Hopping HIPAA Hurdles: The UOA Visitation Program
VOLUME: 49 Issue Number: 8 / author: Gwen B. Turnbull, RN, BST
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was intended to streamline inefficiencies within the insurance system, protect against fraud and abuse, and prepare the healthcare industry for standardized electronic transmission of administrative and financial transactions associated with the provision of medical care. At the core of these changes is a requirement to adhere to certain privacy and security rules regarding who has access to Protected Health Information (PHI). The law defines PHI as individually identifiable health information, including demographic data, that relates to a person's past, present, or future physical or mental health condition; the provision of health to that person; or the past, present, or future payment for the provision of healthcare to the person that either identifies the person or for which there would be reason to believe the information can be used to identify a particular person. Generally, this includes name, address, date of birth, and Social Security Number.
Because the law is broadly written (as most government regulations are), organizations must step back and examine how the Privacy Rule regulations mandated in this law actually play out in every aspect of the day-to-day operations of a particular setting or business where PHI is exchanged. Due to individual discretion on interpreting this law, a lack of uniformity is inevitable as to how each organization, hospital, clinic, insurance company, and physician's office interprets and implements the rules. What is not subject to interpretation are the financial penalties for those who fail to comply. Therefore, vested parties may be a bit skittish about the method and process in which PHI is shared with the United Ostomy Association (UOA) and they are taking a variety of approaches to ensure it is secure.
Basically, three players are involved with HIPAA: 1) the individual patient; 2) the "covered entity" - ie, any organization subject to the Privacy Rule (hospital, physician's office, insurance company, clinic, and so on); and, 3) a "Business Associate" - a person or an organization that performs certain functions on behalf of or provides certain services to a covered entity that involves the use of identifiable PHI. Generally, Business Associate services are legal, insurance, accounting, consulting, accrediting, or financial services - basically, anyone or any organization that has access to PHI.
So what does this have to do with ostomies? Before HIPAA, a physician or a WOC nurse could refer patients to the local chapter of the UOA simply by providing them with the patient's name, age, type of surgery, location (hospital, home, nursing home), telephone number, and a brief overview of the patient's clinical and emotional situation. The UOA would then arrange for a trained visitor (matched by age, sex, and surgery type) to contact the patient directly.
The Health Insurance Portability and Accountability Act has changed all that. Now, the referring healthcare provider first must obtain the patient's permission to release PHI to the local UOA chapter (or even the patient's family, for that matter) and provide reassurance that this information will remain confidential. Each and all of these steps must be clearly documented in the patient's medical record according to the referring organization's internal HIPAA processes. The patient may be asked to sign a written consent form that becomes part of the medical record, authorizing the referring institution to release this information to the UOA.
However, if the WOC nurse provides information directly to the patient about the local UOA chapter, no written or verbal consent is required if the patient chooses to contact the chapter directly. Again, protocols will vary among institutions.
The trickle-down effect to the local UOA Chapter's Visitation Program is as follows: Each chapter should identify its individual referral sources within its community and schedule a meeting with each referral's HIPAA Compliance Officer to learn relevant internal HIPAA processes and how they impact the UOA Visitation Program. During this meeting, the purpose of the UOA Visitation Program should be reviewed with the HIPAA Compliance Officer and the "old" process of referrals reexamined. Once the old process has been reviewed, both parties can discuss ways to continue the service while maintaining internal HIPAA compliance. In some instances, the referral source may even ask the UOA to sign a Business Associate agreement.
The UOA recommends that the local chapter provides the HIPAA Compliance Officer with a copy of the UOA Patient Referral Form (available at: www.uoa.org/new/files/hipaa_referral.pdf.) and requests that it be approved for use within the institution or organization. An explanation of how specific patient information (sex, age, type of surgery, etiology) is used to match the UOA visitor to the patient should be provided to substantiate the need for obtaining identifiable PHI.
WOC nurses and nurses caring for patients with stomas (regardless of the clinical setting in which they practice) can play an integral role in ensuring that their local UOA chapter's Visitation Program survives under current HIPAA regulations by proactively contacting the local chapters, walking them through the required internal HIPAA processes, and meeting with key personnel within their institution. WOC nurses may wish to participate in the joint meeting with the HIPAA Compliance Officer and the UOA representative to ensure a seamless process of matching patients to ostomy visitors - one that remains secure, HIPAA-compliant, and professional - and ultimately, positively impacts a person's life. - OWM