HIPAA REGULATIONS ON PRIVACY
Association of American Physicians and Surgeons Spring Meeting, Chicago, Illinois, June 2, 2001
Donna Boswell, Esq., Ph.D.
[Donna Boswell is a partner in the Health Group's Washington, D.C., office of Hogan and Hartson LLP. Her practice focuses on compliance with various federal and state statutes, including confidentiality laws and reimbursement issues. She has represented clients' interests in administrative proceedings before various agencies, and has drafted comprehensive legislation as well as amendments to Medicare, Medicaid, and other health care bills. A former Wesleyan University professor of psychology and philosophy of science, she is a member of the American Health Lawyers Association and the Scientific Research Society of North America.]
I practice health care law. I don't sue doctors or even defend doctors. I actually try to help people comply with these ridiculous third-party coverage rules and make sure that people get paid for the services that they have actually rendered.
How many of you have heard of HIPAA [the Health Insurance Portability and Accountability Act of 1996 or Kassebaum-Kennedy]? Oh good, excellent. And everybody is up with the fact that it has two A's rather than two P's. Part of HIPAA has to do with transactions as well as privacy.
The HIPAA statute, and the regulations and the guidance that have started coming out, are so voluminous and so complex it is going to make Medicare look like child's play. So get ready.
Before I begin, I want to ask some questions that are designed to make sure that you need to know about this. Let's see whether these regulations are going to apply to you. If we can identify you as a person that falls outside the boundary, you can take another hour to go enjoy something different.
Is there anybody who has absolutely zero third party payment-absolutely zero? Okay, a couple. Everybody else is in. Of those people who have zero-I mean zero-no Medicare, no Medicaid, no nothing, right? No VA? No VA reimbursement? No relationships with DOD? No Tri-Care people? No folks in Champus? Right? No relationships with hospitals that require you to communicate electronically? No relationships with laboratories or pharmacies that require any kind of electronic communications back and forth? That's the only people that are outside the scope of these new regulations.
Now, any one claim-any one, and you're in for everything. Again, any one and you are in for everything. No, it was not enacted in order to boost your membership or the adherence of your members to your principles, but any one claim and you're in. You become what's called, in the parlance of HIPAA, a “covered health care provider,” meaning that you engage in the transactions that are regulated by HIPAA.
The HIPAA piece has actually five different sets of requirements. And the reason that I decided not to give you all of the handouts is because many of you are not going to care about some of them, right? There are five different sets of requirements for claims that go to any third party payers to get reimbursed. These include transaction standards, code sets, electronic signatures, security standards, and privacy.
The new vernacular for people who sell you physician office management software or the new hardware systems, or billing services or repricing services, or any kind of clearing house services, is “HIPAA compliant.” But there are five different HIPAAs, and some of them that are saying “HIPAA compliant” are only compliant with one of them. So this is a prime time to avoid being a sucker, because they will say “HIPAA compliant” while only meeting the easiest part of the standards, not the others that are harder. For example, the transaction standards merely refer to the format in which the electronic claim is transmitted over the wires. It doesn't refer to the standard code sets-using the right ICD-9's, and the right CPT codes to describe what was actually performed. So if you buy a new office system that also lets you send electronic claims, and it says “HIPAA compliant,” it may very well only mean the telecommunications format, not the billing or all the other stuff that your first speaker this morning was talking about, which is also going to have to be in HIPAA-compliant format. And almost none of them are referring at all to the privacy requirements, which I want to spend some considerable time on because that is where you are going to have some interesting issues.
Just so we're clear how important it is, if you are in, if you are a covered health care provider, as of August 16, 2002, any electronic transactions you send, with respect to both the form of the transaction, format, the medical code sets, and the medical content, have to be in standard form. So all of the systems that you currently have got, all of the arrangements that you currently have for sending your payment claims electronically, are going to be changed in order to be in “standard format.” Failure to do so means an annual penalty up to $25,000 for each requirement that's violated. No intent, no knowledge required: $25,000 just for not being in standard format.
Well, you say, do I have to send it electronically? What if I stay with the paper format? Well, you could stay with a purely paper format except that the health plans are being required to use the standard forms, and as a result they may very well change all of their systems in the meantime because they too are subject to the penalties for failure to use standard format. So they may very well be telling you that all of their instructions are going to change, and that all of the ways that your office manager knows about how to code claims even on paper are also going to change.
You may say, “Well, I am never going to use any kind of electronic claims processing service at all in my office-I am a purely paper office.” Well, if you use a third-party billing service that uses electronics to send your tape at the end of the day, and/or if they report back to you in electronic format, downloading into your physician office management system, you are still in. They've got you coming and going every which way.
(Q) What sort of grace period will there be beyond August of 2002?
(A) There is no grace. This is the government, not church. There is no grace. Do you like it? There is no grace.
Now the interesting thing is, when the Bush Administration came in, they said they were going to be all better and friendlier and so forth, but the only place where they have allocated new employees to be hired is in a particular office that will have responsibility for enforcing this rule. They have new full-time-equivalent employees, Federal employees, dedicated to enforcing this rule, not the whole fraud and abuse and everything else on top, but this particular rule.
Will they go after docs first? Probably not, right? They are probably going to go after the big clearing houses and billing services and pricing services and hopefully some of the big payers that are going to be slow-moving but excellent targets-because one reading of the penalty says that the government can go after each transaction they process. But there is no grace period.
So expect a lot of discussion about the HIPAA transaction rules-not the privacy rules, the transaction rules-as we get the run up to next August 16th. That means between now and 2002, look at your contracts with your billing services or with your physician office management system or with the folks that provide you with software service. If they are coming up for renewal you want to start being really hard-nosed about what they are going to do about making their systems compliant with the HIPAA transaction and code set formats.
If you are not interested in replacing your own systems, you are able to comply by contracting with a new kind of entity. It is called a HIPAA clearing house-a clearing house that does nothing but translate non-standard formats into standard formats. This is an entity that is going to have a very short commercial life. The goal of these HIPAA standard formats is to completely get rid of, for the physician community, all of the different proprietary code sets that all of the different payers have. There is one for Medicare, one for Aetna, one for Kaiser, one for United. All of the plans have to have gotten rid of their proprietary formats by August 16, 2002, but as they are making their transitions, you can use a clearing house to do the translation. By the way, the business of the standard claims clearing houses disappears once everybody converts to standard format. The only reason that places like Envoy and NDC and some of the others exist now, besides just doing the telecommunications routing of electronic claims, is to convert all of your office claims into the proprietary formats of all of the different health plans. So once everybody is on the same wavelength with respect to what codes are to be used for what kinds of procedures, they won't need to be in existence. So they are going to make a little money over the next couple of years as everybody needs to do the translations, and then they will go away.
By the way, thank you for asking the question. All of this stuff is such gobbledy gook that if you don't ask questions as they occur to you, there just won't be any questions left at the end. It's too hard to keep them in your mind.
(Q) Has the time run out for Congress to overrule this?
(A) Congress would have to enact a new law to repeal this law. This law was enacted in 1996, and it's there. It can't go away without Congress actually enacting a new law, so there is no time left without official action.
The transactions for which there are going to be standard forms are claims for payment, referrals, requests for prior authorization or certification for admission to hospitals, and referrals from one doctor to the other through the health plan. There will be a standard format that your office manager can use to see why the health plan hasn't paid you. There will be a new standard format for them to send remittance advice to you, to let you know what has been paid and what has been denied so that eventually, eventually, those of you that still have relationships with payers will get a much more organized set of books back from the health plans. You will be able to compare what Aetna paid with what United paid with what Medicare paid with what Medicaid paid and so on. This theoretically simplifies the whole works.
The only thing that is in standard format right now, that has been issued by the Secretary of Health and Human Services, is the little electronic format piece which you will need a technical person to help you put in place, or at least I will. I had one of my colleagues print it out. I said I want to see what it looks like. It was on this website, available for everyone to print out. It completely jammed the whole law firm's computer system because it was so huge-it was gargantuan. So I am saying get a techie for that. It's not a lawyer or a doctor thing to do; it's all this gobbledy gook, and I didn't take engineering, and definitely not computer engineering.
Then there are the code sets. The standard code sets that have been chosen for coding medical content are the ICD-9 codes for diagnoses and prevention. There are CPT codes for physician services, a set of NDC codes if you are prescribing drugs or submitting them to the pharmacy in a prescription format, codes for dentists, and so forth. There are codes issued by Medicare for home care items and durable equipment. It is all just technical junk. One more set of giant amounts of paperwork that the government is imposing. There is a rigorous time table, but none of it should actually reform the way you practice medicine. It should reform the way you bill third-party payers, but it should not reform the way you practice medicine.
You ask, what is this woman talking about, reforming the way I practice medicine? Who on earth would imagine that the government would decide to tell me how to practice medicine? And then we get to the privacy rule. This rule goes into effect in April, 2003.
Any one electronic claim and you are covered by the new medical privacy rule, and it does reform the way you practice medicine. It completely changes, as a matter of law, the requirements that must be put in place for you to interact with your patients and for you to keep your own medical records-not just electronic records, paper records as well. Any medical or billing records that you maintain-paper, electronic, tape recorded, dictated, any form in which you maintain them-are governed by the new Federal Medical Privacy Regulation.
You may well say, “I am in favor of medical privacy, I promise my patients all kinds of privacy, I believe in privacy,” and it's very true. The profession has prided itself on privacy and an ability to keep its patients' confidences, but the new Federal law does some very interesting things.
The first thing it does for you is to say that before you can use or disclose any patient medical information to provide that patient with medical care-they may tell you something but before you may use it, right?-you must have them sign a written consent in the form prescribed by Federal law. This written consent has to be a consent to use and disclose health information for treatment, payment, and health care operations, if you are using it for those things. Otherwise, you will be in violation of the Federal law if you use the information you have.
Suppose that Physician A refers a patient to Physician B, and in the course of making the referral sends over information that he obtained with the patient's consent under the right form. Physician B may look at the information and may have it in his file but may not use it until the patient comes in and signs the new form.
Suppose that Physician B, to whom the patient has been referred, gets a call from the patient who says, “Dr. A sent me over to see you, do you think that I will need to bring anything, do you think I need to do anything, do I need to fast, before I come to your office for this specialty care?” You know what? It would be a violation of the law for the physician who received the referral to use the information in the chart that has been sent, even to help the patient know what he or she should do before coming in for care. It's a violation of the law.
Now, it's a civil violation, $500 per incident-small potatoes, right? But if the patient for some reason decided that that was a real big problem for her-say the patient was one of these folks who just loves to sue or, God forbid, somebody who was part of a class action to test whether or not physicians are complying with the new law-that little act of using information that had been lawfully sent from one physician to the next, without having a new signed form in the office of the physician who received it before using the information, is subject to criminal penalties. Go to jail for one year, pay a $100,000 fine for each patient with whom this occurs.
(Q) Has the government also provided these standardized forms?
(A) The forms are going to be very straightforward; however, it's easy to get tripped up in the forms. For example, it can't be on the same form that you routinely use to ask your patient to consent to treatment. Most of you have forms that you use when you first see a patient. It can't be in that form. It can't be an add-on to that form. You probably have some form that you copied from somebody when you first set up your practice, which says “I hereby authorize Dr. So-and-so to give me treatment and to disclose my information for payment,” something like that. Again, the use-and-disclose-information part can't be in the same form that authorizes treatment. So the first thing you have to do is to get rid of the existing forms. Your consent-to-treatment form has to be cleaned up so that it doesn't mention any disclosure. You have to have a new form, a simple form, that authorizes Dr. So-and-so to use and disclose my information for treatment, payment and health care operations. If it doesn't have all three-use and disclose for treatment, payment, and health care ops-then you are in the catch 22 again.
(Q) So if I as a radiologist get a referral from my colleague here for say a barium enema examination, and the patient calls in, I cannot tell him anything about the prep until he has already come in and signed the form in my office?
(A) There is an exception for certain kinds of physicians who do not have a direct treatment relationship with the patient, and I believe I remember that radiologists are in that category, so you are blessed in that you can actually talk to the patient without the form being signed. But if you're another type of specialist, you've got to have the form signed.
Think about your pharmacist. You called in the prescription, right? Not a problem, you had authorization.
Now the patient calls the pharmacy and asks, “Is my prescription ready?”
The pharmacist must say, “I can't tell you.”
Say the patient arrives at the pharmacy and asks, “Is my prescription ready?”
The pharmacist must ask “Who are you? Do you have a prescription?” “No, it's for my husband.”
“He's home sick in bed.”
Or, “It's for my mother.” She is in the nursing home, right?
The pharmacist has to say, “Nope, sorry can't give it to you.” He can give you the form to take to the patient. If you bring it back signed, then he can give you the prescription.
I am from the government and I am here to help you, right? We are going to protect privacy, protect privacy at all costs.
(Q) May you ask the patient for information over the phone, and use that information to advise him?
(A) Yes you can. But if the patient is confused and doesn't remember what his referring doctor told him, you are out of luck.
(Q) If this is about protecting privacy, how was it abused in the past?
(A) That is not the relevant question, according to the government. According to the government, the relevant question is whether patients have the ability to control their own information and to precisely authorize everybody who uses or discloses sensitive medical information.
Now you may be interested to know that this particular requirement was not one that the government proposed. Under the proposed regulation, doctors and other “providers” would generally have been allowed to use information for treatment and payment and medical care-the usual office administration purposes-without getting these little signed forms. But your friends at the AMA decided that that was a big mistake, and that patient consent was the sine qua non of getting the trust of your patient, and that this written consent is required. So when the final rule came out, we had this new requirement that every provider in a direct treatment relationship with the patient has to get written consent before using his information, and that the consent can't be in the same form in which the patient consents to treatment.
(Q) Are there any special provisions to expedite care in situations that are emergent?
(A) There are exceptions for emergencies. Now the interesting thing is that it doesn't just say in an emergency you can treat the patient without consent. It says in an emergency you can treat the patient without consent provided that at the next immediate opportunity you attempt to get consent, and if you are unable to get consent, that you document that you tried and that you were unable to get consent. Paperwork, right? More paperwork. Imagine...there are going to be forms for this and forms for that. Those of you that have been in the military know that there are going to be millions of forms, right?
Imagine the ambulance driver. Ambulance drivers are “providers.” And they have to get written consent to use information before rendering treatment or as soon as possible thereafter, or to try to get consent and to document if they failed. So suppose that the ambulance driver drops the patient off and he is rushed into the operating room but doesn't make it. What does the ambulance driver have to do? He has to come back to the hospital and document that he tried to get consent but was unable to do so because the patient expired. We want our ambulance drivers to be doing this? And is this privacy enhancement? Better yet, the patient is admitted and goes to the intensive care ward. The patient is seriously ill. The ambulance driver has to come back and try to get consent from the patient in the intensive care ward? Ridiculous.
(Q) So then the person who treats the patient has to get consent. Does that mean the ICU has to get consent when the patient is transferred there? And the cardiology unit has to get consent again when the ICU transfers the patient there, within the same hospital?
(A) Well, there is a provision that will allow the hospital to put everybody that works within its provider unit under a joint consent. But you've got to be good boys and girls when you are practicing in the hospital because if you don't adhere to that hospital's policies when you are visiting your patients in the hospital, you will get the hospital thrown in jail.
Say your patient is brought to the hospital in an emergency. The hospital admits him under its consent and starts creating a record. If you come to visit your patient, either you are going to play by the hospital's rules or before you look at the hospital's records for treating your own patient, you are going to have to get a written consent from the patient. Ugly.
(Q) Is it really the AMA that brought all this about?
(A) Absolutely, positively, we can document it. Their comments are actually available on the internet-the comments that they submitted on the proposed rule, railing about the fact that the thing did not require consent. They resubmitted those comments as recently as in March, when a new comment period was opened up because some of us asked what this is going to mean.
(Q) Whose responsibility is it that government agencies can get the information almost freely?
(A) Well, that's the government, the Department of Justice's fault. That is another set of requirements that we have to deal with. That's a big issue.
(Q) If the patient has been in the hospital, can I get the x-rays, blood work, and other reports?
(A) If you have the patient's consent, you are able to call the hospital and it is able to disclose the reports to you. The obligation is put on each provider not to use or disclose without having a consent, right? But once the hospital got the consent upon admission and once you get the consent with the patient in your office, there shouldn't be any difficulty.
(Q) Is there a chance that this will be changed?
(A) We have been trying very hard to get the consent eliminated-just that one requirement. The AMA is our biggest opposition, and Bush Administration officials have said that if the AMA continues to oppose them, they won't make the changes we want. We have been working on behalf of the hospitals to try to get this eliminated because it's just not going to work....
Now, some features of the consent form. It does not expire, so it doesn't have to be redone each time the patient comes in, although the patient can revoke it. You can agree to an expiration date if you want, but otherwise there is none. It is the stupidest form you ever saw because it's a blanket done deal. You can have it for 100 years if you treat this patient this long, and it never expires.
There is no requirement that you must see that the patient is competent to sign the form. There is no age limit, but there are state laws concerning minors.
(Q) What happens to the nursing home in the situation in which patients don't even know where they are? What if they drool on the form?
(A) I think it's going to be a big problem. Remember it's not just the civil penalties of up to $25,000 per requirement violated, but this is also a criminal statute. I am pretty sure that your legal advisors are not going to want you to permit drooling. They may not require you to verify to the nth detail but they are going to want something, which would mean contacting the patient's representative or having someone authorize the written consent on the patient's behalf.
(Q) Say I go to a nursing home to take care of a person, generate a note that I keep in my office, and say I write a letter to the consulting physician. Am I in violation?
(A) Yes, sir, that's wrongful disclosure.
(Q) Say I don't write the letter.
(A) If you don't write the letter, it is only a civil penalty: Use of information without consent.
(Q) I feel much better.
(A) You feel much better. You are just up to 25K with a civil violation.
(Q) If you don't take any insurance, you don't have to worry about this?
(A) If you don't engage in any electronic transactions with any payers, with any hospitals, with any pharmacies, with any anybodies, okay? That's the only way docs can get out of it. What brings you within this statute is if you do any of the listed transactions electronically, okay?
And remember, the rules apply to your dealings with all patients, if you submit a claim for any one patient, or transmit any information electronically.
(Q) Define electronic transmissions.
(A) It includes FAXes.
(Q) Telephone calls?
(A) Could be but they say no.
(Q) Dictation within the hospital?
(A) It doesn't appear to be at this point; however, they are looking at the fact that some of the dictation services are now internet based and they send wave files. So I ask you, are you in the hospital?
(Q) I think all of us are sitting here thinking, what planet did we land on?
(A) Okay, so .....
(Q) What is the likelihood that the rules are going to stay in this form?
(A) As long as the AMA sits on its principles and says we are not getting rid of the consent form, we are going to have it. You guys should march down the street and go get 'em. They are the only ones that are holding onto the consent, the only ones. It's amazing.
(Q) What about peer review and quality improvement?
(A) Peer review and QI is carved out so that information can go from the patient record files and into the QI or quality improvement files or the PRO's files without having to have authorization of the individual patient. So that's expressly carved out.
(Q) What about sending prescriptions to a pharmacy electronically?
(A) When the law was enacted in 1996, Congress did not know that we were all going to be Palm Pilot junkies, so writing an electronic prescription is not currently one of the covered transactions. The covered transactions are claims for payment, referrals, checking eligibility of the patient for a health plan, pre-authorization and certification, claim status checks, and remittance advice. Sending prescriptions to a pharmacy is not there, but if the program automatically bills on the side, the transaction may very well be covered. Additionally, the Secretary has the authority to add more. And the first thing that the Bush Administration did, the first thing in their budget proposal, was to add a provision to Medicare saying that it was going to cost you more if you submit Medicare claims in paper format. So simply, if you are asking me how you can get out, if you think you are going to escape by doing paper claims, it is going to cost you more money. They didn't get that provision passed yet, but it's in their budget proposal, and it's still up for consideration.
(Q) Will death do it?
(A) Death will do it.
Let me tell you about some of the other requirements. One of the things that this bill does in addition to the AMA's little consent thing is that it gives every patient the right to have access to your medical records and your billing records if they are kept in what's called a designated record set. If you have anything that keeps either your medical records or your billing records in a whole set-this is how we get the PRO and the quality assurance records out-and they are used in making decisions about patients, you have to be willing, with 30 days notice, to provide each patient with a copy of his or her record. Or, if you choose to deny the request, you must provide an appeal mechanism to have someone else review whether or not the patient can have access. Failure to give access is subject to the penalty provisions, only the civil penalty provisions. Moreover, if after the patients get access to their records, they disagree with your records (they say, for example, that they don't have senile dementia), they have the right to require you to put a notation in your records that will state their point of view. This is called appending the record. So you must put that note in your record and, whenever you then transmit your record to someone else for referral purposes or whatever, you have to transmit their stuff along with it. Is there a limit on how much they can put in the record? Suppose they ask you to put the DSM III or IV in there? It's going to be an interesting time.
(Q) This could cost you a lot of money.
(A) You can charge reasonable copying fees.
(Q) What if you don't have the records on site?
(A) If you don't keep your records on site, you've got an extra 30 days, and if you just can't get there, you've got another 30 days. But that's all. You get 90 days basically.
(Q) What if you leave practice?
(A) Now, there is a lovely little thing. If you are truly going in the pizza business-or better yet, since you know so much about medicine, come join me, as I am going to make tons of money for the people who stay in practice trying to comply with this law-if you are really getting out, if you no longer maintain the records, you don't have to provide access. So as long as you check the requirements of the jurisdiction in which you are licensed with regard to the retention of medical records and as long as you comply with the requirements of that jurisdiction, you can get out.
You also can require or ask someone else to comply with this law for you. So if you're staying in practice and you just don't want to deal with all of the patients who would just like to see what their doctor said about them (I'm basing this on the credit report thing), you can, for example, use one of the new billing services that are probably going to be in the business of setting up a format for providing individuals with access to their records. You can let them append notes to their records electronically to try to get it out of your hair.
(Q) For a fee?
(A) Absolutely for a fee, a fee that you can charge the patient; it's a reasonable cost of doing business. And all of this is in the name of privacy. Privacy!
(Q) Can you get around some of this stuff if you don't take any insurance at all, and give the patient a copy of the encounter that defines the service he received that he can submit to the insurer if he likes?
(A) You might reduce some of the demand for the service but if the patient loses it or wants another or just wants to check because he is paranoid to make sure what you've got in your files, you have to make your own files available, and I will bet you are not going to get rid of all of the records on that patient. You are going to keep them for defense against malpractice claims for some period of time; you're going to keep them for accounting purposes if you charged a credit card. You're going to have some records, even if you didn't charge a third-party payor.
I'm not done yet. In addition, patients have the right to request that you restrict the way in which you communicate with them, with each patient. So if it's your practice to call up folks and say, “Mrs. Jones, your lab tests are ready, give my nurse a call,” or if it is your practice to leave those messages on the voice mail, or if it's your practice to ask the patient to call your office, the patient might say, “I don't want anybody knowing I have been to Dr. Brown's office. You must send me letters at this new Post Office Box that I have opened expressly for purposes of communicating with you.” You are required to accommodate such a request-on pain of civil or criminal penalties.
Suppose the patient says he doesn't want you to tell another doctor anything about him. Patients have the right, and you have the obligation to tell them they have the right, to ask you to do that. You don't have to agree. The regulation says you don't have to agree-maybe your sense of medical ethics tells you that you should protect your brethren by letting them know what you know when they are trying to practice medicine so they are not operating blind or completely without knowledge of what this patient has been through. You don't have to agree, but if you do agree-even verbally, say to calm a frantic crazy person in your office-and you then disclose, you are liable to civil or criminal penalties. Verbal agreement violation, the law says. You don't have to agree but if you agree, you're toast.
(Q) What if the husband gets a copy of the insurance claim, am I still liable?
(A) Absolutely. If you agreed not to disclose, you can't. If the patient says no, no, I am not paying you over the counter, send it to my insurance company, I pay a fortune in insurance premiums, and the insurer won't pay without the diagnosis, you are now in criminal territory if you want to get paid because that would be a disclosure in violation of an agreement you made to the patient. You don't have to agree, but if you are going to agree, get the money first. And the rule says that you can make all kinds of financial arrangements if you are going to agree to a restriction.
(Q) What if the patient is on Medicare?
(A) You can agree. Now the Medicare rules and the privacy rules haven't quite been reconciled, but if there is one good thing about this, it's that Medicare has to abide by these rules too.
(Q) You are not allowed to collect from a Medicare patient.
(A) I understand that you are not. So you don't have to agree to the restriction. Remember I said it is going to change the way you practice medicine. The law says you have to tell patients that they have the right to request that you restrict the information. They can say “please restrict,” and you say “no I am sorry I can't agree.” The law requires you to have this dialogue before they sign the consent.
In the notice of practices that you have to give your patients, the law very precisely prescribes what you have to tell them. You are going to have a nice little form that you are going to have to give out to each new patient. And that form had best describe very precisely what you do with respect to all of the things that are in the regulations. Because if you use somebody else's form and if it doesn't match what you do, you can go to jail. This precise description of how you handle and treat information in accord with all of the rights that the regulation refers to has to be given to the patient before he or she signs the consent; it is the basis of the “informed consent” to be used in disclosure of their information. If you left out something in the form-you relied on a cheap lawyer to help you draft the form, or you got it from a free vendor booth-and you had patients sign that form, forget the life-time validity of the form. If you change the form, you have got to start all over again.
If the patient revokes the consent, and you permit the patient to revoke the consent, you've got to have a way of knowing that you let them revoke the consent. Otherwise, the next time they come in and want to schedule an appointment, if your office person says “Oh yes, I remember you, Mrs. Brown, you are the person who was in here before with your twins,” that is a disclosure in violation of the rules if Mrs. Brown already revoked her consent.
So, unless the AMA backs off and gets rid of the consent, not only do they have this notice which may be useful in making patients less naive about how you have to use their information, you also have legal liability as a result of having them sign the form.
(Q) How does the AMA benefit from supporting this?
(A) The AMA hasn't quite figured it out yet, right? But what they thought they were getting by allowing the doctor to control the consent and to design the scope of the patients' authorization to disclose for payment purposes was the ability of doctors to hurt managed care. They would be able to say to managed care, “I am sorry, but I can't disclose this information to you because I don't have the patient's permission.” I can't imagine why they thought that that would be any good because the plan has the ability under their terms of the plan to have access to the patient's diagnosis. So the consent requirement that the AMA lobbied so hard for doesn't apply to anybody but doctors.
(Q) Do you think they are going to sell us a book?
(A) I bet they sell you an AMA form that you can use in your practice.
(Q) If we submit a claim to a third-party payer, do they have to get consent to use the information?
(A) No, the consent requirement applies only to doctors.
(Q) So when I send in the claim...
Now third parties have to have a notice of practices, they've got to send that notice out to all of their enrollees, they've got to train their employees, and they've got to have policies and procedures just as you do. They just don't have to get the consent, so that their legal liability is not the same as it is for doctors. So the AMA made the addition.
(Q) Do you have to get all these forms signed to buy a Sunbeam appliance?
(A) Only if it's a flat iron.
There is one other form that I need to make you aware of. This form is probably not going to be so onerous. If you are going to make any disclosure of patient information for other purposes-say the patient is applying for life insurance or has enrolled in a clinical trial-there is now a Federal form that prescribes exactly what has to be in such a signed authorization by the patient. And it will be easily available so you don't have to just take a risk that you've got the right stuff.
(Q) Are they going to build more prisons to hold us all?
(A) They probably won't put you in jail, but they will just charge you the fines, which is good for the bankruptcy courts and lawyers.
(Q) How are all of these forms and regulations benefiting the patients? Did anybody think about that?
(A) The privacy advocates claim that they have been acting on behalf of patients. They are the only ones besides the AMA that like the consent issue.
I need to tell you about one other piece. You could throw things at me because this is such bad news. In addition to the right to have access to all of your medical records and billing records, the patient has a right to obtain from you a complete record of all disclosures of his or her information that you've made over the last six years. Every disclosure. Every time you got a form and you sent out information in response to the request, you've got to keep a record. Every time. This is not for [disclosures to] payers, not to other doctors, not to pharmacies, not for health care disclosures. It's for disclosures as for public health reporting-if you called the CDC and said this person got Salmonella at the local Burger King-for child abuse reporting, spousal abuse reporting, communicable disease reporting. And for any kind of extra law enforcement subpoena or court order you must also keep a record. Any external disclosure that you make that is not for health care purposes, you've got to have a record for each patient, six years' worth of disclosures.
(Q) How would this apply to situations where you are evaluating somebody for Worker's Compensation or Disability?
(A) Worker's Comp is excluded.
(Q) And disability?
(A) They are all covered by state law so the state law requirements remain in place for disability and Worker's Comp. This only applies when you are treating your own patients.
(Q) Can you have a sheet in your office for patients to sign in?
(A) Not if someone else can see it.
(Q) What about calling patients back to the examining room?
(A) Well, there are some people who say that everybody's going to have to get a little number system like the deli has so you can hand the patients a number as they come in, so you can say “#14” instead of “Mrs. Jones.” I believe that the HHS is going to issue guidance that says you can say the name of the patient. You can't say “Hey you with the herpes,” but you can say, “Mrs. Jones, the doctor will see you now.”
(Q) What if you should lose your Palm Pilot that has patients' names in it?
(A) I am going to look for doctor class actions, all of the ones that have Pfizer on them, I am going to look because each one of those is a basis for a class action lawsuit, every patient name in there.
(Q) All I have is an identification number or what I have treated them for, is that still close enough?
(A) You will probably be all right because the lawyer will have a hard time figuring out who they are. Technically, it may still be a violation and I would urge you to get some kind of security system. Mine has a little security code, and if anybody tries to access data without the code, the whole thing deletes. You can have a very short code-I have a two-letter code that's very easy to enter before using it.
(Q) I am an obstetrician and I send prenatal records to the labor room so when I am off call my partners will know about my patients that they may be treating. Now do I have to have patients sign a consent that they are releasing the records from my office to the labor room, and when they get there do they have to sign another consent form for my partners to treat them for whatever is in the records?
(Q) Can patients carry their own records?
(A) Patients can do anything they want with their own records.
(Q) Are you still encumbered by all the things we talked about if they carry their own records?
(A) No, if it's theirs, it's theirs. Now there are companies that allow a patient to create a space on the internet, a secure space for their own records that the patient controls. We may very well want to use those spaces as long as we can know that there is reliable information there. This is going to force a lot of changes in order to get around a lot of this ridiculous stuff.
(Q) I am in solo practice. I have another group that covers for me when I am out. Can I get a consent when I am seeing the patient that would cover them?
(A) No. You have to be part of an organized health care arrangement that is covered by a single consent for that consent to be valid. No consent obtained by one provider is valid for another provider unless they are both part of some organized arrangement.
Get the AMA to get it fixed. Everything else, I promise you that you can deal with. It's going to be a hassle, but you can deal with it. But get the AMA to get rid of the consent form.
(Q) Have you sat down with the AMA and told them this?
(A) Yes, many times. They are hopeless. Just hopeless.
(Q) Say you are covering for somebody else, and a patient calls you. What can you do?
(A) You can do anything that the patients tell you to do as long as they are communicating with you. So you are going to have to have a little relationship with the patients and say, “I am sorry. I am covering for Dr. Brown, but I don't have consent to treat you. Do you give me permission to look up your information?” They can give you verbal consent until you see them in person, and if you never see them in person, you are fine. The law will protect you if you never see them in person, if they only called on the phone.
It's free employment for lawyers, I tell you. I am sorry about it.
Get the AMA to fix it.