Fri. Apr 26th, 2024

The federal HIPAA laws go into effect on April 14, and officials at Tyrone Area Hospital say they will be compliant when the day arrives.
HIPAA, the Health Insurance Portability and Accounting Act, is a law that governs the use and release of a patient’s personal health information, also known as “protected health information.” The HIPAA privacy regulations establish a minimum acceptable threshold for the use and release of a patient’s health information.
“Patient privacy has always been a top priority at Tyrone Hospital,” said Thomas Bartlett, chief executive officer of TAH. “All hospital staff – from our physicians, nurses, office personnel and volunteers – are dedicated to protecting our patients’ privacy.
“The regulations affect how the hospital can respond to inquiries from people in the community, the media, contractors and business associates.”
According to George Semko, chief financial officer at TAHS, under the HIPAA regulations, patients must be informed about how their PHI will be used and given the opportunity to object to or restrict the use or release of their information.
“Hospitals may use and disclose PHI without the patient’s consent for purposes of treatment, payment and health care operations,” said Semko. “In addition, the HIPAA privacy regulations have specific provisions for the release of limited information about the patient without the patient’s authorization when someone specifically asks about the patient by name.”
To allow the hospital to reach compliance with the federal standards, Tyrone Hospital employed the services of Parente Randolph, a large Pennsylvania accounting firm, to provide a GAP analysis of where Tyrone Hospital was compared to where it needed to be.
He said the analysis was done on a department-by-department basis and the hospital has amended its processes as necessary.
He said the hospital also engaged the services of the Raytheon Corporation to perform another GAP analysis based upon the security and privacy regulations.
“We have already taken strategic steps to ensure the privacy of our patients and the patient identifiable data by changing how we register patients (social security number and birthday versus name only),” said Semko, “this is for HIPAA and safety reasons. We are setting up business associate agreements with our vendors to ensure they are in compliance as well. We no longer list our patients’ names in the local newspaper.”
Semko said the hospital has already purchased new computer servers and software to provide a greater level of security for the storage and access to patient identifiable data.
He says based on the information he has seen, the hospital will be in compliance.
“Based on a review of Tyrone Hospital by outside consultants, the hospital has plans and structures in place to meet the HIPAA regulations,” said Semko. “Education for hospital employees and the community is part of the preparation.”
So, what does HIPAA do? Four things.
• Gives patients more control over their health information.
• Sets boundaries on the use/release of health information.
• Establishes safeguards that hospitals, physicians, health plans and clearinghouses (“covered entities”) and their business associates must have in place to protect the privacy of health information.
• Holds violators accountable with civil and criminal penalties if they violate a patient’s privacy rights.
According to Semko, with the deadline for compliance quickly approaching, it is important to remember that compliance with HIPAA regulations is “truly” an ongoing process to keep patient identifiable information in its proper place and to respect the confidentiality of information and protect patients’ rights.
“These HIPAA regulations are now part of the ongoing regulatory compliance picture for the hospital,” said Semko.
Hospitals and healthcare providers can face fines from $50,000 to $250,000 and/or one to 10 years in prison per occurrence of violation. This, according to the Hospital and Healthsystem Association of Pennsylvania, is based on whether or not the disclosure is made under false pretenses or if there is intent to sell, transfer, or use patient information for commercial advantage, personal gain or malicious harm.

By Rick