October 8, 2001

Preparations are well under way at the Health Center for a new federal law designed to protect patients' private health information.

The new law, the Health Insurance Portability and Accountability Act of 1996, sets several new standards for health care providers that will:

• give patients more control over their health records;

• set boundaries on the use and release of health records;

• require health care providers to protect the privacy and security of health information;

• set standards for billing and claims transmissions; and

• provide for civil and criminal penalties for violations of patients' privacy rights.

As the Health Center moves to comply with the new law, many of its business practices will be affected, from the way medical records are written and stored, to the way bills are sent out and patient information shared, whether in writing, electronically, or in conversation.

"We are reviewing all our computer applications to see what needs to be done to make them conform with the new law," says Robert Brandner, assistant vice president for information technology, who heads the Health Center's HIPAA program. "And we are working with all our vendors to make sure they have taken appropriate steps to comply with the law."

Under HIPAA's privacy standard, health care providers can share private medical information for treatment, payment, or health operations purposes, but they must secure that patient information from those who don't need it.

The law includes considerable penalties for violations - up to $25,000 per year per HIPAA standard.

"Fortunately, the Health Center has always given high priority to confidentiality of patient information," says Iris Mauriello, the Health Center's compliance officer. "The new law, however, requires us to take additional steps to safeguard information and to monitor our efforts on an ongoing basis."

The Health Center must now develop and post its privacy procedures so patients are aware of them. And it has to train all its employees so they understand the new procedures.

"Initially, there was some concern that hospitals would have to build sound-proof rooms and encrypt all their communication systems so health information couldn't be overheard," says Mauriello. "Clarifications to the federal regulations have made it clear that kind of retrofitting isn't required. It does, however, require us to take reasonable safeguards to avoid disclosing private information. That could mean shielding a computer in a treatment area, or using cubicles or shields in large treatment areas to allow some privacy for patient-staff communications."

The Health Center has established a project office under Brandner. "We are working with other health care providers and payers around the country to make sure our practices are in step with others throughout the industry," he says.

The law gives health care providers time to comply, with the first deadline in October 2002. Says Brandner, "I feel confident that we're in pretty good shape."

Kristina Goodnough