KDMC: Privacy rules pass test
Federal regulations designed to protect patients’ privacy inhospitals were tested during this winter’s influenza outbreak, buthospital officials here said the system performed well.
Hospitals were able to release the necessary information to thepublic to make them aware of the threat without compromising theprivacy of their patients, according to Cathy Bridge, risk managerand infection control practitioner at King’s Daughters MedicalCenter.
The federal Health Insurance Portability and Accountability Act(HIPAA), which took effect in April, 2003, requires healthproviders, insurance companies and pharmacies to limit disclosuresof patient medical information.
The flu outbreak, which began in October, was the first majortest of the HIPAA rules in how those limiting factors would affectthe medical profession’s ability to warn the public of a potentialdanger.
According to Bridge, HIPAA rules simply made law rules mosteveryone in the medical profession already followed.
“We could release some information. We just could not, nor couldwe ever, release patient information,” Bridge said.
Information the hospital could release included the number ofcases being seen and their severity, she said. Information thehospital would not release includes personal information, such aspatients names, ages or condition.
“But I wouldn’t have given anyone that information 10 or even 20years ago,” she said. “What was once considered professionalethics, HIPAA has made federal law.”
HIPAA has not changed how KDMC reacts to an emergency situation,Bridge said. The hospital is required by law to report on a largelist of specified illnesses or injuries to the health departmentwhen they encounter them.
It is the role of the state health department to warn thecommunity of any potential threats, she said.
“HIPAA hasn’t changed what we would do as a medical facility,”she said. “We want to be cooperative, but we feel that any issuethat could possibly affect the community needs to be addressed bythe proper agency.
“Our goal,” she continued, “is to protect the privacy of ourpatients. We rely on our local health department to communicate anyhealth issues affecting the community at their discretion.”
At the height of the flu outbreak, Bridge said, the healthdepartment did add influenza to its list of reportable diseases andviruses and the hospital participated in reporting its cases.
Influenza is still a reportable virus, but she did not expect itto remain on the list very long.
“I don’t expect it to be added permanently to the report listbecause it’s such a common illness,” she said. “This year wasdifferent because it was a different variant strain of the flu andthe season started much earlier than expected.”
Other states, however, are having difficulty navigating theletter of the law, according to The Associated Press.
When Arkansas announced three flu deaths in December, the statewould not say whether the victims were young.
Previously, Colorado had already reported it had six deaths andthey were all children. The Colorado cases first raised questionsabout whether this year’s flu strain was especially hard on theyoung.
In that regard, whether the Arkansas deaths were children oradults was believed to be important. Eventually, and afterconsulting with lawyers, Arkansas reported they were adults.
Most states, including Mississippi, have taken the position thatthe public is helped by the release of more information, however,and have begun releasing such information as risk factors and howwidespread the threat is.
Navigating the letter of the law and intent with HIPAA is aserious matter for medical professionals. A potential $10,000 finewas imposed by Congress for violations of HIPAA’s rules.
Those fines can be levied at the institutional and/or individuallevel, which means even a nurse or office worker at a medicalfacility who discloses too much information can be hit with anindividual fine.
“You have to be careful what you disclose,” Bridge said, “butthat’s no different from the way it’s always been.”