Articles: Security, Feb. 2003
HIPAA speech privacy rules should protect patients and
their personal health information.
By Patrice Walker, JD
Federal and state mandates for
protecting oral privacy will clearly have an impact
on health care facility design practices. With an April
14, 2003 deadline for HIPAA (Health Insurance Portability
and Accountability Act) compliance, many hospitals,
pharmacies, clearinghouses, physician offices, medical
bases, life insurers, information systems vendors, and
other related health care facilities are scrambling
to find ways to meet the new patient privacy guidelines
to safeguard personal health information.
What's HIPAA?
In 1996, Congress passed HIPAA.
A portion of that legislation mandated the development
of rules to protect the privacy of patient medical information. In
response, the U.S. Department of Health and Human Services
(HHS) issued extensive regulations. For the most part,
those regulations take effect this year.
Although HIPAA was primarily
concerned with protecting electronically transmitted
health information, the HHS regulations cover "oral"
communications as well. Because violations of the HIPAA
regulations can result in fines of hundreds of thousands
of dollars and possible prison terms, facility managers
need to know how HIPAA affects their work.
What Does HIPAA Cover?
The privacy regulations govern
health care providers, plans, and clearinghouses that
electronically transmit protected medical information.
Most of these transmissions are for billing purposes
to health insurance companies, Medicare, and Medicaid.
The regulations also cover
business associates of health care professionals, including
attorneys, accountants, peer review organizations, and
medical records copying services. HIPAA also applies
to health care records in clinics maintained by employers,
universities, and others.
The regulations protect "individually
identifiable health information" and related financial
information. Medical records, billing records, and health
insurance reports are all covered.
HIPAA's Requirements
The HIPAA regulations and the
guidance to those regulations published by HHS and the
Office for Civil Rights (OCR) are extraordinarily complex
and all encompassing. Generally, they require medical
and related financial information to be treated confidentially.
In most cases, patients have
the right to review medical records and demand corrections
of inaccuracies. Covered entities must designate a privacy
official, train staff, record disclosures, and discipline
employees who violate confidentiality requirements.
Once an entity is subject to
the HIPAA regulations, those rules apply to oral communications
of protected information. For example, if two physicians
discuss a patient's condition in a hospital elevator,
that conversation is governed by HIPAA. If a clinic
receptionist calls out a patient's name and indicates
a patient's medical condition or other medical information
in a waiting room, HIPAA comes into play. If two patients
share a room and can hear conversations concerning each
other's condition, HIPAA applies. If a pharmacist answers
a customer's questions about a medication in the presence
of others, HIPAA covers the interaction.
HHS amended the privacy rules
in August 2002, partly in an effort to clarify the oral
communication provisions. OCR, which is charged with enforcing
the privacy rules, published guidance on December 3, 2002
that further explains the oral communication language of the rules.
New Regulation
The new rules explicitly permit
"incidental uses" of protected information. HHS says
an "incidental use" is one that:
1. Cannot reasonably be prevented;
2. Is limited in nature; and
3. Is a by-product of an otherwise
permitted use.
HHS allows incidental uses
only to the extent that the covered entity has applied
"reasonable safeguards" and implements a "minimum necessary
standard" where applicable.
One key question is how HHS
will define "reasonable safeguards." In the guidance,
OCR states that soundproofing is not required. OCR suggests
that providers "speak quietly" and "avoid using patients'
names" to meet the requirement. HHS says a pharmacy can
paint a line on the floor away from the pharmacy counter
for customers to stand behind while the pharmacist answers
a patient's questions.
These simple measures do not
account for uncontrolled variables and may not be enough
to provide consistent protection of personal health
information. This may leave covered entities exposed
to liability. However, common sense approaches, such
as sound masking and acoustical ceiling tiles, can help
address speech privacy issues.
Consider the impact on a hospital
that employs 1,000 people on an eight-hour shift. Assume
that each of those 1,000 employees has at least five discussions
about particular patients during each hour worked.
In that one hospital, during that one shift, HIPAA will
govern 40,000 conversations (1,000 employees x 5 conversations
x 8 hours). The hospital, during that one shift, will have
40,000 opportunities to violate the privacy regulations.
Over three shifts in one day, there will be 120,000 covered
conversations.
There are understandable limits
to these common sense approaches. Avoiding the use of
a patient's name may well contribute to costly medical
mistakes. Speaking quietly to a patient won't work when
the patient is hearing impaired.
Moreover, how will individuals
know if their particular conversational tone is quiet
enough on a day-to-day basis? How will a provider be
able to prove how loudly he or she spoke on a given
occasion if HHS decides to prosecute? With this kind
of exposure, a comprehensive overall privacy plan should
be instituted.
Guidelines
Without stringent guidelines
or publicly outlined practices for safeguarding personal
health information, companies are relying on previously
established standards to show they are providing solutions
that are "reasonable." In determining whether a facility
has taken precautions to avoid having conversations
overheard, HHS says it will look to what other "prudent"
providers are doing to protect confidentiality.
Complying with the oral privacy
rules will require a team approach for most facilities.
Facility management, human resources, records management,
legal counsel, the appointed privacy officer, and outside
experts in the field of sound management should be included
on the team.
1. All personnel will need
to be trained concerning the oral privacy rules. Tell
employees that the privacy rule covers what they say
as well as what they do.
To capture the employee's attention,
managers must stress the severity of the federal penalties
and explain that the facility must discipline any employee
who violates the privacy rule. Be specific about the
disciplinary actions that will be taken when an employee
violates the rule. Raise employee awareness of areas
in the facility where conversations can be overheard.
Discuss the need to control the volume of conversations.
Give employees concrete examples of how they must limit
discussions that can be overheard.
2. Make a list and map of the
areas in the facility where conversations can be overheard.
Waiting rooms, hallways, cafeterias, elevators, emergency
rooms, and semi-private patient rooms should be on the
list. Go into other areas of the facility and check
whether conversations can be overheard in adjoining
areas. If the facility has an at-risk area, for example
a clerk who discusses patient information at a desk where
others can hear, consider options that will reduce
confidentiality breaches. First, can the clerk be moved
to a more secure area? If not, are there changes that will
reduce opportunities for these conversations to be overheard?
Otherwise, instruct the clerk to speak in a tone that is not
likely to be overheard, and give the clerk suggestions on ways
to communicate the needed information without revealing
confidential data.
3. Consider what steps have
already been taken in other areas to increase security
for oral communications and determine whether those
practices can be applied in the at-risk areas that have
been identified.
4. Even before HIPAA, the courts
have held that certain types of information are especially
sensitive and must be treated with the highest concern
for privacy. Consult with colleagues who manage facilities
that commonly handle such information to determine the
steps they have taken to protect confidentiality.
Consider solutions that already
meet ASTM standards for speech privacy. These
industry-accepted, defined measurements can substantiate
compliance efforts if they are later questioned.
5. Consult colleagues who manage
facilities similar in size and function to brainstorm
about effective privacy protection measures. Remember,
HHS says a facility will be judged according to what
other similar facilities have done.
6. Consult with experts in
the field of sound control to determine what is available
to help control sound. It is especially important to
consider privacy concerns when planning new construction.
Architects, contractors, and others should be made aware
of the oral communications provisions of the privacy
rule. Investigate the mandate by searching the Web and
downloading information on HIPAA oral privacy.
Unfortunately, the HHS response
to requests for clarification of the provisions uses
vague terminology and suggests compliance mechanisms
that are unrealistic in practice. Several lawsuits have
already been filed to challenge the privacy regulations.
It will be some time before
facility professionals will know exactly how to comply
with the rules governing oral communications. In the
interim, managers must turn to colleagues and industry
professionals for networking ideas and potential solutions.