Privacy rules and compromising patient care

Q: With HIPAA implementation
in full swing, we find it to be more of a hassle than predicted by our most pessimistic staff. We get complaints from physicians because of the confusion about when information may be transmitted without a specific release. What can we do to improve lab services without compromising patient care?

A: Laboratories throughout the country are suffering from HIPAA jolts, partly because implementation began under one set of rules and finished under another. Confusion remains, especially among patients and physician-office staff, about what can and cannot be communicated and under what circumstances.

One of the most common complaints from medical office staff is their inability to get timely reports of laboratory tests by phone or fax because of the insistence by laboratory personnel that a specific written release be provided. In August 2002, the initial rule, which would have required such release, was modified to permit disclosure for treatment of the patient, submission of bills for payment and for healthcare operations.

Thus, protected information disclosed from one healthcare provider (the lab) may be communicated to another healthcare entity (the physician) for purposes of treatment without the submission of an individual signed, specific release. It remains only to have some mechanism for ensuring that the requesting individual is, in fact, a treating healthcare provider.

It is important to remember that HIPAA provides a federal floor for privacy and release requirements. Some states, for example, prohibit release of lab test results to anyone other than the ordering physician, unless he has indicated that release is permissible. Others require specific confidentiality and release requirements for particularly sensitive information, such as HIV testing or psychiatric-related information. Despite an enthusiasm to meet HIPAA requirements, such relevant super-confidentiality provisions must not be overlooked.

Labs are often required to release information for operational purposes, such as QA/QI, case management, accreditation and licensing. As long as the hospital has a relationship with the patient, such release is also now protected under HIPAA and does not require additional specific permission, as long as the patient has been notified and has assented through the privacy policy. Labs often have an indirect relationship with patients, and if so need not get their written acknowledgement of receipt but must have the privacy policies and disclosure receipts available.

Many institutions have gone overboard in producing notices of privacy policies, releases, consents and all the other HIPAA-associated paperwork, out of fear of being found noncompliant. The rule does not require that each patient be given a slick, three-color brochure of privacy policies. The rule does, however, require that the patient be given the opportunity to review privacy policies, have information about where the policies can be obtained, if desired, and be able to obtain those policies on request.

Some institutions post privacy practices in reception, treatment and admissions areas; others have produced one-page summaries. Compare policies with other institutions or departments to determine what process is working well, and avoid expensive overkill, especially when the reality is that few patients take the time to read the new policies. Evaluate how you are reaching deaf patients (many of whom also have poor reading skills), and those patients with either limited vision or comprehension (for whom a written notice is inadequate to communicate the information).

Now that HIPAA is the law of the land, take stock on how it affects daily operations. Ensure that you are aware of the policies implementing HIPAA in your institution and make sure that your staff members especially those who interface with physicians in an information-sharing capacity are cognizant of the full latitude they may exercise in releasing information. Under HIPAA, the risk is no longer that information will be improperly communicated, but that vital information will be delayed because of a misunderstanding of the requirements surrounding release and consent, even under the new rules.

Barbara Harty-Golder is a pathologist-attorney in Sarasota, FL. She directs the clinical laboratory at Health South Rehabilitation Hospital in Sarasota, and maintains a law practice with a special interest in medical law. She writes and lectures extensively on healthcare law, risk management, and human resources management.

June 2003: Vol. 35, No. 6

© 2003 Nelson Publishing, Inc. All rights reserved.