Regents expected to approve health information privacy policy

The Board of Regents is expected to approve a new policy today aimed at ensuring the confidentiality of individuals’ private health information.

The policy is just one piece of the University’s ongoing and intensive efforts to comply with broad new federal regulations introduced under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA.

The University likely will spend thousands of dollars and countless person-hours implementing the law’s privacy requirements by the April 14 deadline.

Congress approved HIPAA to set a national standard for the use and transfer of individuals’ private medical records. The goal was to make it easier to transfer health care coverage from one company to another.

Congress – concerned that easing the electronic transfer of medical records might also make them more vulnerable to privacy violations – included rules to ensure the confidentiality of medical records.

For the University, that means more paperwork and tighter controls in any departments working with medical data. The regulations affect more than just the Academic Health Center. Areas of the athletics department, College of Liberal Arts and the School of Music are impacted. In all, 25,000 employees will undergo HIPAA training.

The U.S. Department of Health and Human Services – charged under HIPAA with defining the privacy standards – only finalized the rules in October, but the University has known they were coming for years, said Ross Janssen, HIPAA privacy officer for the University.

“Right now, HIPAA is my life,” Janssen said.

The University appears to be ahead of the game compared to other schools, he said, attributing it partially to Minnesota’s already-strict state medical privacy laws.

Employee training is completed primarily online through the University’s WebCT system. Students and employees required to go through the training will receive reminders via their University Internet accounts.

The most minimal training consists of a seven-minute HIPAA awareness video. Those working in more specialized areas such as research or clinical settings will watch up to two and a half hours of courses.

Training dates will be staggered throughout the next two months to avoid overloading the WebCT system.

Because WebCT already exists, there was little cost in setting up the training program. Instead, lost employee work hours due to training account for much of the cost.

The Department of Health and Human Services estimates HIPAA will cost covered entities $17.6 billion over the next 10 years. Janssen said the University allocated $585,000 for HIPAA-related spending this year, with annual spending after that estimated at approximately $335,000.

Janssen said HIPAA mostly formalizes University practices already in use, but it could make things more cumbersome for researchers, at least in the beginning.

One of the law’s main provisions limits the use of a person’s health information if it could identify that person. The list of restricted fields includes not only names, phone numbers and social security numbers, but also information potentially valuable to researchers, such as birth dates, zip codes and photographs.

Researchers wishing to use the restricted information can only do so with written permission from subjects or approval from the University’s Institutional Review Board.

“It’s going to be confusing for researchers and for the public until we all get up to speed,” said Moira Keane, Research Subjects Protection Program director, which oversees the review board.

All research involving human subjects already requires review board approval. The Research Subjects Protection Program will integrate the HIPAA procedures into that process.

State privacy regulations will need to be integrated with the new standards as well. HIPAA will serve as a federal floor, trumping less strict state laws but allowing for more stringent ones.

A group of lawyers and administrators – of which Fairview Health Services lawyer George Chresand is a part – are currently sorting out how HIPAA meshes with Minnesota law.

“We’re still working on it, but what we’re finding is that there are conflicts between Minnesota law and the federal law,” Chresand said. “It doesn’t necessarily mean you can’t follow both, but it makes it difficult to figure out how to go about doing that.”

The writers welcome comments at [email protected] and [email protected]