Most people associate mid-April with the April 15 tax-filing deadline. In 2003, this time of year has taken on a new association for the healthcare profession. On April 14, the Health Insurance Portability and Accountability Act (HIPAA) privacy rules -- covering doctors, hospitals, clinics, health plans, and pharmacies -- took effect. HIPAA was passed in 1996 to protect the privacy of individuals' medical information, but the rules were not finalized until mid-2002. HIPAA prohibits healthcare organizations from disclosing patients' health information without their consent for any reason unrelated to healthcare, and requires healthcare organizations to inform patients that they have the right to lodge complaints with the U.S. Department of Health's Office for Civil Rights.
Within the healthcare industry, there is still much confusion about this law and how it should be implemented and enforced. But what about the patient's perspective? As these new policies are taking effect, do healthcare patients feel their privacy is being respected?
According to Gallup's recently released 2002 patient satisfaction and loyalty database, patient attitudes regarding respect for privacy have not changed over the past three years. But there is some variation by service sector. The greatest vulnerability is among emergency department patients, only 47% of whom were "very satisfied" with the level of respect for their privacy in 2002. Outpatient surgery patients were the most likely to be very satisfied with the protection of their privacy (66%), compared with 53% of inpatients. The fact that only around half of both inpatient and emergency department patients are very satisfied with respect for their privacy suggests that hospitals should be doing more to reassure patients that their rights are being protected, and perhaps HIPAA may be a step in that direction.
In looking at the data, one might be inclined to think that little has been done to improve patient privacy protection over the past three years. But it would clearly be inaccurate to suggest that healthcare organizations have not been actively preparing for HIPAA.
Most healthcare organizations have invested significant amounts of staff time and resources in these HIPAA preparations, but the focus of many of these changes has been on information systems and other processes that may be invisible to patients. Also, in many instances, healthcare facilities may have implemented changes in early 2003, after the data for Gallup's 2002 database were collected. Still, these data provide healthcare organizations with a warning.
Gallup's data suggest that while healthcare organizations may have come a long way in formal system improvements to protect privacy, the development of safeguards against incidental disclosure of information by staff may still be lacking. These types of disclosures are the most frequently visible to patients. When it comes to privacy protection, healthcare organizations must shift emphasis from process and system improvements to the "people" elements -- staff and patient education. Staff members must be educated about how to comply with the new regulations, and patients must be proactively educated about the protections that are in place for them.