HIPAA and Pediatric Gastroenterology Practice in the United States
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is one of the most interesting and controversial statutes of our time. Not only does it contain some of the most stringent mandates related to health care fraud and abuse, it also contains certain rules that will revolutionize the privacy and security of electronically transmitted patient medical information in this country. Clearly, the privacy and security of health information is, and should be, one of the foremost concerns in pediatric gastroenterology. There have been laws on the books for many years at the state level that deal with the privacy of specially protected types of medical information including HIV, Drug and Alcohol, Mental Health and State Funded Family Planning information. The onset of technology in the health care industry has unfortunately provided avenues to leak (even inadvertently) patient identifiable information. Many health care information systems do not communicate with one another in a secure fashion, and the use of PDAs and other hand held devices have allowed pediatric clinicians to update patient information at their fingertips. It's no wonder that Congress sought to mandate certain controls over the uses and disclosures of medical information.
HIPAA has created many challenges for pediatric care. For example, the Privacy Rule requires all providers to deliver the organization's Notice of Privacy Practices to all patients (or parents/legal guardians) on their first encounter on or after April 14, 2003. The Notice of Privacy Practices must only be given once and the provider must obtain a written acknowledgment that the patient has received the Notice of Privacy Practices. The written acknowledgment must be signed by the patient (if emancipated under state law) or by the parent or legal guardian of the patient. Moreover, in a pediatric setting, the Notice of Privacy Practices document must be written in language that focuses on the parent or legal guardian (who will read and acknowledge it) and not necessarily on the patient. Hence, references to “your medical information” must be defined to mean “your child's health information”. Since the Notice of Privacy Practices need only be given once, many pediatric gastroenterology practices are amending their registration system to include a new field to check to show that the Notice of Privacy Practices was given to the patient or legal guardian. That way, the next time the patient presents for care, there will be a notation in the registration system showing that the patient has already received the Notice of Privacy Practices.
In a pediatric setting, it is not uncommon to find that someone other than the parent or legal guardian presents the patient for care. Since HIPAA requires that the parent or legal guardian sign the Acknowledgment of Receipt of the Notice of Privacy Practices, it will be necessary to make a notation in the patient's medical record that the parent or legal guardian was not available and the form must be sent home with the patient with the expectation that it will later be signed by the parent or legal guardian. A pediatric gastroenterology practice will need to implement a monitoring process to ensure that these forms are returned and placed in the patient's medical record. It is also possible, that parents or legal guardians will not sign the form. In this case, it is advisable that the registrar makes a notation in either the patient's medical record or in the registration system noting that the parent or legal guardian refused to sign the form.
Emancipated minors present many challenges under the HIPAA Privacy Rule. HIPAA states that if a minor is emancipated under state law, the minor must sign the Acknowledgment of Receipt of the Notice of Privacy Practices and the minor has the authority and right to agree to certain disclosures of their medical information, including disclosures for research purposes. In Pennsylvania for example, a minor who is pregnant or who has ever been pregnant (regardless of age) is emancipated. Therefore, only the minor patient has the right to authorize disclosures of their medical information, including disclosures for research or marketing purposes. In these cases, it will be necessary for the practice to explain the Notice of Privacy Practices and any other disclosures of the patient's medical information in language that they can understand. This will be a particularly sensitive issue in the research context.
The Notice of Privacy Practices outlines the patient's privacy rights under the HIPAA law. These rights include the right to an accounting of every time the patient's medical records were disclosed for reasons other than treatment, payment and healthcare operations. In addition, the patient has a right to request changes in their medical records. These changes need not be made if the pediatrician believes they would not be clinically appropriate. This can be a difficult issue to contend with particularly if a patient requests that references to a pregnancy be deleted from the record. In addition, emancipated minors will have the right to obtain a copy of their medical record. This can present problems in the event that the patients do not understand what medical terms mean.
Since the Privacy Rule is so new, we will all need to take a “wait and see” approach to HIPAA compliance. Given the heightened sensitivity of pediatric medical information, we will also need to be very careful to implement the requirements appropriately and in the best interests of the pediatric patients we serve.
Steven M. Altschuler M.D.
President and CEO
The Children's Hospital of Philadelphia
Lisa F. Murtha J.D.
Vice President of Audit and Compliance
The Children's Hospital of Philadelphia