John, a father of three, met with a plastic surgeon to go over options for the procedures he wanted, and upon leaving the office, requested that more information be e-mailed to him. Later that night, when checking the family's e-mail in-box, John's younger daughter found a message from the surgeon outlining John's options, based on the procedures he was inquiring about, along with associated health risks, based on his current health status, and a cost estimate.

According to the US Department of Health and Human Services (HHS), John's medical privacy had been violated.

What went wrong? The information had been sent as requested. To understand the privacy violation, let's go back 11 years to 1996, when Congress passed a major health care law called the "Health Insurance Portability and Accountability Act," commonly referred to as "HIPAA."

The Need for HIPAA

In 1996, the Internet was just being tapped into and Google wasn't even a word yet. Even then, the government and health insurance companies knew that they needed to standardize and improve the efficiency of the electronic transmission of certain health information. So, HIPAA was enacted.

It is unlikely that any medical professional has not heard about HIPAA and its considerable impact on the health care industry. The HIPAA Privacy Rule was the first of its kind to create national standards to protect individual patients' medical records and other personal health information.

HIPAA is designed to work in two ways. First, it provides patients with

• more control over their own health information;
• the ability to make informed choices when seeking care and reimbursement for care, taking into account how their personal health information may be used;
• the right to know how their information may be used, and about certain disclosures of their information that have been made;
• limited release of their information to the minimum number of people reasonably needed for the purpose of the disclosure; and
• empowerment to control certain uses and disclosures of their health information.

Second, HIPAA gives health care facilities and medical professionals

• boundaries for the use and release of health records;
• appropriate safeguards that must be achieved to protect the privacy of health information;
• a balance when public responsibility supports disclosure of some forms of data—for example, to protect public health; and
• the threat of being held accountable: fines up to $25,000 for multiple violations of the same standard within a calendar year; and fines up to $250,000, and potentially imprisonment up to 10 years, for knowingly violating patients' privacy rights by disclosing private medical information.

Who must comply with HIPAA standards? All health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically, such as billing and fund transfers.

Loopholes and Reluctance

Federal regulations gave an October 2003 deadline for required compliance with the new HIPAA national standards. Almost 4 years have passed since compliance became required—so in 2007, how are we doing?

Not well, according to William Yasnoff, MD, a physician and computer scientist who was with HHS from 2002 to 2005. In a February 2007 article in The New York Times, Yasnoff said, "The Department [of Health and Human Services] does not have a comprehensive approach to privacy."¹ He explained that stronger privacy protections were needed, saying, "Anything you do to make information more accessible for good, laudable purposes will simultaneously make it more accessible for evil, nefarious purposes. People intuitively understand that, and they are worried."

Yasnoff may have a valid point. Not only do HIPAA critics cite loopholes, as well as violations that are rarely prosecuted, but they also point to a lack of participation by medical centers and concern over patients giving accurate information in the first place. A 2005 survey by the California HealthCare Foundation found that one in eight respondents said they tried to hide a medical problem by skipping a prescribed test.² Most were fearful that their private health information could be held against them for job opportunities.

The results of a study conducted last year by researchers at Massachusetts General Hospital in Boston and George Washington University in Washington, DC, revealed that only one in four US physicians used electronic health records in 2005, and fewer than one in 10 used electronic technology for important tasks like prescribing drugs, ordering tests, and making treatment decisions.

Our international counterparts are less hesitant. In Britain, 89% of primary care doctors use them, along with 98% in the Netherlands, according to an online edition of the journal Health Affairs, as reported by The New York Times on December 3, 2006.³

Not only are most US physicians not using technology for efficiency, they are also not using it to communicate with their patients directly. Harris Interactive conducted an online survey in 2005, asking adult patients if they receive e-mail communications from their physicians, and only 8% said yes.⁴

With many patients who complain about blink-and-you'll-miss-it consultations with their physicians, and who may have questions once they leave your offices, e-mail may be an answer. It can enhance the level of trust and care between a physician and a patient. It's quick and relatively free. But, what physician has the time?

Besides the time issue, many physicians worry about compromising their patients' health privacy over the Internet by sending physician–patient e-mails. This brings the next obvious question: How can physicians remain connected to patients without violating HIPAA?

Tips to Remain Compliant

Today's technology offers secure Web sites that physicians or health care organizations can use to keep e-mail and medical records private—but it may come at a cost. One option, though not absolutely necessary, requires patients to log onto a secure Web application with a user name and password, which the application confirms and then routes the e-mail to the appropriate physician, who also has to log onto the application with his or her own user name and password. This method replaces the office assistant as the go-between for patient and physician, and also ensures that you're taking privacy to a higher level.

Many offices already handle administrative contact with patients or prospective patients—including appointment requests and confirmations, questions and responses regarding billing, and administrative issues such as an address change or forwarding medical records to another practice—through e-mail. For these administrative issues, the patient's privacy must be upheld first and foremost, and all records must be kept on a secure server.

To ensure that you remain HIPAA compliant within your own practice, the HIPAA Compliance Journal  has provided the following tips:

• Train your current and new office staff on the necessity and rules of HIPAA compliance.
• Designate a staff member as your security officer, who will stay up to date with HIPAA laws and news and ensure that your office is educated and updated annually.
• Secure the confidential data of patients in an electronic form that is inaccessible to any outsider.
• Display privacy policies related to HIPAA very prominently at your workplace and on your Web site.
• Install security software, and review its logs once per month.
• Prepare documents related to HIPAA compliance, along with the trainings conducted and the certifications completed.

HIPAA-Related FAQs

Here are some common HIPAA-related FAQs from the HHS Web site⁶ regarding patient communications orally, by fax, by e-mail, and by phone:

Q: Does the HIPAA Privacy Rule require that covered entities document all oral communications?

A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment, or health care operations.

The Rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented to meet the standard for providing a disclosure history to an individual upon request.

Where a documentation requirement exists in the Rule, it applies to all relevant communications, whether in oral or in some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the Rule at 45 CFR 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally, by phone, or in writing.

Q: Does the HIPAA Privacy Rule permit a physician, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?

A: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise. For example:

• A laboratory may fax, or communicate over the phone, a patient's medical test results to a physician.
• A physician may mail or fax a copy of a patient's medical record to a specialist who intends to treat the patient.
• A hospital may fax a patient's health care instructions to a nursing home to which the patient is to be transferred.
• A physician may discuss a patient's condition over the phone with an emergency department physician who is providing the patient with emergency care.
• A physician may orally discuss a patient's treatment regimen with a nurse who will be involved in the patient's care.
• A physician may consult with another physician by e-mail about a patient's condition.
• A hospital may share an organ donor's medical information with another hospital treating the organ recipient.

The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used.

For example, when faxing protected health information to a number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may preprogram frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a physician may be able to reasonably safeguard the information by lowering his or her voice.

Q: Is it OK to leave a voice mail message for a patient or when confirming an appointment by phone?

A: Yes. The HIPAA Privacy Rule permits health care providers to communicate with their patients regarding their health care. This includes communicating with patients at their homes, whether through the mail, by phone, or in some other manner.

In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present.

See also "More Patients at Your Fingertips" by Glen Lubbert in the January 2007 issue of PSP.

Medical records privacy and complying with national standards to protect the privacy of protected health information (PHI) has become a hot topic, and an important one in Washington and around the world over the last decade with the explosion of the Internet. Ensuring that you, your office staff, and your entire practice remain HIPAA compliant in all your communications and daily activities will eliminate the risk of leaking secure PHI. It's an ongoing process and an important one to monitor.

Now back to our original example on the HIPAA violation with John, who was e-mailed information per his request on plastic surgery options: To ensure that the e-mail was HIPAA compliant, it should have been sent to an e-mail address that only John had access to, and the sender, to be safe, should have avoided including any of John's PHI.

For more detailed information about HIPAA and how to ensure that your practice becomes and remains HIPAA compliant, please visit the HHS Web site at www.hhs.gov/ocr/hipaa.

Glen Lubbert is the president of Mojo Interactive Inc, an Internet marketing company that offers the patient-referral service LocateADoc.com. He can be reached at or via his Web site, www.mojointeractive.com.

References

1. Pear R. Warnings over privacy of US health network. New York Times. February 18, 2007. Available at: www.nytimes.com/2007/02/18/washington/18health.html?ex=1175918400&en=1a48ea57303682fd&ei=5070. Accessed April 5, 2007.
2. California HealthCare Foundation. Americans have acute concerns about the privacy of personal health information. November 9, 2005. Available at: www.chcf.org/press/view.cfm?itemID=115814. Accessed April 5, 2007.
3. Freudenheim M, Pear R. Health hazard: Computers spilling your history. New York Times. December 3, 2006. Available at: www.nytimes.com/2006/12/03/business/yourmoney/03health.html?ex=1175918400&en=3bf7271d91412ec1&ei=5070. Accessed April 5, 2007.
4. Harris Interactive. New poll shows US adults strongly favor and value new medical technologies in their doctor's office. October 14, 2005. Available at: www.harrisinteractive.com/news/allnewsbydate.asp?newsid=980. Accessed April 5, 2007.
5. Venkatesh P. Tips on HIPAA compliance. HIPAA Compliance Journal. October 28, 2006. Available at: www.hipaacompliancejournal.com/tips/index.html. Accessed April 5, 2007.
6. United States Department of Health and Human Services. HIPAA—Frequent questions. Available at: www.hhs.gov/hipaafaq. Accessed April 5, 2007.