You may have heard the story that claims there were
more than 30 breaches of patient confidentiality within the first 30 minutes of
Christopher Reeve's admission to a Virginia hospital in 1995 after falling from a
horse and being paralyzed. Whether truth or pure urban legend, such breaches won't be
happening anymore if HIPAA's new Privacy Rule does its job.
April 14th is the deadline for the HIPAA Privacy Rule, which establishes that healthcare
providers, health plans and healthcare clearinghouses conducting healthcare transactions
electronically must implement standards to protect and guard against the misuse of
individually identifiable health information. (Smaller practices have another year to gain
compliance. Some providers also have applied for extensions until Oct. 16th to get their
electronic systems in order.)
The protections include provisions to put in place administrative, technical and
physical safeguards to protect patient information against uses and disclosures not
permitted by the Privacy Rule and limit incidental uses or disclosures. Thus, safety nets
need to be in place to ensure patient information is viewed by essential eyes only,
information is released only to proper entities, and that all personnel are trained on
privacy policies. Healthcare facilities also must get business associates to sign new
contracts agreeing to hold information in confidence.
The Privacy Rule should not change the practices and procedures of responsible
healthcare providers greatly, but instead bring about a greater awareness of privacy of
patient information. It is kind of like when a neighbor's house is burglarized:
you have renewed awareness to lock your doors.
For more expert advice on HIPAA's Privacy Rule, please turn to page IM-32 and read
up on what Pam Waymack, founder and managing director of Phoenix Services Managed Care
Consulting Ltd., recommends to meet the privacy standards.
Waymack recommends that if your equipment and IT vendors don't have something for
you to test in April or if it doesn't work by April, start looking for a new vendor;
a vendor that is already there.
Even for facilities with strong security technology leadership and strong privacy
practices, the leap is large, Waymack says. The changes required on the people practice
side are generally the biggest challenges. Providers also have to document them now.
And the good news? There are some excellent toolkits available through a variety of
organizations that are less than $1,000; some of them are free through professional
associations.
Waymack predicts that we'll see a widespread change over the next 5 years. Those
that will come out on top are vendors supporting electronic transactions and providers
that take this opportunity to redesign their operations to optimize their electronic
transactions.
Beneath all the details, these new rules are aimed at helping both superheroes and the
average Clark Kent as well. (For more information, visit: http://www.hhs.gov/ocr/hipaa or http://www.hhs.gov/news/press/2002pres/20020809.html.)

Mary C. Tierney, Editor
mtierney@mwc.com