CASE District VII Conference
Anaheim, CA
December 8 – 10, 2002
“The Method and the Magic:
Ethics and Information Management”
Micheal Seymour, Presenter
Healthcare and medical non-profits privacy:
Get a grip on HIPAA
I. Foundations for Privacy and Confidentiality
in Healthcare / Medicine
A. The Hippocratic Oath
B. Moral and Political Aspects of Privacy and
Confidentiality
II. HIPAA
A. Definition and Scope
B. Goals
C. Background on Regulations
D. Important and Relevant Terms
E. Fund Raising Issues
F. What the regulations fail to address
G. Impact on fundraising and how to succeed
despite HIPAA
III. Conclusion
Foundations for Privacy and Confidentiality
in Healthcare / Medicine
The Hippocratic Oath
“What I may see or hear in the course
of the treatment or even outside of the treatment in regard to the life of
men, which on no account one must spread abroad, I will keep to myself, holding
such things shameful to be spoken about.”
The BIG question: Is giving patient
information to a fundraiser violating the Hippocratic Oath?
Moral and Political
Aspects of Privacy and Confidentiality
American Medical Association (AMA) Code of Ethics -- there are multiple versions, but it was originally adopted in 1957.
American Psychiatric Association Code of Ethics – 1987
American Hospital Association -- adopted “A Patient’s Bill of Rights” in 1973
World Medical Association -- ethical code first adopted in 1948
If confidences are not kept, patients
will not be forthcoming with information, which may impact treatment and
medical care
HIPAA
[Health Insurance Portability and Accountability Act]
(also known as “Patient Privacy
Rules”)
Definition and Scope
HIPAA is the most sweeping and intensive
legislation to affect healthcare and medicine since Medicare in 1965.
Nearly everyone involved in healthcare and medicine will be affected in some
way:
Healthcare providers (doctors, hospitals, clinics)
Payors (insurance companies)
Employees
Clearing Houses
Practice Management system vendors
Billing Agents
Service Organizations
Goals
- Ensure access to and the portability of healthcare insurance [this was the
impetus of the legislation]
- Reduce healthcare fraud and abuse
- Simplify and standardize electronic administrative processes
- Guarantee security and privacy of health information [this was the primary
concern by the public as well as legislators]
Background on Regulations
In the past, no federal laws existed on the books governing patient privacy. Existing
state laws vary widely, with many states having more stringent laws than
the federal guidelines from the Department of Health and Human Services [HHS].
* If a state law provides greater protection than the baseline provided
in HIPAA, then the stronger state law would prevail.
The objectives of the legislation
were to:
Improve efficiency by standardizing
electronic data interchange through standardized formats, code sets, language,
and unique health identifiers
Reduce costs
Ensure security and privacy of healthcare transactions and information
Fund raising is mentioned in only
8 paragraphs of the HIPAA Final Rules, which run to over 1,000 pages.
Specific to fund raising, HIPAA
seeks to regulate patient privacy through the restricted use of protected
health information (PHI) for fund raising purposes.
Privacy Rule enforcement begins
April 14, 2003
Implementation and enforcement will
be handled out of the Office of Civil Rights within the Department of Health
and Human Services (DHHS)
Civil and criminal penalties for
non-compliance range from $100 to $250,000 per offense and up to 10 years
imprisonment
Important and Relevant Terms
Covered entities:
all health care providers, health plans and clearing houses which maintain
patient data.
Protected Health Information (PHI): all individually identifiable health
information and other information on treatment and care that is transmitted
or maintained in any form or medium (electronic, paper, oral, etc.)
Protected Health Information is
owned by the patient. HIPAA gives patients rights as to how their PHI
is used:
- right to a copy of The Notice
of Privacy Practices
- right to access, inspect and copy
one’s PHI
- right to request restrictions
of disclosures
- right to amend one’s PHI
- right to an accounting of disclosures
- right to authorize non-routine
disclosures
Individually
Identifiable Health Information: a subset of PHI, including demographic
information collected from an individual.
Consent:
the communication process between caregiver and patient, referring to the
use or disclosure of protected health information (PHI) to carry out treatment,
payment or health care operations.
Authorization:
the mechanism for obtaining consent from a patient for the use and disclosure
of health information for a purpose that is not treatment, payment or health
care operations. For example, a written authorization is needed before
a patient’s health information can be included on a list for marketing purposes.
Authorization:
- is a customized document that
gives a Covered Entity permission to use
PHI for specific purposes
- covers only uses and disclosures
of PHI stipulated in the authorization
- contains an expiration date
- may also state the purpose for
which the information may be used or disclosed
Authorization is NOT required if:
- fund raising for own benefit
AND
- use or disclosure for fund raising
purposes is included in the Covered
Entity Notice AND
- an individual may opt-out of receiving
fund raising materials AND
- the Covered Entity is only using
an individual’s demographic information AND/OR
- dates of health care service
In the initial draft of the HIPAA regulations…
- Marketing and fund raising were grouped together and were not considered
part of “health care operations.” Access to all PHI, including demographic
data, required prior authorization.
- Limited to computer access and transmission of patient data. It did
not address hardcopy or personal communication of patient data.
In the final draft of the HIPAA regulations…
- Marketing and fund raising are separate functions and are considered
part of “health care operations.” There is limited access to PHI, and
other data might require authorization.
Fund Raising Issues
- Almost 90% of funds raised at major medical centers come from grateful patients,
who are referred by their physicians, who usually want to give to areas of
interest (most often their treatment area) and who are approached by development
officers
- Physician involvement and interaction is critical for successful fund raising
- Campaign fund raising targeted to groups by physician or treatment area will
be limited
- Under the current proposed HIPAA guidelines, the most basic fund raising
practices (physician referrals and major gift appeals) will be administratively
challenging, expensive and largely less effective, requiring a signed authorization
What the regulations fail to address
The application in disease-specific
institutions (e.g., Cancer Centers, Psychiatric Hospitals) where access
to patient name and address constitutes, de facto, access to a patient’s
disease/prognosis
The application in institutions
with de-centralized registration systems (i.e., separate data systems for
various departments and units)
Development Office access to other
non-medical PHI (such as occupation, employer, next of kin / spouse information)
Impact
on fundraising and how to succeed despite HIPAA
HIPAA classifies
healthcare fund raising as a “healthcare operation” and allows fundraisers
to use the information listed below without an authorization:
i. demographic information relating
to an individual and
ii. date(s) of healthcare service
provided to an individual
| Approved data | Not Approved data |
|---|---|
| Name | Diagnosis |
| Address | Treatment or nature of services |
| Other contact info (phone, e-mail, fax) | Name of the department or division of the covered entity where the patient received treatment |
| Age (birthdate) | Name / specialty of the physician |
| Gender | Social Security Number |
| Insurance status | |
| Date(s) of service(s) | |
| | NOTE: any use of this information would require signed authorization by the patient |
The Association for Healthcare Philanthropy
(AHP) has been diligently monitoring the legislation and is seeking to positively
impact the outcome.
Besides demographic data and date(s)
of service, AHP is lobbying to add the following data element:
iii. the physician, department,
or division of the covered entity from which
the individual received treatment
NOTE: This would describe only the area of the hospital / medical center where the
patient receives or received treatment,
and the name and/or specialty of the treating physician. It does
NOT include information related to a patient’s specific disease, diagnosis
or treatment.
Direct mail communications can no
longer be “targeted” to specific patients / patient families for specific
diseases (e.g. – diabetes patients). In the past, these targeted
appeals (signed by the Department Chief) have been extremely successful with
regards to donor acquisition.
AHP (Association of Healthcare Philanthropy)
and AAMC (American Association of Medical Colleges) are currently petitioning
the Department of Health and Human Services on this issue.
With regards to major gift fund
raising, patients cannot be proactively identified as prospects for specific
departments. This will make it more difficult for Major Gift officers
to have department-specific fund raising goals and strategies
New restrictions on communication
between physicians and the Development staff will be necessary. The
physician cannot bring a patient name to the Development office anymore unless
the patient has given prior authorization.
In order for us to be successful in
fund raising, Development must take an active role in their institution’s
formulation of a clearly articulated authorization statement. One example:
The General Counsel’s Office at Johns Hopkins Medical Center has been very
proactive in this area. This authorization can also serve as
a “mini mission statement” making the case for support of your organization.
This legislation will require greater
cooperation and integration of Annual Fund operations and Major Gift operations.
Volunteer leadership will be absolutely
essential as a source for proactive identification of potential new donors.
Once a patient becomes a donor to a specific area, you can then move them
along for larger gifts.
It will also mean continued education
for physicians with regards to the overall Development process.
Conclusion
HIPAA and privacy issues are here
to stay and need to be addressed.
Hospitals and medical centers will
face many complex issues regarding compliance with the regulations, and no
one wants to be the first “test case” for non-compliance.
HIPAA regulations will require more
creative ways for the development staff to identify prospects.
Departmental funding priorities
will be largely donor-driven.
Development will need to be more
committed to educating unrestricted donors on a wide range of funding opportunities.
Web sites for
further information:
http://www.hhs.gov/ocr/hipaa/
http://www.afpnet.org.resource_center/hot_topics
The Final Regulations are available
at:
http://aspe.os.dhhs.gov/admnsimp/
http://www.hipaadvisory.com/
http://www.ucsf.edu/hipaa/HIPAAUpdate-Sept2001/
Source materials were adapted from
presentations by:
“Healthcare Issues” Panel Discussion by Mark A. Cotleur and Mark P.
Aulisio, Ph.D.
(APRA International Conference August 2002)
“Ready or Not – Here comes HIPAA”
by Suzanne Szalay
(CARA Seminar Day
October 2002)