Researchers listen up
as Joanne Pollak, general counsel, outlines HIPAA directives.
Below, Pollak; below right, Carol Richardson, privacy officer,
slogs through HIPAA's reams.
On April 14, millions of Americans will no doubt visit their doctors
seeking relief for any number of ailments: miserable pollen allergies,
a painful torn rotator cuff, back pain brought on by overzealous gardening.
They will need to sign the usual consent and insurance forms. And for
the first time, they will need to review a detailed document about their
privacy rights, one now required by federal law.
Until recently, patient privacy was largely a matter of trust. Historically,
patient information belonged to health care providers and insurers.
In fact, patients didn't even gain the right to view their own medical
records until some states began passing laws in the late 1970s and early
Now there's been a 180-degree turn with a federal law called the Health
Insurance Portability and Accountability Act (HIPAA) which puts control
of medical information squarely into patients' hands. The sweeping new
regulations govern everything from how to store medical charts (facing
the wall, please) to the proper way to dispose of patient information
(shredding). When the policies take effect in mid-April, they will represent
a sea change in how institutions like Hopkins operate.
"There's no question that a patient's right to privacy is important,"
says Joanne Pollak, vice president and general counsel and vice president
for compliance for Johns Hopkins Medicine and for The Johns Hopkins
University and Health System. "There's also no question we'll have
to follow the HIPAA rules on privacy. These rules will cause an administrative
burden, but HIPAA is not something we can choose to ignore."
The original purpose of HIPAA, which Congress passed in 1996, was to
ensure that employees could carry their health care coverage with them
from one employer to another (hence, the "portability"). "HIPAA
was an insurance law," says Pollak. "There was only one small
section in a very long statute that addressed privacy."
When Congress failed to issue detailed privacy rules by its self-imposed
deadline in August 1999, the job fell to the Department of Health and
Human Services. The first version, published late in 2000, left the
health care industry afraid that the regulations would disrupt routine
operations and research, and impose unreasonable, costly burdens on
doctors, hospitals, pharmacists and other providers. The medical community,
including Hopkins, spent the next two years working with the federal
government to make the rules less onerous.
"We lost some battles and we won others," says Pollak. "But
for the first time, I can sit here and tell you what the regulations
Leading off the changes is the privacy notice that informs patients
of their rights and that all patients now will be required to review.
At Hopkins, where some half-million patients are seen each year, the
document is four single-spaced pages long and takes a fairly
well-educated person at least 10 minutes to read.
In addition, HIPAA will result in many changes for health care workers
at all Hopkins entities, and not just the usual suspects, says Carol
Richardson, HIPAA administrative coordinator and privacy officer for
Hopkins. In addition to doctors, nurses and billing personnel, anyone
who comes into contact with patient information, even incidentally,
needs to be taught about HIPAA. Although some training will be face
to face, the majority will be done online. "The point is, everybody
needs to be trained, and we're talking maybe 12,000 people," says
"If our employees are fixing an electrical outlet and see patient
information on a doctor's desk, or they see a report in the trash that
shouldn't be there, we need to make them aware of what to do,"
In an instance like this, employees should ask themselves, Do I need
to know this information? "Need to know" is one of two guiding
principles of HIPAA. Nurses, for instance, need to know the health information
about patients on their own unit, but not the facts about patients on
another. Security guards can know the name and location, but not the
diagnosis and treatment plan, of people they are paid to protect.
The second guiding principle is the "minimum necessary" concept.
"In the simplest sense," says Richardson, "people should
only use the patient data they need for a particular purpose."
A billing coordinator, for example, needs access to information about
the patient's current visit, not the entire patient history, to be able
to submit a claim for reimbursement. A physician planning a teaching
lesson does not need to identify a patient by name, date of admission
or any other data to conduct the lesson. The concept does not apply
to treatment situations, however, meaning that physicians and other
providers should have full access to patient information for treatment
"The intent [of HIPAA] is to raise patients' awareness," says
Richardson. "We are putting patients on notice: this is how we
can or cannot use your data. Patients should know that Hopkins always
has been concerned about privacy. This is a chance to enhance our privacy
policies, not just to create another document."