Patient privacy law sparks changes

By Theresa Agovino
Associated Press

NEW YORK — Patients visiting Drs. Jeffrey Mazlin or Howard Shaw remark on how much nicer the office looks since a wall was removed, creating a bigger, more open space.

Barbara Velez, right, the office manager for a physician, makes certain every patient receives a privacy notice. Federal regulations went into effect April 14. Associated Press

The wall was knocked down two months ago to ease patient traffic that often clustered around the reception desk because someone inadvertently might see a medical file. Such an accidental glance now could be construed as a federal offense.

Federal regulations that went into effect April 14 mandate that health providers, insurance companies and pharmacies limit disclosures of patients' medical information. Providers have spent millions of dollars and countless hours readying for the privacy portion of the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.

Compliance has meant changes big and small, from building or tearing down walls, to door locks on rooms with patient files, to removing bulletin boards with patient notes to upgrading software and computer systems.

Enforcement is another matter. The Department of Health and Human Services has hired only 40 people to monitor compliance, so surprise or regular inspections aren't part the review plan.

Instead, HHS is counting on individuals to report infractions. It estimates that 21,000 complaints will be filed in the first year; in the first 2 1/2 weeks, 70 were registered.

HHS spokesman Bill Pierce said half of the complaints probably won't be privacy-related, and facts and circumstances would determine how the agency proceeds.

For example, he said, leaving a medical file out on a desk once wouldn't necessarily be a violation, but doing it repeatedly most likely would be.

Mazlin and Shaw, Manhattan obstetricians and gynecologists, thought removing the wall was necessary.

"There could be medical charts on the desk, on the computer screen," said Barbara Velez, who manages the practice. "We had to find a way to reduce that traffic."

The regulations mandate that doctors, hospitals and insurers notify patients of the privacy regulations, describing how their medical information may be used and their rights under the new rules.

Directions on how to report violations must also be included, and patients must be told they have a right to review their records, request errors be changed and limit who has access to it.

Many healthcare providers have been giving patients forms detailing their rights, and asking patients to sign releases.

News organizations can also be affected by the regulations, and are concerned about restrictions on information important to the public. If, for example, victims of disasters, accidents or crimes are taken to a hospital, officials might not release any information without patients' consent, making it nearly impossible to learn the names and conditions of the injured.

Those regulated by the rule are leaving nothing to chance.

"The preparation was massive — massive and all-consuming," said Kathryn Bakich, vice president-national director for healthcare compliance at The Segal Co., a benefits consulting firm.

"People are getting hysterical. There is a lot of wiggle room in the regulations, so people have to decide what is a reasonable effort at compliance and what is not."

Penalties for privacy violations range from a $100 fine to up to a $250,000 fine and 10 years in prison. The most severe punishment is reserved for people who intended to sell medical information for personal or financial gain or to harm the patient.

So far, patients have had little reaction. The University of Texas Medical Branch at Galveston provided patients with a phone number to call if they had HIPAA questions, but many of the calls have been to check on doctor's appointments.

When Robin Ruffner went into a Manhattan hospital recently for plastic surgery, she was irritated at having to sign a form when she was jittery about the procedure.

"I was really nervous and didn't feel like reading a form," the 31-year-old social worker said.

Ruffner also signed a HIPAA release form at a visit to the allergist earlier this month. But overall, Ruffner said, she doesn't mind signing the forms because she thinks laws to protect patients' medical records are a good idea.

The medical community has spent vast amounts to show patients and the government it is serious protecting medical records.The University of Texas at Galveston has spent about $1.5 million, not counting all the personnel time, on compliance. The U.S. Department of Health and Human Services estimates compliance will cost the industry $17.6 billion over 10 years.

Some observers worry that these costs will trickle down to consumers, but HHS spokesman Pierce said efficiencies from electronic transfer of records will save nearly $30 billion over the same time. One of HIPAA's mandates is to standardize the electronic transfer of patient records, but this part of the regulations does not go into full effect until Oct. 16.

Bakich said health insurers are telling clients administrative costs will rise because of updating systems to comply with the regulations, which in turn could increase premiums.

"This comes at a bad time because health care costs were going up anyway," Bakich said.