This is the second article in a series about HIPAA in the Midwife Workflow.
Imagine if in 1925 when Mary Breckinridge founded the Frontier Nurse Service, and pioneered nurse-midwifery and rural healthcare in the US, she had to maintain HIPAA-compliance. Traveling on her horse caring for the women of Appalachia, obtaining written authorizations and informed disclosures would have been as foreign as the professionalized midwifery model she introduced.
All reform brings challenges and contradictions. As any practicing midwife in the U.S. knows, we stand on the shoulders of those who came before us. As we work to move midwifery forward, we have to balance the need to modernize our profession without compromising the essential components of our model of care. One of the hallmarks of midwifery is the personal relationship we have with our clients. We are at times more than healthcare providers, we are mentors, connectors, and friends. Parity between the relationships and connections that come with being a “community midwife” and the rules and regulations that come along with professionalism doesn’t have to hinder the inherent connections that we share with our clients and their families.
The HIPAA Privacy and Security Rules are reforms that we as providers may find frustrating to integrate into our professional practices that are already constantly threatened by regulations that are not well suited to our model of care. If we try to keep in mind the good intentions (protection of the public) that are behind HIPAA, it makes it a little easier to take the effort to make these steps routine.
Communication under HIPAA
As I said in the first part of this 3 part series, HIPAA applies only to those providers and their business associates (or “covered entities”) who engage in electronic transmission of protected health information (PHI). However, the actual law itself addresses rules for how ALL records are managed, including paper, fax, and oral transmission.
HIPAA was not intended to hinder your ability to communicate with or about your clients. In fact, the intent is to encourage those necessary communications with clarity of purpose and awareness of boundaries. Think of HIPAA as a container for your communications and maybe it can help serve to organize your workflow.
Authorizations–the fine print
Anyone who has visited a health care provider in the last 5 years has probably signed a HIPAA authorization. There is not a single-use HIPAA authorization form that everyone has to use. That is because the idea is for you to actually write your own that tells your clients what you do with their PHI in your practice.
There are some specific areas that need to be addressed in your general authorization at the onset of care, which HIPAA calls your “Notice of Privacy Practices”. This form can look like a bulleted list and here is what it should include:
- Situations that require no permission that are routine in your practice:
- Consultations or transfer of care
- Sharing a chart with a back up midwife
- Situations related to public benefit: reporting victims of abuse, neglect, domestic violence, legal proceedings, national security, and law enforcement
- Situations where verbal or written consent is required:
- Disclose information to family or friends involved in client’s care
- Public displays- bulletin boards, Web sites, Facebook
- Patient Rights (HIPAA requires that you inform your clients of their rights under the law) You clients have the right to:
- Request access and corrections to their record
- Request an accounting on how their information was used and who it was released to in the course of their care
- Request that all communications be confidential
- Complain about a perceived violation of privacy- to you, your practice’s manager (if you have one), your licensing or certifying agency, or the government
Now that you’ve disclosed or gotten permission to communicate, there are some guidelines under HIPAA about how you communicate PHI in any situation.
It’s not about the messenger, it’s about the message
In our world of instant communication and rapidly changing technology, it is very difficult to create a standard for communication that is universal. The HIPAA rules are not intended to limit your use of speedy and convenient communication, the government primarily just wants you to think about what your are doing before you do it. This is highlighted by a phrase used in the law to describe the guidelines for disclosures:
“Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes.” 45 CFR 164.502(a)(1)(iii)
In legal terms, “reasonable measure” and “minimum necessary” are something that the law didn’t really want to define because it was recognized that what would be reasonable for one provider wouldn’t be reasonable for another. Once the law is in place for awhile things like case law and community standards start to define these subjective terms.
As individualized as midwifery practices are, community standard is hard to define for everyone. The basic idea is to apply these concepts to everything that you do with PHI, including sending information or allowing access to information in your office or work place.
The first “reasonable measure” to consider when sending info is make sure you are sending the message to the right person.
- Confirm the address, phone or fax number
- For written information (mail, email, fax), include a cover letter or signature with a instructions for the recipient to contact you and destroy the contents if they are not the intended recipient
The second “reasonable measure” is to send the minimum information necessary to achieve the goal of the communication. A great example would be that when you need to leave a voice mail for your client about their recent lab report, you can just ask them to call you back rather than leaving the details about the report on a machine that others might overhear.
Storage and Access to information in your office
In large practices, there is usually a “privacy/security officer” who is in charge of drafting policies and training everyone else. If it’s just you and some students, you are your own privacy officer! Most of the “reasonable safeguards” HIPAA requires that you take in your workplace have to do with basic professional conduct and common sense -for instance:
- Speak quietly when discussing a client in public areas of your office so that you aren’t overheard by family members or people in the waiting room
- Don’t have incidental conversations among your colleagues that are not necessary for treatment- keep it on a need-to-know basis
- Isolate or lock file cabinets or records rooms
The basic idea is to take a look around your practice and notice the places where you are already taking care to ensure confidentiality and get a little more formal about it. The process will likely show you areas or habits that you hadn’t thought about before that could probably improve your practice while also increasing your HIPAA-compliance.
Did you miss Part 1 in this series? The Basics – read it now.
Read Part 3 – The Security Rule – keeping electronic information safe
Disclosure: This article is an attempt to provide information about HIPAA to midwives and related parties who are struggling to understand and integrate HIPAA-compliance. It is meant to support, not supplant, any previous understanding that you may have about HIPAA and should not be considered the first or the last word on HIPAA-compliance.