February 6, 2003
Training under way to comply with April date for federal HIPAA rules
Training is now taking place at UW Medical Center, Harborview Medical Center, and in other units to make sure that UW operations will comply with federally mandated privacy rules slated to go into effect on April 14, 2003.
These new rules, finalized just last August, were required by the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA.
The regulation affects the security of systems on which patient data is stored, protections for the privacy of personal health records, and also the requirements for safeguarding individually identifiable health information, also called protected health information (PHI) under HIPAA.
Richard Meeks, HIPAA program manager for UW Medicine, which includes both medical centers and other patient care units, noted that many of the provisions included in the HIPAA rules are already in effect under Washington state law. While there will be some changes and new procedures, Meeks noted that his program is integrating the new requirements with current processes.
One visible addition will be a new brochure that all first-time patients receive, outlining their privacy rights and describing how UW Medicine uses their health information. The five fundamental patient rights, many already covered by state law, are:
—the right to file a complaint
—the right to have access to the medical record
—the right to have the record amended
—the right to an account of any disclosures
—the right to receive confidential information (for example, asking information to be sent to another address)
Health care providers and systems are, of course, still able to use individually identifiable information for treatment, payment and health care operations, such as risk management and quality assurance.
“Most of the issues we have been working on arise when individual information is conveyed outside the UW Medicine system,” Meeks said. “We are looking at such things as information for public health programs and trauma registries, or even record reviews by professional organizations. In some cases we may need to change our practice.”
Some research work will also be affected by the new requirements. Along with tightening up security on computer systems housing PHI, Meeks and colleagues are working with the Human Subjects Division of the Office of Grants and Contracts to integrate the new rules into existing procedures for approving applications. There is a transition period allowed, Meeks noted, so that existing, ongoing projects will have time to adjust.
Training, using both classes and Web-based training sessions, has already begun at UW Medical Center and Harborview Medical Center. Other units, including the Neighborhood Clinics, are also being trained. The Web-based training is set up by unit, with each trainee getting an individual user ID so that it’s possible to keep track of who has completed the work.
Meeks noted that the law requires training of an institution’s entire “workforce,” so volunteers and students, as well as regular employees, are required to complete the training.
For the UW Medicine system as a whole, John Coulter, associate vice president for medical affairs and executive director of health sciences administration, is designated as the “privacy officer.”
At UW Medical Center, Theresa Bervell is the privacy coordinator. She can be reached at 206-598-4342.
At Harborview, Ellen Rubin is the privacy coordinator and can be reached at 206-731-6048.
Meeks, the overall program manager, works out of the Northgate-area UW Medicine Information Technology Services office. He can be reached at 206-543-0300 or by e-mail at meeksr@u.washington.edu
The UW HIPAA Web site, which includes the entire list of privacy practices for the UW Medicine system and other information on requirements, is at http://home.mcis.washington.edu
