CAP TODAY feature story
Taking care of business as HIPAA draws near

September 2002
Karen Titus

If you’re expecting your LIS vendor to tame the beast of HIPAA compliance for you, you’re waiting on the wrong party. Likewise, if you’re hoping the final regulations will serve as a detailed TripTik for your laboratory, don’t hold your breath.

But if you’re looking for insight from a well-respected vendor, you could do worse than to listen to John Travis, director of product management at Cerner Corp., Kansas City, Mo.

Travis talked about HIPAA compliance in a breakout session at The Dark Report’s Executive War College, held in May, and recently with CAP TODAY. He raised provocative questions, offered reassuring answers, and banished some of the myths swirling around this ticklish topic.

By now, everyone knows the Health Insurance Portability and Accountability Act contains a lengthy privacy rule designed to protect consumers from misuse of their medical information. While primary care providers are the main targets of the rule, laboratories are by no means off the HIPAA hook, especially those that deal directly with patients.

First, labs need to realize that privacy and security are an itchy fit at best. Or, as Travis put it, they go "hand in glove...sort of."

Can privacy exist without security? he asked. Is privacy a procedural challenge, and security a technical matter? Can the privacy concept of "minimum necessary" (the provider’s policy definition of using the minimum information necessary for the purpose at hand) be supported absent the "need to know" security rule concept (the provider’s policy definition of what information staff can use or disclose in line with their responsibilities)?

These two aspects of HIPAA were originally intended to be implemented simultaneously, but recently finalized changes to the privacy provisions have altered the landscape. In particular, the finalized amendments to the privacy rule contain a more relaxed version of the original rule, such as making optional the need for patient consent before providers could use or disclose information for basic health care activities.

In addition to the moving-target nature of HIPAA regulations, providers are wrestling with a slew of definitions that are less-than-illuminating. (See "Key terms.") Despite its diminutive size, the word "use," for example, has befuddled more than its share of providers. "I think a lot of people confuse ‘use’ as being within consent, and ‘disclosure’ as being outside consent," Travis said. "Use is simply a use of information internal to your organization—you as custodian of the patient’s data being the one who is using that information. A use can be within consent, or it could be outside of consent purpose. So they are not quite synonymous."

"Disclosure" is the sharing of personal health information, or PHI, outside of the covered entity, or provider. "Any kind of disclosure, whether or not it’s related to a health purpose," Travis said.

Consent covers three broad categories of purpose: treatment, which is a direct or indirect patient care interaction or the related use or disclosure of patient information; payment, which includes auditing, remittance processing, and documentation required for claims payments; and health care operations, which includes medical education, quality assurance, peer review—anything that helps the organization maintain quality of care and the credentialing of its staff.

"All of those, when the patient gives you their consent, as it’s outlined in the original final rule, are permissible activities, unless some other restriction has been applied," Travis noted.

"Authorization" consists of permissions to use or disclose PHI for nonconsent purposes. "They’re always specific, they’re always for a particular individual or a particular instance," he said. "They are not blanket, they don’t cover a wide range of uses."

Then there’s minimum necessary and need to know. The two terms are similar, as noted, but with a nuance of difference. "Minimum necessary is aimed at the thing that’s being done," he said; it’s a more general look at how information is used. Need to know, on the other hand, defines who is authorized to use the information. "Both are intertwined," Travis said. "I don’t know how you can divorce the two. Which is why it’s such a fallacy to think of the privacy rule as going first, and the security rule as going second.

"And if you’re looking for relief in terms of the security rule being something that you can defer on thinking about, it’s going to be a very expensive proposition for you, for more than one reason," he warned.

Providers may catch a break with the recent privacy rule amendments on minimum necessary. "I’ve never seen anything in the Federal Register that used the words ‘reasonable’ or ‘reasonableness’ so much," Travis said. "It’s not the minimum amount you could use, but a reasonable definition of what’s necessary to use. It is procedurally based, and I think common sense dictates what you say there. You can use the whole record if it’s justifiable by your policy. That’s really what they’re after—to make good decisions."

That, of course, feeds into need to know under the security rule, arguably the heart of HIPAA. "It’s the need to have security, it’s the need to have accountability controls." And, given that it’s largely unaffected by the recent amendments to the privacy rule, "It’s staying in there," Travis predicted.

He noted one exception to minimum necessary—disclosures made for a treatment purpose. "When you disclose to a business associate, you’re not responsible for necessarily defining minimum necessary for that." That falls to the party making the request for release. Moreover, Travis said, once the information is disclosed, it’s nearly impossible to manage it; therefore, there is no direct regulatory control after the primary disclosure has been made.

Confidentiality is upheld by the framework of security, which includes everything from policies and procedures to systems controls and the technical infrastructures for paper and electronic records. "Privacy doesn’t just touch the electronic record. It also doesn’t start with systems," Travis cautioned. "It starts with policy."

So that’s where labs should start, too—with policy. "Anybody who is implementing systems or reviewing systems must first deal with the question, What is our policy and procedure that stand behind how patient information is used or disclosed? That sets the table for what you should expect of systems."

One of the bigger burdens HIPAA places on providers involves consent and informing patients of their privacy rights. One element persists with the finalized privacy rule amendments—the notice of privacy, which requires providers to give patients a written notice explaining how their information will be used in their care. "That’s oversimplification, but that’s the gist," Travis said.

The recent privacy rule amendments make consent optional. "People are leaping on the bandwagon saying it went away," he said. "It did not go away." Labs that choose to administer consent under the recently finalized amendments are free to choose the manner in which they do it, such as the form used and how frequently consent is obtained and at what level of the organization. But with regard to restrictions or revocations of consent, labs that choose to administer consent are still under the requirements of the final rule. Those who decline to administer consent must still provide patients with a notice of privacy and make a good-faith effort to obtain, in writing, the patients’ acknowledgment that they understand the policy. "Now, they can refuse to sign the policy, and if they refuse to sign it, you can still use their information without restriction," Travis said.

Many providers are muddying the waters unnecessarily, thinking they need to ply patients with dense, 15-page notices. Travis urged a different tack. "It’s an opportunity for patient education. Give them a summary, something written to a 5th- or 8th-grade reading level that most of them can understand, that fits on one page. If you educate them and demystify how you use their information, they will probably not have any reason to object. And the things that they object to are probably things that you ban by policy anyway."

The HIPAA consent document differs from consent forms currently collected for billing. Bear in mind that the consent status must be managed. "If you change your privacy policy, you have to go get consent again," Travis said. "If they [patients] revoke their consent status, which they can do at any point, you have to record that and track it and make that change in status available to your staff as common information."

While most hospital-based labs may not be directly involved in obtaining consent or in administering the notice of privacy practices, their systems need to store the status of either the consent or the notice and make it available for viewing. "I would hope that most of your organizations that are hospital-based are centralizing the process by which consent is obtained and managed, or notice given, and not leaving it up to every point of access in your institution," he said. "Because consent only needs to be obtained one time unless they revoke it, or unless you change your privacy policy."
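The consent-status rules Travis describes (obtain consent once, track revocation at any point, re-obtain when the privacy policy changes, and expose the resulting status to every point of access) can be reduced to a small register. The following is an added example written for this article, not code from Cerner or from any LIS; patient identifiers and policy version labels are constructed, and the status names are the example’s own.

```python
# Added example (not Cerner code): a consent status register that applies the
# rules in the text: one consent per patient, valid until the patient revokes
# it or the privacy policy changes. Patient ids and policy versions are
# constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    policy_version: str            # version of the notice the patient consented to
    obtained_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentRegistry:
    """Central store of consent status, shared by every point of access."""

    def __init__(self, current_policy_version: str):
        self.current_policy_version = current_policy_version
        self._records: Dict[str, ConsentRecord] = {}

    def record_consent(self, patient_id: str, at: datetime) -> None:
        # A new consent always refers to the policy in force when it was given.
        self._records[patient_id] = ConsentRecord(self.current_policy_version, at)

    def revoke(self, patient_id: str, at: datetime) -> None:
        rec = self._records.get(patient_id)
        if rec is None:
            raise KeyError("no consent on file for " + patient_id)
        rec.revoked_at = at

    def change_policy(self, new_version: str) -> None:
        # Consents stay on file but no longer match the current policy, so
        # status() reports that consent must be obtained again.
        self.current_policy_version = new_version

    def status(self, patient_id: str) -> str:
        """The common status staff at any point of access should see."""
        rec = self._records.get(patient_id)
        if rec is None:
            return "none"                   # consent never obtained
        if rec.revoked_at is not None:
            return "revoked"                # patient withdrew it
        if rec.policy_version != self.current_policy_version:
            return "reconsent_required"     # policy changed after consent
        return "active"


def walkthrough() -> list:
    """Constructed sequence of events for one patient; returns the statuses."""
    reg = ConsentRegistry("policy-2002-04")
    pid = "P-1001"
    seen = [reg.status(pid)]
    reg.record_consent(pid, datetime(2002, 5, 1, 9, 0))
    seen.append(reg.status(pid))
    reg.change_policy("policy-2002-09")       # privacy policy revised
    seen.append(reg.status(pid))
    reg.record_consent(pid, datetime(2002, 9, 3, 10, 30))
    seen.append(reg.status(pid))
    reg.revoke(pid, datetime(2002, 9, 20, 14, 0))
    seen.append(reg.status(pid))
    return seen


if __name__ == "__main__":
    print(walkthrough())
```

The point of keeping the policy version on each consent record is that a policy change does not silently erase or overwrite consents; the register simply reports that they need to be renewed, which is what the staff view needs to show.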

The spirit of the amendments emphasizes notifying the patient. Consent, on the other hand, is a legal obligation. With no consent, there’s no treatment. This issue bears close watching, Travis cautioned. "I don’t think we’ve heard the last word on it."

What if consent or the notice of privacy practices acknowledgment is restricted? Then policy dilemmas become even more interesting. Travis is certainly intrigued by the problem. "From a software development standpoint, I’m trying to figure out, What is a rational response to a restriction?" he said. "Do I try to do some dynamic access control to manage it, or do I create an audit system that you can set up to monitor violations of a restriction?"

Travis indicated he’d likely lean toward the second option. "But most providers I talk to, probably three out of four, have said, ‘We’re not even going to accept restrictions. They’re just too hard to manage. The risk management issues of accepting them, and the potential for violating them, are very dangerous.’"

Travis also hears this from providers: "How are we going to document these and make these something that people can understand and use? If we document the restriction too fully, we may inadvertently disclose part of the condition the patient’s trying to restrict us from disclosing." Sounding like a country lyricist, Travis said, "You can’t go very far without going too far." Labs that decide to accept restrictions need to figure out how to honor them. "That’s tricky," he acknowledged.
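The audit approach Travis leans toward, with the documentation worry he raises in the paragraph above, can be sketched as a log check. What follows is an added example for this article, not Cerner code or any product’s audit feature: the disclosure log rows, the restriction record, the category codes and the column names are all constructed. The design choice it illustrates is that the restriction record and the alerts it produces carry only a restriction id, a record category code and the blocked purposes, never a description of the condition the patient wants kept quiet.

```python
# Added example (not Cerner code): an after-the-fact audit that checks a
# disclosure log against the restrictions patients have asked for. The log
# rows, restriction record and category codes are constructed for illustration.
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    """What the patient asked to restrict, recorded without describing the
    underlying condition: a restriction id, the category code of the records
    involved and the disclosure purposes the patient opted out of."""
    restriction_id: str
    patient_id: str
    data_class: str              # category code of the restricted records
    blocked_purposes: frozenset  # e.g. {"payment", "operations"}


# Constructed disclosure log: one row per use or disclosure of PHI.
SAMPLE_LOG = """\
timestamp,user_id,patient_id,data_class,action,purpose,recipient
2002-09-10T08:02:00,tech01,P-1001,CHEM,use,treatment,internal
2002-09-10T08:15:00,clerk07,P-1001,CHEM,disclose,payment,payer-x
2002-09-10T09:40:00,clerk07,P-1002,SPEC,disclose,payment,payer-x
2002-09-10T10:05:00,doc03,P-1002,SPEC,disclose,treatment,clinic-b
2002-09-10T11:30:00,qa02,P-1002,SPEC,disclose,operations,peer-review
2002-09-10T12:00:00,qa02,P-1003,SPEC,disclose,operations,peer-review
"""

# Constructed restriction: patient P-1002 asked that records in class SPEC not
# be disclosed for payment or health care operations purposes.
RESTRICTIONS = [
    Restriction("R-77", "P-1002", "SPEC", frozenset({"payment", "operations"})),
]


def find_violations(log_text: str, restrictions) -> list:
    """Return one alert per logged disclosure that falls under a restriction.

    Alerts carry only the restriction id, time, user and recipient, so the
    audit trail itself does not reveal what the patient restricted."""
    by_patient = {}
    for r in restrictions:
        by_patient.setdefault(r.patient_id, []).append(r)

    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "disclose":
            continue  # internal uses are outside this particular check
        for r in by_patient.get(row["patient_id"], []):
            if row["data_class"] == r.data_class and row["purpose"] in r.blocked_purposes:
                alerts.append({
                    "restriction_id": r.restriction_id,
                    "timestamp": row["timestamp"],
                    "user_id": row["user_id"],
                    "recipient": row["recipient"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG, RESTRICTIONS):
        print(alert)
```

Run against the constructed log, the check flags the payment disclosure by clerk07 and the peer-review disclosure by qa02 for patient P-1002; the treatment disclosure for the same patient passes because treatment is not among the blocked purposes, and the P-1003 row has no restriction on file.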

Security support for minimum necessary rests on three elements: authentication, authorization, and accountability. These are not merely IS concepts, Travis said; they are inseparable from use of medical information, in paper or electronic form.

Homing in on authorization security, Travis noted that the proposed security rule outlines three authorization models. The role-based approach contends that an individual’s work responsibilities give him or her the right to see, use, or disclose patient data. Under the user-based concept, those rights are based on an individual’s identity.

Context-based is slightly more complicated. "It’s a combination of who you are, where you are, what you are, and when you are at what you are that defines your authorization right. A good example of this is the multicredentialed lab tech who could work at any number of performing sites within your operation. You want them doing only the work that is assigned to them when they’re at that performing site."
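The three models can be seen side by side in one authorization check, with the multicredentialed tech from Travis’s example as the test case. This is an added example for this article, not Cerner code and not an implementation of the proposed security rule; the role names, permission strings, site labels and shift hours are constructed. It also records every decision, which is the accountability element named earlier, and it denies by default: a permission granted by role or by identity is honored only where and when the user is assigned to work.

```python
# Added example (not Cerner code): a deny-by-default authorization check that
# evaluates the three models named in the proposed security rule: role-based,
# user-based and context-based. Roles, permissions, sites and shift times are
# constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, time

# Role-based: a job function carries a fixed permission set.
ROLE_PERMISSIONS = {
    "lab_tech": {"result.view", "result.enter"},
    "pathologist": {"result.view", "result.enter", "result.verify"},
    "billing_clerk": {"charge.view"},
}


@dataclass(frozen=True)
class Assignment:
    """Context grant: the user may act at one performing site during one shift."""
    site: str
    shift_start: time
    shift_end: time

    def covers(self, site: str, at: datetime) -> bool:
        if site != self.site:
            return False
        t = at.time()
        if self.shift_start <= self.shift_end:
            return self.shift_start <= t < self.shift_end
        # Overnight shift that crosses midnight.
        return t >= self.shift_start or t < self.shift_end


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    # User-based: permissions granted to this identity specifically.
    direct_permissions: set = field(default_factory=set)
    # Context-based: where and when this user is assigned to work.
    assignments: list = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Accountability: every decision, allowed or denied, is recorded.
AUDIT_LOG: list = []


def authorize(user: User, permission: str, site: str, at: datetime) -> Decision:
    # Step 1, user-based then role-based: is the permission granted at all?
    if permission in user.direct_permissions:
        basis = "user grant"
    elif any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles):
        basis = "role grant"
    else:
        basis = None

    # Step 2, context-based: is the user assigned to this site right now?
    if basis is None:
        decision = Decision(False, "no grant for " + permission)
    elif not any(a.covers(site, at) for a in user.assignments):
        decision = Decision(False, basis + " exists, but user is not assigned to " + site + " at this time")
    else:
        decision = Decision(True, basis + ", assigned to " + site)

    AUDIT_LOG.append((at.isoformat(), user.user_id, permission, site, decision.allowed, decision.reason))
    return decision


def example_decisions() -> dict:
    """Constructed scenario: a multicredentialed tech assigned to two sites."""
    tech = User(
        "tech01",
        roles={"lab_tech"},
        assignments=[
            Assignment("site-A", time(7, 0), time(15, 0)),   # day shift
            Assignment("site-C", time(22, 0), time(6, 0)),   # night shift
        ],
    )
    return {
        "day_at_assigned_site": authorize(tech, "result.enter", "site-A", datetime(2002, 9, 10, 9, 0)).allowed,
        "wrong_site": authorize(tech, "result.enter", "site-B", datetime(2002, 9, 10, 9, 0)).allowed,
        "after_shift": authorize(tech, "result.enter", "site-A", datetime(2002, 9, 10, 16, 0)).allowed,
        "night_shift_past_midnight": authorize(tech, "result.view", "site-C", datetime(2002, 9, 11, 1, 0)).allowed,
        "no_grant_for_verify": authorize(tech, "result.verify", "site-A", datetime(2002, 9, 10, 9, 0)).allowed,
    }


if __name__ == "__main__":
    for name, allowed in example_decisions().items():
        print(name, "->", "allowed" if allowed else "denied")
```

The tech is allowed to enter results at site-A during the day shift and to view them at site-C after midnight, and is refused at a site where no assignment exists, outside the shift, and for a permission the lab_tech role does not carry. The audit entries make the denied attempts as visible as the allowed ones, which is what a later need-to-know review depends on.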

Most applications allow laboratories to establish simple boundaries for the clinical operation of the lab system. But the gray areas are never far off. Most applications also have registration components, order management components, and charge or billing components. In reference labs, there may be considerable patient or access management activities. "So it may not be as simple as saying, ‘You have access to the lab system.’ Maybe the lab system is part of a larger application suite."

Every lab needs to handle authorization security in its own way. The goal is not to provide every possible layer of security, but to incorporate only what’s needed. Let your policy objective be your guide. "None of us should be here in a vendor role saying, ‘You need this to be compliant.’ That’s a fallacy," Travis said. In other words, vendors need to understand client demands, not dictate them.

Under minimum necessary, laboratories have two possible classes of users: interdepartmental and extradepartmental. The second group—those who receive results—"broadens your risk exposure in terms of how a result is communicated. How do you define and control distributions?" Travis asked. "I get questioned more about security of fax machines, security of result messaging for remote distribution from the lab, than I do anywhere else. And I don’t know that there are strong answers."

The more that labs can control distribution, based on policy, the better. And if users have remote access to make result inquiries directly into the LIS, he said, "you need to think about the access rights you give them. You probably want them only in an inquiry mode in a certain set of functions."

U.S. providers are up against a cultural bias as well, one that doesn’t affect their counterparts in Canada, Europe, or Australia. In those countries, Travis maintains, "it’s very well understood that providers don’t own the data. The individual owns the data. You house the data, you use the data on the individual’s behalf, but you’re not the owner."

In this country, however, "We feel a greater freedom to use or disclose that data without permission. So it’s a cultural change for a lot of organizations."

For that reason, labs may find it hard to swallow the right of inspection—the right of patients to view or receive their records. Does this mean labs will give patients LIS access? "Probably not," Travis said. "But you do need to think about how you provide data to them."

His suggestion? Treat it like any other release of information, since the mechanics may already be set up. The chief challenge likely will be defining the release format. "The patient is not used to looking at medical information. So consider a consumer-friendly format."

Patients also have the right of amendment—the right to ask for a correction of their record. "If you believe the information is complete and accurate, you can turn them down. But the lab systems are going to have a role in this, because error correction, if it is accepted, is going to flow back to the system that originated the data."

LISs will be expected to have error correction capabilities, Travis predicted. "This should not pose any more requirements than error correction does today for other reasons. It just happens to come from the patient as opposed to another source."

Finally, patients have a right to understand how their record has been disclosed if it was for a reason unrelated to their consent. Amid all the technical terms and jargon lies the so-called confessionals—"my favorite category," Travis said. "If you do breach their privacy, if you did happen to inadvertently release their information, you must tell them—if they ask." A better policy is to inform patients even if they don’t ask, "because this is an area of accounting that you’re going to be responsible for." Freestanding labs need to think about this carefully. Hospital-based labs, on the other hand, need to take note of their organization’s centralized efforts. "That’s really where it belongs, not at a departmental level."

That last observation, in fact, is the crux of handling HIPAA, Travis said. "If you’re an independent, you have quite a few responsibilities, just like any other covered entity. If you’re part of a large covered entity, you need to understand what is being done in your setting."

Karen Titus is CAP TODAY contributing editor and co-managing editor.