-published -- flowers will not be sent to the patient's room.

Stricter than HIPAA

Although HIPAA does allow for some media access to patient information, both Cape Girardeau hospitals have taken a more restrictive stance.

HIPAA allows reporters to get information if the patient agrees to be in the hospital directory -- but the reporter has to know the name of the patient when calling. Then, under HIPAA, hospitals can only give one word descriptions like "good," "fair," or "poor."

But Southeast and St. Francis jointly have agreed not to release any information to the media. Hanle said that is because in most cases when the media is interested -- bad car wrecks or patients involved in disasters -- the injured are usually not conscious to decide.

"Then we have to act in the best interest of the patient," she said. "That is to assume they want their information kept private."

According to a letter sent out from both hospitals to media outlets, the only exception the hospitals are making is in the case of a disaster. Then they would follow the HIPAA guidelines.

Doctors office visits will also be a bit different. Hicks with Immediate Health Care said the intent of the law is good, even though it has created a burden on most health-care providers.

"Like anything in life, most people were trying and successfully doing the right thing before HIPAA," he said last week. "But there are a few that haven't really been guarding the information as much as they need to."

At Immediate Health Care, charts now are turned around against doors or laid upside down on counters, Hicks said. Computer screens will have to be blocked out or go immediately to screen savers so people can't see information.

Workers also may ask patients to step back a few feet in the check-out line, he said. Originally, they thought they were going to have to assign numbers to patients in the waiting room. But now they've learned they don't have to do that, Hicks said.

But they've still included a warning to patients in their privacy statement that they will be calling them by name in the waiting room.

Hicks initially thought the laws were going overboard.

"But since we've been working on this and talking with people about it, I've heard people say things like 'Well, I didn't want my neighbor to know I was in the hospital,' or something like that," he said. "It seems like there have been enough patient concerns to warrant something like HIPAA."

smoyers@semissourian.com

335-6611, extension 137