Research, Marketing and
Joanne Pollak, general counsel
When a first draft of the HIPAA privacy regulations was
released in December 2000, Joanne Pollak spent days absorbing
the provisions and subprovisions laid out in the three-inch-thick
document. What alarmed her most was that, as written, the
regulations would make it nearly impossible for Hopkins
and other academic medical centers to conduct clinical trials
or to ask for contributions.
At a standing-room-only meeting for researchers on HIPAA
in early February, Pollak, vice president and general counsel
and vice president for compliance for Johns Hopkins Medicine
and for The Johns Hopkins University and Health System,
said matter-of-factly, "Johns Hopkins was very active between
2000 and 2002 in seeking changes to eliminate the burdensome
aspects of HIPAA."
But, in fact, it was thanks to Pollak and others who took
the lead in presenting their case to the federal government
that changes were made in some of the major provisions of
Some important victories occurred in the area of research.
First, the government agreed to permit one privacy authorization
to cover all uses of patient information for research and
clinical trials and combine it with the informed consent
already in use for research after institutional review board
Also, it met research institutions halfway in their concerns
about demands to keep track of every disclosure of information
during the course of research. Health and Human Services
(HHS) said "if we get a signed authorization that states
whom this information might be disclosed to-in a multi-center
clinical trial, for example-we don't have to keep track
of every disclosure," Pollak explains. "That would
have been almost impossible to undertake."
Lastly, the agency revised the complex privacy criteria
which the IRB must apply when granting a waiver of authorization
for protocols where it is impractical for investigators
to obtain a subject's authorization.
Another victory occurred in marketing. Now medical centers
may contact patients about their own services without an
authorization. Hopkins, for example, can mail information
about a new low-vision product to a patient who has been
treated for a severe eye problem without having first obtained
the patient's permission.
But it was in fund-raising, "the area that will affect
us most," according to Pollak, that the Hopkins general
counsel was most dogged in her lobbying efforts.
As originally written, the regulations prevented medical
centers from contacting patients for donations for a disease
for which they'd been treated unless they had agreed to
this at the time of admission. Although demographic information
like name, age and address could be used to contact grateful
patients, the regulations did not allow specific information
such as clinical department or physician to be used without
obtaining a complex authorization. "It's the service
or the physician that patients are grateful to," Pollak
says. "This is how Hopkins raises almost all of its
funds to support important research."
The regulations concerning philanthropy still stand, but
the government has left some wiggle room. A physician now
can at least broach the subject of a gift with a patient
before asking for a written authorization to send that information
to development officers.
Still, the battle isn't over for Pollak. "HHS can't
amend these regulations for another year," she says,
"but we'll go back in and push hard for more changes."
Do treat all patient information
with the utmost concern for confidentiality and
privacy. Do tell your supervisor
if you see patient information that is unattended or a PC
with patient information on the screen. Do remove patient information
from trash bins and shred or dispose of patient information
in confidential bins. Do access only the information
required to perform your job. Do report any suspicious
activity to your supervisor. Do refer patient information
questions to employees in the appropriate department.
Don't open sealed, confidential
envelopes addressed to someone else. Don't throw patient information
in the trash. Don't tell friends or
relatives about patients in the hospital. Don't send patient information
in e-mails. Don't discuss patient
information in public areas, including elevators. Don't discuss patient
information on phones in public areas. Don't leave patient information
unattended in public areas during deliveries. Don't share patient information
with those who do not have a need to know. Don't
access health information of co-workers, family members
or celebrities. Don't sell patient information.
Beginning April 14, HIPAA creates new privacy rights for
patients. These include, among other things:
The right to receive a Notice of Privacy Practices
about how Hopkins will use and disclose* protected health
information (PHI). The notice sets forth HIPAA requirements,
state law requirements and Hopkins' specific policies.
The right to see their protected health information
and get a copy of their PHI.
The right to request that their PHI be changed if they
believe Hopkins has recorded it incorrectly.
Under certain circumstances, however, such as if Hopkins
did not create the PHI or if it finds the PHI is, indeed,
accurate and complete, Hopkins does not have to agree to
HIPAA also requires Hopkins to do things to protect patient
Make sure patients receive the Privacy Notice.
Make sure the workforce uses only the "minimum
necessary" PHI to get the job done.
Get special authorizations from patients for uses or
disclosures of PHI that involve research, fund-
raising or marketing.
Keep records of disclosures of PHI that are made to
public authorities, health authorities and others in connection
with some research activities-and give patients a list
of those disclosures when asked.
Have policies and procedures that include these responsibilities,
and train the workforce about them and enforce them. * Generally, "use" means the sharing of
PHI within the Hopkins family, and "disclosure"
is the sharing of PHI with any person or entity not within
the Hopkins family.