Researchers listen up as Joanne Pollak, general counsel, outlines HIPAA directives. Below, Pollak; below right, Carol Richardson, privacy officer, slogs through HIPAA's reams.

On April 14, millions of Americans will no doubt visit their doctors seeking relief for any number of ailments: miserable pollen allergies, a painful torn rotator cuff, back pain brought on by overzealous gardening. They will need to sign the usual consent and insurance forms. And for the first time, they will need to review a detailed document about their privacy rights, one now required by federal law.

Until recently, patient privacy was largely a matter of trust. Historically, patient information belonged to health care providers and insurers. In fact, patients didn't even gain the right to view their own medical records until some states began passing laws in the late 1970s and early 1980s.

Now there's been a 180-degree turn with a federal law called the Health Insurance Portability and Accountability Act (HIPAA) which puts control of medical information squarely into patients' hands. The sweeping new regulations govern everything from how to store medical charts (facing the wall, please) to the proper way to dispose of patient information (shredding). When the policies take affect in mid-April, they will represent a sea change in how institutions like Hopkins operate.

"There's no question that a patient's right to privacy is important," says Joanne Pollak, vice president and general counsel and vice president for compliance for Johns Hopkins Medicine and for The Johns Hopkins University and Health System. "There's also no question we'll have to follow the HIPAA rules on privacy. These rules will cause an administrative burden, but HIPAA is not something we can choose to ignore."
The original purpose of HIPAA, which Congress passed in 1996, was to ensure that employees could carry their health care coverage with them from one employer to another (hence, the "portability"). "HIPAA was an insurance law," says Pollak. "There was only one small section in a very long statute that addressed privacy."

When Congress failed to issue detailed privacy rules by its self-imposed deadline in August 1999, the job fell to the Department of Health and Human Services. The first version, published late in 2000, left the health care industry afraid that the regulations would disrupt routine operations and research, and impose unreasonable, costly burdens on doctors, hospitals, pharmacists and other providers. The medical community, including Hopkins, spent the next two years working with the federal government to make the rules less onerous.

"We lost some battles and we won others," says Pollak. "But for the first time, I can sit here and tell you what the regulations will be."

Leading off the changes is the privacy notice that informs patients of their rights and that all patients now will be required to review. At Hopkins, where some half-million patients are seen each year, the document is four, single-spaced pages long, and takes a fairly well educated person at least 10 minutes to read.

In addition, HIPAA will result in many changes for health care workers at all Hopkins entities, and not just the usual suspects, says Carol Richardson, HIPAA administrative coordinator and privacy officer for Hopkins. In addition to doctors, nurses and billing personnel, anyone who comes into contact with patient information, even incidentally, needs to be taught about HIPAA. Although some training will be face to face, the majority will be done online. "The point is, everybody needs to be trained, and we're talking maybe 12,000 people," says Richardson.

"If our employees are fixing an electrical outlet and see patient information on a doctor's desk, or they see a report in the trash that shouldn't be there, we need to make them aware of what to do," she continues.

In an instance like this, employees should ask themselves, Do I need to know this information? "Need to know" is one of two guiding principles of HIPAA. Nurses, for instance, need to know the health information about patients on their own unit, but not the facts about patients on another. Security guards can know the name and location-but not the diagnosis and treatment plan-of people they are paid to protect.

The second guiding principle is the "minimum necessary" concept. "In the simplest sense," says Richardson, "people should only use the patient data they need for a particular purpose." A billing coordinator, for example, needs access to information about the patient's current visit, not the entire patient history, to be able to submit a claim for reimbursement. A physician planning a teaching lesson does not need to identify a patient by name, date of admission or any other data to conduct the lesson. The concept does not apply to treatment situations, however, meaning that physicians and other providers should have full access to patient information for treatment purposes.

"The intent [of HIPAA] is to raise patients' awareness," says Richardson. "We are putting patients on notice: this is how we can or cannot use your data. Patients should know that Hopkins always has been concerned about privacy. This is a chance to enhance our privacy policies, not just to create another document."