Taking care of business as HIPAA draws near
September 2002 Karen Titus
If you’re expecting your LIS vendor to tame the beast of HIPAA compliance
for you, you’re waiting on the wrong party. Likewise, if you’re hoping the final
regulations will serve as a detailed TripTik for your laboratory, don’t hold
your breath.
But if you’re looking for insight from a well-respected vendor,
you could do worse than to listen to John Travis, director of product
management at Cerner Corp., Kansas City, Mo.
Travis talked about HIPAA compliance in a breakout session at
The Dark Report’s Executive War College, held in May, and
recently with CAP TODAY. He raised provocative questions, offered
reassuring answers, and banished some of the myths swirling around
this ticklish topic.
By now, everyone knows the Health Insurance Portability and Accountability
Act contains a lengthy privacy rule designed to protect consumers from misuse
of their medical information. While primary care providers are the main targets
of the rule, laboratories are by no means off the HIPAA hook, especially those
that deal directly with patients.
First, labs need to realize that privacy and security are
an itchy fit at best. Or, as Travis put it, they go "hand in glove...sort
of."
Can privacy exist without security? he asked. Is privacy a procedural
challenge, and security a technical matter? Can the privacy concept
of "minimum necessary" (the provider’s policy definition of using
the minimum information necessary for the purpose at hand) be supported
absent the "need to know" security rule concept (the provider’s
policy definition of what information staff can use or disclose
in line with their responsibilities)?
These two aspects of HIPAA were originally intended to be implemented
simultaneously, but recently finalized changes to the privacy provisions
have altered the landscape. In particular, the finalized amendments
to the privacy rule contain a more relaxed version of the original
rule, such as making optional the need for patient consent before
providers could use or disclose information for basic health care
activities.
In addition to the moving-target nature of HIPAA regulations,
providers are wrestling with a slew of definitions that are less-than-illuminating.
(See "Key terms.") Despite its
diminutive size, the word "use," for example, has befuddled more
than its share of providers. "I think a lot of people confuse ’use’
as being within consent, and ’disclosure’ as being outside consent,"
Travis said. "Use is simply a use of information internal to your
organization—you as custodian of the patient’s data being
the one who is using that information. A use can be within consent,
or it could be outside of consent purpose. So they are not quite
synonymous."
"Disclosure" is the sharing of protected health information, or
PHI, outside of the covered entity, or provider. "Any kind of disclosure,
whether or not it’s related to a health purpose," Travis said.
Consent covers three broad categories of purpose: treatment, which
is a direct or indirect patient care interaction or the related
use or disclosure of patient information; payment, which includes
auditing, remittance processing, and documentation required for
claims payments; and health care operations, which includes medical
education, quality assurance, peer review—anything that helps
the organization maintain quality of care and the credentialing
of its staff.
"All of those, when the patient gives you their consent, as it’s
outlined in the original final rule, are permissible activities,
unless some other restriction has been applied," Travis noted.
"Authorization" consists of permissions to use or disclose PHI
for nonconsent purposes. "They’re always specific, they’re always
for a particular individual or a particular instance," he said.
"They are not blanket, they don’t cover a wide range of uses."
Then there’s minimum necessary and need to know. The two terms
are similar, as noted, but with a nuance of difference. "Minimum
necessary is aimed at the thing that’s being done," he said; it’s
a more general look at how information is used. Need to know, on
the other hand, defines who is authorized to use the information.
"Both are intertwined," Travis said. "I don’t know how you can divorce
the two. Which is why it’s such a fallacy to think of the privacy
rule as going first, and the security rule as going second.
"And if you’re looking for relief in terms of the security rule
being something that you can defer on thinking about, it’s going
to be a very expensive proposition for you, for more than one reason,"
he warned.
Providers may catch a break with the recent privacy rule amendments
on minimum necessary. "I’ve never seen anything in the Federal
Register that used the words ’reasonable’ or ’reasonableness’
so much," Travis said. "It’s not the minimum amount you could use,
but a reasonable definition of what’s necessary to use. It is procedurally
based, and I think common sense dictates what you say there. You
can use the whole record if it’s justifiable by your policy. That’s
really what they’re after—to make good decisions."
That, of course, feeds into need to know under the security rule,
arguably the heart of HIPAA. "It’s the need to have security, it’s
the need to have accountability controls." And, given that it’s
largely unaffected by the recent amendments to the privacy rule,
"It’s staying in there," Travis predicted.
He noted one exception to minimum necessary—disclosures made for a treatment
purpose. "When you disclose to a business associate, you’re not responsible
for necessarily defining minimum necessary for that." That falls to the party
making the request for release. Moreover, Travis said, once the information
is disclosed, it’s nearly impossible to manage it; therefore, there is no direct
regulatory control after the primary disclosure has been made.
Confidentiality is upheld by the framework of security,
which includes everything from policies and procedures to systems
controls and the technical infrastructures for paper and electronic
records. "Privacy doesn’t just touch the electronic record. It also
doesn’t start with systems," Travis cautioned. "It starts with policy."
So that’s where labs should start, too—with policy. "Anybody
who is implementing systems or reviewing systems must first deal
with the question, What is our policy and procedure that stand behind
how patient information is used or disclosed? That sets the table
for what you should expect of systems."
One of the bigger burdens HIPAA places on providers involves consent
and informing patients of their privacy rights. One element persists
with the finalized privacy rule amendments—the notice of privacy,
which requires providers to give to patients a written notice explaining
how their information will be used in their care. "That’s oversimplification,
but that’s the gist," Travis said.
The recent privacy rule amendments make consent optional. "People
are leaping on the bandwagon saying it went away," he said. "It
did not go away." Labs that choose to administer consent under the
recently finalized amendments are free to choose the manner in which
they do it, such as the form used and how frequently consent is
obtained and at what level of the organization. But with regard
to restrictions or revocations of consent, labs that choose to administer
consent are still under the requirements of the final rule. Those
who decline to administer consent must still provide patients with
a notice of privacy and make a good-faith effort to obtain, in writing,
the patients’ acknowledgment that they understand the policy. "Now,
they can refuse to sign the policy, and if they refuse to sign it,
you can still use their information without restriction," Travis
said.
Many providers are muddying the waters unnecessarily, thinking
they need to ply patients with dense, 15-page notices. Travis urged
a different tack. "It’s an opportunity for patient education. Give
them a summary, something written to a 5th- or 8th-grade reading
level that most of them can understand, that fits on one page. If
you educate them and demystify how you use their information, they
will probably not have any reason to object. And the things that
they object to are probably things that you ban by policy anyway."
The HIPAA consent document differs from consent forms currently
collected for billing. Bear in mind that the consent status must
be managed. "If you change your privacy policy, you have to go get
consent again," Travis said. "If they [patients] revoke their consent
status, which they can do at any point, you have to record that
and track it and make that change in status available to your staff
as common information."
While most hospital-based labs may not be directly involved in
obtaining consent or in administering the notice of privacy practices,
their systems need to store the status of either the consent or
the notice and make it available for viewing. "I would hope that
most of your organizations that are hospital-based are centralizing
the process by which consent is obtained and managed, or notice
given, and not leaving it up to every point of access in your institution,"
he said. "Because consent only needs to be obtained one time unless
they revoke it, or unless you change your privacy policy."
The spirit of the amendments emphasizes notifying the patient.
Consent, on the other hand, is a legal obligation. With no consent,
there’s no treatment. This issue bears close watching, Travis cautioned.
"I don’t think we’ve heard the last word on it."
What if consent or the notice of privacy practices acknowledgment
is restricted? Then policy dilemmas become even more interesting.
Travis is certainly intrigued by the problem. "From a software development
standpoint, I’m trying to figure out, What is a rational response
to a restriction?" he said. "Do I try to do some dynamic access
control to manage it, or do I create an audit system that you can
set up to monitor violations of a restriction?"
Travis indicated he’d likely lean toward the second option. "But
most providers I talk to, probably three out of four, have said,
’We’re not even going to accept restrictions. They’re just too hard
to manage. The risk management issues of accepting them, and the
potential for violating them, are very dangerous.’"
Travis also hears this from providers: "How are we going to document these
and make these something that people can understand and use? If we document
the restriction too fully, we may inadvertently disclose part of the condition
the patient’s trying to restrict us from disclosing." Sounding like a country
lyricist, Travis said, "You can’t go very far without going too far." Labs that
decide to accept restrictions need to figure out how to honor them. "That’s
tricky," he acknowledged.
Security support for minimum necessary rests on three elements:
authentication, authorization, and accountability. These are not
merely IS concepts, Travis said; they are inseparable from use of
medical information, in paper or electronic form.
Homing in on authorization security, Travis noted that the proposed
security rule outlines three authorization models. The role-based
approach contends that an individual’s work responsibilities give
him or her the right to see, use, or disclose patient data. Under
the user-based concept, those rights are based on an individual’s
identity.
Context-based is slightly more complicated. "It’s a combination
of who you are, where you are, what you are, and when you are at
what you are that defines your authorization right. A good example
of this is the multicredentialed lab tech who could work at any
number of performing sites within your operation. You want them
doing only the work that is assigned to them when they’re at that
performing site."
Most applications allow laboratories to establish simple boundaries
for the clinical operation of the lab system. But the gray areas
are never far off. Most applications also have registration components,
order management components, and charge or billing components. In
reference labs, there may be considerable patient or access management
activities. "So it may not be as simple as saying, ’You have access
to the lab system.’ Maybe the lab system is part of a larger application
suite."
Every lab needs to handle authorization security in its own way.
The goal is not to provide every possible layer of security, but
to incorporate only what’s needed. Let your policy objective be
your guide. "None of us should be here in a vendor role saying,
’You need this to be compliant.’ That’s a fallacy," Travis said.
In other words, vendors need to understand client demands, not dictate
them.
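The three authorization models above, and the earlier question of whether a patient restriction should be enforced by dynamic access control or caught by an audit monitor, can be shown together in code. What follows is an added example written for this article; it is not Cerner's code, not any LIS vendor's, and not code from the original page. Every user, role, site, shift window, patient identifier and restriction is constructed for the demonstration, and the tables that feed the checks (role permissions, a scheduling feed, a restriction list) are assumptions about where a real system would get that data.

```python
"""Role-, user- and context-based authorization for LIS access, with an audit
trail and a monitor for restriction violations. Added example for this article;
all identities, sites, shifts and patients below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class User:
    user_id: str                         # user-based: rights tied to an identity
    roles: FrozenSet[str]                # role-based: rights tied to the job
    credentialed_sites: FrozenSet[str]   # context-based: where the job may be done


# Role-based: what each role may do in the LIS (constructed table).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "lab_tech": {"result.enter", "result.view"},
    "clinician": {"result.view"},          # inquiry only
    "billing": {"charge.view"},
}

# Context-based: (user, site) -> shift window during which the user is assigned
# there. Assumption: fed from a scheduling system; here a constructed table.
ASSIGNMENTS: Dict[Tuple[str, str], Tuple[time, time]] = {
    ("tech_ann", "site_north"): (time(7, 0), time(15, 0)),
    ("tech_ann", "site_south"): (time(15, 0), time(23, 0)),
    ("dr_lee", "site_north"): (time.min, time.max),
}

# Patient restrictions the organization agreed to honor, stored only as
# (patient, user) pairs: recording *why* would itself disclose the condition.
RESTRICTIONS: Set[Tuple[str, str]] = {("pt_1001", "dr_lee")}


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    action: str
    patient_id: str
    site: str
    decision: str   # "allow" or "deny"
    reason: str


def authorize(user: User, action: str, patient_id: str, site: str,
              when: datetime, enforce_restrictions: bool) -> Tuple[bool, str]:
    """Evaluate role, then context (where and when), then the per-user restriction."""
    allowed: Set[str] = set()
    for role in user.roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    if action not in allowed:
        return False, "role does not permit action"
    if site not in user.credentialed_sites:
        return False, "not credentialed at site"
    window = ASSIGNMENTS.get((user.user_id, site))
    if window is None or not (window[0] <= when.time() < window[1]):
        return False, "not assigned to site at this time"
    if enforce_restrictions and (patient_id, user.user_id) in RESTRICTIONS:
        return False, "patient restriction"
    return True, "ok"


def access(log: List[AuditEvent], user: User, action: str, patient_id: str,
           site: str, when: datetime, enforce_restrictions: bool = True) -> bool:
    """Authorize, then record the decision either way (accountability)."""
    ok, reason = authorize(user, action, patient_id, site, when, enforce_restrictions)
    log.append(AuditEvent(when, user.user_id, action, patient_id, site,
                          "allow" if ok else "deny", reason))
    return ok


def restriction_violations(log: List[AuditEvent]) -> List[AuditEvent]:
    """The audit-monitoring alternative: allowed accesses a restriction should have
    blocked, e.g. from an application that does not enforce restrictions itself."""
    return [e for e in log
            if e.decision == "allow" and (e.patient_id, e.user_id) in RESTRICTIONS]


def demo() -> Tuple[List[bool], int]:
    """Constructed scenario: a multi-site tech and a restricted clinician."""
    log: List[AuditEvent] = []
    ann = User("tech_ann", frozenset({"lab_tech"}), frozenset({"site_north", "site_south"}))
    lee = User("dr_lee", frozenset({"clinician"}), frozenset({"site_north"}))
    morning = datetime(2002, 9, 3, 9, 30)
    evening = datetime(2002, 9, 3, 20, 0)
    results = [
        access(log, ann, "result.enter", "pt_1001", "site_north", morning),  # allowed: on shift there
        access(log, ann, "result.enter", "pt_1001", "site_south", morning),  # denied: not her site this shift
        access(log, ann, "result.enter", "pt_1001", "site_south", evening),  # allowed: evening shift
        access(log, ann, "charge.view", "pt_1001", "site_north", morning),   # denied: role
        access(log, lee, "result.view", "pt_1001", "site_north", morning),   # denied: restriction enforced
        access(log, lee, "result.view", "pt_1001", "site_north", morning,
               enforce_restrictions=False),                                   # allowed, but the monitor flags it
    ]
    return results, len(restriction_violations(log))


if __name__ == "__main__":
    print(demo())
```

The last two calls in `demo()` are the two options weighed above: with enforcement on, the restricted clinician is refused at access time; with enforcement off, the access goes through and `restriction_violations()` surfaces it afterward from the audit log. Either way the log records every decision, which is the accountability leg that both privacy's "minimum necessary" and security's "need to know" depend on.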
Under minimum necessary, laboratories have two possible classes
of users: intradepartmental (within the lab) and extradepartmental. The second group—those
who receive results—"broadens your risk exposure in terms
of how a result is communicated. How do you define and control distributions?"
Travis asked. "I get questioned more about security of fax machines,
security of result messaging for remote distribution from the lab,
than I do anywhere else. And I don’t know that there are strong
answers."
The more that labs can control distribution, based on policy, the better.
And if users have remote access to make result inquiries directly into the LIS,
he said, "you need to think about the access rights you give them. You probably
want them only in an inquiry mode in a certain set of functions."
U.S. providers are up against a cultural bias as well,
one that doesn’t affect their counterparts in Canada, Europe, or
Australia. In those countries, Travis maintains, "it’s very well
understood that providers don’t own the data. The individual owns
the data. You house the data, you use the data on the individual’s
behalf, but you’re not the owner."
In this country, however, "We feel a greater freedom to use or
disclose that data without permission. So it’s a cultural change
for a lot of organizations."
For that reason, labs may find it hard to swallow the right of
inspection—the right of patients to view or receive their
records. Does this mean labs will give patients LIS access? "Probably
not," Travis said. "But you do need to think about how you provide
data to them."
His suggestion? Treat it like any other release of information,
since the mechanics may already be set up. The chief challenge likely
will be defining the release format. "The patient is not used to
looking at medical information. So consider a consumer-friendly
format."
Patients also have the right of amendment—the right to ask
for a correction of their record. "If you believe the information
is complete and accurate, you can turn them down. But the lab systems
are going to have a role in this, because error correction, if it
is accepted, is going to flow back to the system that originated
the data."
LISs will be expected to have error correction capabilities, Travis
predicted. "This should not pose any more requirements than error
correction does today for other reasons. It just happens to come
from the patient as opposed to another source."
Finally, patients have a right to understand how their record
has been disclosed if it was for a reason unrelated to their consent.
Amid all the technical terms and jargon lies the so-called confessionals—"my
favorite category," Travis said. "If you do breach their privacy,
if you did happen to inadvertently release their information, you
must tell them—if they ask." A better policy is to inform
patients even if they don’t ask, "because this is an area of accounting
that you’re going to be responsible for." Freestanding labs need
to think about this carefully. Hospital-based labs, on the other
hand, need to take note of their organization’s centralized efforts.
"That’s really where it belongs, not at a departmental level."
That last observation, in fact, is the crux of handling HIPAA,
Travis said. "If you’re an independent, you have quite a few responsibilities,
just like any other covered entity. If you’re part of a large covered
entity, you need to understand what is being done in your setting."
Karen Titus is CAP TODAY contributing editor and co-managing editor.