February 15, 2002

New patient privacy regulations that are included in the Health Insurance Portability and Accountability Act (HIPAA), which was passed last year, require MGHers to obtain written consent from patients regarding how employees use and share patient information. As part of the MGH's ongoing patient confidentiality awareness campaign, below are policy changes that MGHers should know about.

The revised patient privacy standards include the following:

• Clinicians must fully inform patients about how their medical information is used.
• Health information may be shared with other clinicians only on a need-to-know basis.
• Employees may only access and/or disclose the minimum information necessary to perform their jobs.
• Patients must be allowed easy access to and influence over their health information.
• A patient's written consent must be obtained to share and use their health information for treatment, obtaining payment for services and conducting normal business operations. These operations include: quality assessment, development of clinical guidelines, case management and coordination of care, referrals to other providers and facilities, training of medical personnel, credentialing of clinicians, accreditation of health care organizations, arrangement of legal services and audits, business planning and management and general administrative activities.
• Business associates who access medical information must follow hospital requirements to protect the privacy of patient information.

"The major change in the policy is that employees will need to offer more detailed information to patients about how their health information will be used. These details will be made available to patients through the Privacy Notice, which currently is being developed," says Eileen Bryan, project manager for HIPAA at the MGH. "We also will be assessing education and training needs based upon employees' roles and will develop resources and needed materials accordingly."

At present, the MGH is involved with several HIPAA-related projects. One such project, currently in its beginning stages, is the development of a department-level assessment of how the hospital uses and discloses patient information. A second project involves the pilot effort in the ambulatory areas to obtain patient consent.

More information about the Patient Consent for Use and Disclosure of Health Information process and the department assessment will be available in the coming months. For more information about confidentiality policies, call (617) 726-6360.