Some of the effects of HIPAA, the nations sweeping new health-care privacy rules that took effect last week, are readily apparent at hospitals and doctors offices in the Inland Northwest.


Take the practice of signing in for a doctors appointment: It used to be that youd add your name to a list on the receptionists desk, but now, in an effort to protect patient privacy, its more common to fill out a slip of paper and hand it to the receptionist. Or, where a surgeon once might have come out into a waiting room to update family members on a loved ones health, the surgeon now would be more likely to take family members aside for the discussion.


Other effects of HIPAA, which officially is called the Health Insurance Portability and Accountability Act, have occurred behind the scenes at health-care organizations, and include extensive staff training and reworking computer systems to restrict access to patient information.


The goal of the 1996 legislation was to set for the first time a national standard for the protection of individuals health-care information in doctors offices, hospitals, pharmacies, and health-insurance offices. One part of HIPAA, which standardized electronic transactions within the health-care realm, took effect last year. Another, concerning the security of health-care information, is due to take effect in two years.


HIPAAs requirements are wide-ranging, but Inland Northwest hospitalswhich, by virtue of their size and patient volumes, stand to be impacted the most by the rulessay they havent had a tremendously difficult time meeting those requirements because they long have put a premium on patient privacy. Whats more, Washington state, unlike many other states, already had its own patient-privacy rules on the books before HIPAA took effect.


The biggest impact is just an increased awareness, Barbara Tuttle, HIPAA project manager at Sacred Heart Medical Center here, says of the legislations effects. It gave us an opportunity to revise and tighten up some of the procedures in place.


Janice Marich, spokeswoman for Empire Health Services, which operates Deaconess Medical Center and Valley Hospital & Medical Center here, sees things the same way. She says that getting ready for HIPAA meant tweaking and refining current practices rather than making wholesale changes to procedures.


More paperwork


Hospital representatives agree that the biggest change wrought by HIPAA has been the requirement that patients sign a statement saying theyve been made aware of their privacy rights. The multiple-page privacy documents, are supplied when patients check in at hospitals.


The privacy notices could prove to be fairly expensive over the long run due to printing costs, the cost to store the signed statements, and the labor involved in having hospital personnel provide and explain the statements to patients, says Amy Johnson, HIPAA project manager for Holy Family Hospital here as well as for affiliated hospitals in Deer Park, Chewelah, and Colville, Wash.


In general, patients can expect to receive more paperwork any time they go to the doctor or check into the hospital, says Kris Finch, spokeswoman for Pullman Memorial Hospital.


Another HIPAA issue is how hospitals and health-care providers are allowed to exchange patient information. HIPAA allows the exchange of information thats necessary to provide medical care, but they have to be documented, so a person will know where their (medical) record has been and whose hands its been in, Finch says.


Whats more, medical records only should be seen by those who have a need to see them.


Under HIPAA, therefore, a doctor can request by telephone information about a patient, but the hospital must take reasonable steps to ensure that the caller really is a doctor and has a need for the information, says Johnson, at Holy Family. That can mean asking the doctor for a telephone number and calling him or her back, or verifying the number in the telephone book, she says.


In another effort to ensure that health-care workers see medical records only on a need to know basis, hospitals have tightened the security of their computer systems so that only those who have specific job codes or passwords have access to patient records. When necessary, computer monitors have been repositioned so that someone standing behind a reception counter, for example, cant see a patient record at a nurses station. Where thats not possible, hospitals use screen overlays that make it hard for someone to see information on the monitor unless theyre directly in front of it.


Hospitals also must comply with strict rules about what information they can disclose to the public or the media about their patients.


Only someone who has a patients full name will be given information about a patient over the telephone, and that information will consist only of approved one-word descriptions of the patients condition, such as serious, critical, satisfactory, or deceased. A hospital spokesperson can disclose that someone was treated and released, or was stabilized and transferred, but cant say when the patient was released or where they were transferred.


Patients also have the right to decline inclusion in a hospitals directory of patients, meaning no information will be given out to callers or visitors.


Confusion still exists


Because the HIPAA rules are so new, some issues still are arising that must be addressed, hospitals say.


At Sacred Heart, for example, meetings were to take place last week to decide whether patients who elect not to be included in the hospitals directory still could receive flowers and cards during their hospital stay, Tuttle says.


You want to protect patients privacy and above all their medical records, but theres a lot of gray areas, she says.


Kootenai Medical Center, in Coeur dAlene, already has made its decision on the flower issue: Patients who arent listed in the directory wont receive them, says hospital spokeswoman Lisa Johnson. The answer to all inquiries about those patients always will be, We have no information on that patient, she says, although patients can change their mind about being listed in the directory during their hospital stay.


Tuttle says theres also been confusion among medical providers about exchanging information on patients.


Unfortunately, some people are not releasing information for treatment purposes and saying its a HIPAA issue, and its not a HIPAA issue, she says. HIPAA is clear that information needed to treat patients may be exchanged, she and others say.


Tuttle says that one patient, for example, came to Sacred Hearts emergency room after having been treated at a hospital in another town. Sacred Heart doctors requested the patients medical records from the other hospital, but were told the records couldnt be provided because of HIPAA rules, she says.


One of the supervisors here called one of the supervisors over there, and I know they finally got the information, but it did take a little bit of work, she says.


Marich, at Empire Health, says examination areas separated only by curtains present another potential problem for health-care professionals.


In an emergency department that uses curtained areas, for example, people might be able to overhear a doctors comments to and even treatment of a patient.


The penalties for intentionally violating HIPAA rules are severeup to $250,000 or 10 years in prison. Unintentional violations carry a penalty of up to $25,000, says Johnson, at Holy Family.


HIPAA, however, uses the word reasonable umpteen times, so a health-care provider who takes reasonable precautions to protect a patients privacy likely wouldnt be fined, she says.


Although the HIPAA privacy rules will take some time to get used to, hospitals and health-care workers are subject to new regulations all the time, so this is just part of peoples jobs, Tuttle says.


Moreover, says Finch, at Pullman Memorial Hospital, I expect there will be annual changes to HIPAA laws, which will require annual changes to forms and procedures and information. I think this is one stage of a process.