1. Wielawski, Irene M.


Six years after implementation, many have changed their minds.


Article Content

Mention HIPAA-the Health Insurance Portability and Accountability Act-in a group of nurses today and you'll still see some wincing and rolling of the eyes. But such reactions are fading along with the confusion and fear that followed Congress's passage of the law in 1996.

Figure. After the HI... - Click to enlarge in new windowFigure. After the HIPAA privacy rule was enacted in 2003, Barbara Velez, right, the office manager at a physician's practice in New York City, oversaw the remodeling of the small office space, which included high countertops designed to prevent patients from glancing at other patients' records. Photo from Associated Press / Bebeto Matthews.

Nurse leaders say the law's mandates to protect patients' privacy and the confidentiality of personal health information have become standard nursing practice. And, although debate continues about how best to apply HIPAA's privacy rule, the conversation today is much calmer than it was when the rule took effect in 2003. Back then, all anyone could talk about were the alarming sanctions it set out for privacy breaches: fines and jail terms.


This early focus on HIPAA's punitive aspects led health care organizations to adopt strict privacy procedures and policies that left little room for clinical staff to exercise professional judgment in communicating patients' health information. Now, most have relaxed this approach in response to feedback from clinical staff and consumers, as well as a friendlier informational Web site from the U.S. Department of Health and Human Services (DHHS), whose Office for Civil Rights ( oversees compliance.


"I do see things changing," says Carole A. Klove, JD, RN, chief privacy and compliance officer for the University of California, Los Angeles (UCLA) medical services complex. "Bear in mind that privacy protection has been part of nursing practice for a long time, and now the privacy rule has been with us for six years. The pendulum is swinging from a time when the interpretation was extremely rule-bound to one where professional judgment is supported."



Protection of patients' privacy and the confidentiality of their medical information has long been a tenet of nursing ethics and practice. It's a central theme of the Nightingale Pledge, and the American Nurses Association's Code of Ethics for Nurses says in provision 3.1, in part, "The need for health caredoes not justify unwanted intrusion into the patient's life." Provision 3.2 notes that "the patient's well-being could be jeopardized and the fundamental trust between patient and nurse destroyed by unnecessary access to data or by the inappropriate disclosure of identifiable patient information."


The words unnecessary and inappropriate acknowledge that sometimes it is necessary and appropriate to disclose information. In writing HIPAA, Congress recognized this, too, as did the DHHS when it promulgated the privacy rule. Unfortunately, the rule's "real world" provisions were largely overlooked at first.


This was the result of both the DHHS's emphasis on compliance and the way hospital lawyers and risk managers interpreted the law (see "HIPAA and Talking with Family Caregivers," August 2006, for more). With legal teams worried about fines and criminal prosecution, the early HIPAA-mandated training sessions for staff enumerated far more don'ts than dos.


Adding to the confusion was the absence of efforts to teach the public about the law and what it requires of health care organizations, leading to upsetting and sometimes acrimonious exchanges between clinical staff and patients' bewildered family members or friends.


"In the beginning, we got stuck in the middle between following the regulations in a pretty rigid way and the public not knowing anything about them," recalls Mary Anne Gallagher, MA, RNC, clinical director of nursing at Montefiore Medical Center in Bronx, New York. "I work in maternity. So, for example, you'd get family-grandmothers-calling up and asking about whether the baby was born yet, and you had to say, 'I'm sorry, I'm not authorized to talk to you about that.'"



Such incidents didn't go unnoticed at the DHHS, which responded with improved professional and consumer education and a more user-friendly Web site designed to clarify the law's provisions.


"The privacy rule gives patients an array of rights regarding the use and disclosure of personal health information, but it also provides for flexibility for health care professionals to carry out their clinical roles," a staff attorney explained. "The privacy rule was never intended to interfere with care or with how medical professionals provide that care or how they communicate with patients or caregivers." In another effort to clarify matters, the DHHS began posting updates to the Web site when unusual events raised compliance issues for health care organizations and providers, such as following Hurricane Katrina in 2005.


The thinking of health care organizations has also evolved. The earlier emphasis on avoiding the law's punitive measures has given way to a more balanced approach that recognizes the role of professional judgment in safeguarding patients' best interests. In UCLA's clinical departments, for example, faculty and staff are instructed to take "reasonable precautions" to protect privacy, but not at the expense of timely and appropriate medical care or in a manner that unnecessarily burdens patients with completing legal forms and procedures.


"We emphasize that when you're having a conversation about a patient, speak quietly and be aware of who's near enough to overhear,' says Klove. "We generally ask visitors to step outside the patient's room, but if the patient says, 'No, no, this is my neighbor and she knows everything and I want her to stay," that's fine. We don't ask the patient to put this in writing-verbal direction is sufficient-but we do encourage staff to document the conversation in a clinical note."



For all the dust HIPAA's introduction kicked up, the law is gaining fans among nurses. Cory Sevin, MSN, RN, a director for the Cambridge, Massachusetts-based Institute for Healthcare Improvement, believes it's helped to spotlight areas where nurses and others were being insufficiently careful about patient privacy and to encourage systematic thinking about safeguards.


"HIPAA provides a framework for professional discussions about privacy and also for discussions with patients about their privacy rights," says Sevin. Recalling her early HIPAA experience as a nurse administrator, she says, "Once we were confronted with the mandates, we realized we had to develop tighter controls on our medical records, for example, because we really didn't have a good way of discarding them-they were just shoved in a storage shed. And we were forced to deal with ongoing issues that had to do with staff having inappropriate access to the records of people they knew."


Sevin now works on projects that will improve health care quality by instituting innovations in nursing practice. In every one of these initiatives, she says, HIPAA has come into play, providing a jumping-off point for valuable discussions on the effect proposed changes in clinical procedures will have on patient privacy.


Sometimes that amounts to having a well-timed conversation with the patient that, pre-HIPAA, probably would have taken place only if a problem arose. Gallagher believes HIPAA has systematized and improved communication with patients over all. At Montefiore, nurses sit down with patients at admission to discuss in advance of surgery or other treatment whom they want their medical information to be shared with.


"In a way, it ends up benefiting us, too, because it protects the nurses from getting drawn into family dynamics," Gallagher says. "The family still might argue, but the nurse has been instructed by the patient whom to share the information with."


Similarly, when a nurse suspects that a patient has been abused or is intimidated by the presence of a family member or acquaintance, HIPAA is a handy tool for excluding that visitor from the patient's room. Under other conditions, it protects clinicians who decide what information to share with a family member or caregiver if the patient is unconscious or unable to understand discharge or other instructions.


"When HIPAA first came out, it was a big to-do, and there was all this stuff about government mandates and fines and criminal prosecution," says Gallagher. "But now we're seeing this as helpful and exactly what nurses have been concerned about all along."


Irene M. Wielawski