Health System begins medical privacy training

Facing a looming Apr. 14 deadline for compliance with the national Health Insurance Portability and Accountability Act, the Health System began training its employees Monday in the new privacy and security regulations concerning medical records.

HIPAA, the first federal law comprehensively dealing with patient medical privacy, represents more than 100 regulations on security standards and the proper use of health information. The law is backed up by severe civil and criminal penalties for noncompliance, including fines up to $250,000 and/or imprisonment for a maximum of 10 years for knowingly misusing personally identifiable health information.

All employees, administrators and medical researchers within the Health System--including the Medical Center, the School of Medicine, the School of Nursing and the Private Diagnostic Clinic--are required to undergo approximately 20 minutes of HIPAA training, which will be offered online, on video and in person. Clinical researchers, however, will require more rigorous training in the regulations than other employees, said Professor of the Practice in the Center for Ethics and Humanities Angela Holder, who helped write the training programs for Medical Center staff.

"The goal is to have 100 percent of employees and medical staff trained by Apr. 14," said Britt Crewse, associate vice president and chief compliance and privacy officer of DUHS.

For the Medical Center, which already has extensive privacy regulations, HIPAA is not predicted to radically change operations. "The rules won't affect how [Duke] practices greatly... but it will formalize things," Crewse said.

HIPAA limits the non-consensual release of private information, most strictly when it identifies specific patients. However, allowances are made if they are necessary for medical care.

"We're still allowed to disclose patient information for treatment purposes, payment and operations... like peer review and quality improvement," Crewse said.

Also beginning Apr. 14, the Medical Center will be required to ask new patients to sign a six- to seven-page document indicating they understand Duke's privacy practice.

Lauren Dame, associate director of the Center for Genome Ethics, Law and Policy, said HIPAA offers detailed and badly needed federal regulation of medical privacy law, which until now had been decided state-by-state. "Patients care very much about the privacy of their medical records," said Dame, also a senior lecturing fellow in the School of Law. "A major part of the doctor-patient relationship is confidentiality."

Dame emphasized the growing importance of medical privacy considering the greater use of computerized information that can be easily shared and accessed. "Nowadays, medicine is delivered in a much more interrelated fashion," she said. "People are more aware of the privacy issues, and they're concerned with them."

The increasing sophistication of genetic knowledge also demands strengthened protection of patient information, Dame said. "As we enter the world of genomic and genetic medicine, people are particularly worried about genetic information being revealed to others."

She explained that sharing patients' genetic information might allow insurance companies to improperly assess the risks of disease not only for the patients themselves, but also for their families.

To meet these demands, HIPAA comprehensively standardizes the proper security measures covering patient databases and computer records, even requiring encryption for e-mails to and from hospitals.
