Reasonable Safeguards

October 1, 2002

HIPAA allows for some incidental violations of patient privacy. Get the scoop.

It's a scene that occurs daily in physician practices: a patient arrives at the front desk to check in and is asked by the receptionist the reason for her visit. She tries to keep her voice low as she mutters "mysterious rash," and hopes the patients waiting behind her don't overhear.

But let's face it: it's quite possible everyone heard. Under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) -- regulations that take effect April 14, 2003 -- such a scenario counts as an "incidental" disclosure of that patient's medical information. In other words, an exposure that occurs as a by-product of an otherwise permitted activity (checking the patient in), not a deliberate release of her records.

Under the rules, patient information is supposed to be kept out of the hands of those who don't need to know. In reality, there's no way to prevent every overheard whisper, every innocent mistake. There are so many moving parts in a typical physician practice -- too many people in close quarters, too many forms of sometimes-imperfect communication -- that incidental exposures are inevitable.

"It's impossible to make sure this information is always protected," says Nick Zerbi, an attorney heading up HIPAA efforts for the law firm Polsinelli, Shalton & Welte in Kansas City, repeating a refrain he's heard time and again from his clients.

Overheard telephone conversations, not-so-private consultations between doctors and patients and their families, sign-in sheets that ask for more than patients' names, and dozens of other seemingly innocuous disclosures are commonplace at many busy practices.

The good news: the federal government seems to have figured this out, which is why the Privacy Rule permits such incidental disclosures, as long as the provider has "reasonable safeguards" in place to keep them to a minimum and limits what is used or disclosed to the minimum necessary for the task at hand. The exception covers only disclosures that arise from an activity the rule already permits; it does not excuse a disclosure that was improper to begin with.

Vague language gives leeway

Yet even that concession has some practice managers wondering: What the heck is a reasonable safeguard, anyway? Are soundproof examining rooms the government's idea of reasonable? What about expensive encryption technologies aimed at keeping expert hackers out of computer-stored information? Are practices expected to anticipate every conceivable security breach and spend money to patch it?

In its guidance, the Department of Health and Human Services (DHHS) specifically addresses some of those concerns, saying it isn't necessary for medical offices to be "retrofitted" with private rooms or soundproof walls, and that the agency does "not expect reasonable safeguards to guarantee the privacy of [information] from any and all potential risks." Responding to frequently asked questions on its HIPAA compliance Web site (http://aspe.hhs.gov/admnsimp), DHHS promises to consider "all the circumstances" when applying the reasonable standard, including "the financial and administrative burden of any safeguards."

Still, the legal language is intended to be vague. "Reasonable" is a fairly common term in HIPAA and other laws, one that's meant to be flexible without being meaningless, according to HIPAA legal experts polled by Physicians Practice. The government is likely to interpret the provision in HIPAA with a presumption of leniency, the lawyers say, employing the same standard that's typically applied in determining reasonableness in other legal settings -- that is, if others in more or less the same boat are doing it, it's probably reasonable.

"There is no black and white definition of reasonableness," says Eve Horwitz, a solo healthcare lawyer in Lexington, Mass. "It's determined on a case-by-case basis." Indeed, says Michael Corta, a senior associate with Greenberg Traurig, a Boston law firm, "because it's such a loosey-goosey term, it's intended to allow providers the flexibility to [decide] for themselves what the reasonable safeguards are."

But the provision is meant to give healthcare providers leeway, not a free pass. That being the case, there are several guidelines physicians and practice managers should keep in mind before they consider themselves off the reasonable safeguard hook.
 
Look at your peers

Remember, the simplest gauge for determining "reasonableness" is whether other practices, similar to yours in size and revenue, are doing the same things. Legal experts agree: what's reasonable for a major hospital chain isn't the same as what's reasonable for a mid-sized multispecialty group or even a solo practitioner in a low-income area.

For example, lawyer John R. Christiansen has a large hospital client that spent thousands printing cards and placards reminding staff to be careful about where they discuss patient care, and then placed those materials strategically throughout the facility. The hospital also bought an expensive digital record management system.

"I wouldn't consider [things] like that necessary" to meet the reasonable standard for a medical practice, says Christiansen, of the Seattle law firm Preston, Gates and Ellis. But simpler, cheaper steps probably are necessary. Many such measures are common sense and may be accomplished without spending any money -- or very little. Start by asking your colleagues what they're doing, and consider whether you need to make the same changes.

Self-evaluate

Having a broad perspective is important, but there's nothing like good, honest self-evaluation to find genuine gaps -- not just potential legal problems -- in your privacy practices. So, walk through your practice and put yourself in your patients' shoes.

"For a small practice, it's a question of taking an objective view of the office," says Horwitz. "Try to be objective as you do your walk-through; see it as a patient would see it." Make sure you conduct your walk-through during business hours, while patients are there. Wear plain clothes to blend in. Can you hear private patient matters being discussed in the office corridors? You may need to have a conversation with the booming-voiced radiologist about his volume, for example.

"It sounds funny to have to have a policy that says 'speak softly,' but you should" when patient matters are being discussed, says Zerbi.

On your walk-through, do you see individuals' medical records strewn about, or private information in faxes sitting in plain view? Don't overlook the importance of the physical placement of any device -- be it the fax machine, telephone, or computers -- where visitors might be able to see or hear things they shouldn't.

Next, step back into your role as physician or practice manager, and walk through your back offices. Scrutinize the care with which patient files are handled. Do your file cabinets lock -- and are they kept locked?

By doing the walk-through objectively, Horwitz says, practices can "be their own consultants," rather than hiring expensive experts to do the leg work for them.

Watch electronic communications

How often do staff members change their computer passwords? Have they ever? Basic password discipline -- each user on an individual account rather than a shared office login, passwords that are not written on a note beside the monitor or handed around the front desk, and passwords that are changed whenever there is reason to think they have been exposed -- is fundamental to securing information stored electronically. As more information moves onto computers, the need to keep it safe increases.

In seminar presentations, Christiansen says he frequently asks physicians to raise their hands if they make a habit of changing their passwords. "It consistently amazes me how infrequently" most physicians bother to take the simple step, he says, or to instruct their staff to do the same. He advises practices to have an explicit policy governing the changing of computer passwords by physicians and staff -- at least three or four times a year.

For practices that maintain a lot of patient-specific information electronically, including medical records and account information (or expect to in the future), it may be a good idea to lease access to an Internet-based information management system. It's usually cheaper than hiring technologists to build a custom system, and the Web-based solutions come with their own security -- though frequent password changing is still advisable. Keep in mind that outsourcing the storage does not outsource the responsibility: a vendor that stores or handles patient information on the practice's behalf is a "business associate" under the Privacy Rule, and the practice needs a written contract obligating the vendor to protect that information.

Yet it is more than the mere digital storage of patient files that must be protected; it's also the electronic communication of information. Telephones, voice mail, fax machines, and e-mail all present complications because it's impossible to know for sure that messages left through these methods are being received only by the intended party.

"The important thing to remember is to watch where the health information is flowing," says Cheryl Camin, an associate with the law firm Gardere, Wynne and Sewell in Dallas. "You have to make sure that whoever touches this information is authorized."

That becomes more difficult when communicating with patients indirectly, through any means other than in person or in a live phone call. Practices should keep in mind the possibility of indirect messages reaching someone other than the patient. Think twice before leaving a message with an office receptionist -- even if you think it is vaguely worded.

The same goes for messages left on a home answering machine or office voice mail. The message at home could be played by family members or a roommate, and employers generally may monitor voice mail and e-mail on systems they own. When a message must be left, limit it to what the patient needs in order to call back -- typically the practice's name and a return number -- rather than test results, diagnoses, or the reason for the call.

"You have to be very careful with contact into family situations," Christiansen says. "Not that you can't do it, but you have to be cautious. It's the same with calling into someone's office. They might not have told anyone [about their condition], they may not want anyone to know, and you have to be very sensitive to that."

Put it in writing

If you don't yet have a HIPAA compliance plan in writing, you should create one -- and soon. In it, include your office's policies on privacy, and make sure everyone -- from the front-desk receptionist to your most senior physician -- has a copy, and knows what it says.

"The only thing you can do is develop a compliance program, where [employees] know what the rules are, they know what the consequences are of breaking them, and there is some kind of review and audit process to ensure they're being followed," says Corta.

Government investigators looking into a privacy complaint want to know whether the practice's managers are taking the issue seriously. The very existence of such a written policy goes a long way, though not all the way, toward making the case that you had considered the incidental exposure problem and acted to address it. The policy should spell out sanctions for employees who break the rules, and those sanctions should be applied and documented when they are.

The policy "doesn't have to be very long, but it should be clear and everyone should know about it," says Christiansen. "I always want my clients to document why they made a decision, in case I have to defend it."

Perhaps most important is not to panic. Lawyers agree the reasonable safeguard rule won't be applied in a draconian manner; in fact, they say it might be the easiest provision within HIPAA to comply with because it requires mainly that healthcare providers use common sense and follow each other's lead.

"There's good news: the rules aren't as burdensome as they might seem," says Zerbi. "But you have to be aware of them."

Bob Keaveney, associate editor for Physicians Practice, can be reached at bkeaveney@physicianspractice.com.

This article originally appeared in the October 2002 issue of Physicians Practice.