oral communications and hipaa privacy

7/31/2019 Oral Communications and HIPAA Privacy

1/28

Oral Communication:Myths & Facts

Susan A. Miller, JDWEDI-SNIP Security & Privacy Co-chair

The Kearney Group


2/28

The clock is ticking... Privacy Modification Final Rule -- 8-14-02

Stillretains minimum necessary & oral

communications requirements Compliance deadline is stillApril 03

incidental communication such as

overhearing a fragment of conversation is

permissible--only ifreasonable safeguardsare in place

So what is areasonable safeguard?


3/28

The clock is ticking... Privacy Guidance from OCR -- 12-3-02

Incidental Uses and Disclosures includes oral

communications Two Level Review:

1) reasonable safeguards

2) minimum necessary

Compliance deadline is stillApril 03 So what is areasonable safeguard?


4/28

GUIDANCE states ...

Oral communications often must

occur freely and quickly in treatmentsettings. Thus, covered entities arefree to engage in communications as

required for quick, effective, and highquality care.


5/28

Reasonable safeguards are not ... Structural changes

Encryption of wireless or other

emergency medical radiocommunication

Encryption of telephone systems

Soundproofing of rooms


6/28

OCR Guidance Covered entities also may take into

consideration the steps that otherprudent health care and healthinformation professionals are taking

to protect patient privacy. Best Practices, local, regional, national


7/28

OCR Guidance

In areas where multiple patient-staff

communications routinely occur, usecubicles, dividers, shields, curtains,or similar barriers as may constitute

a reasonable safeguard. Practical Advice


8/28

OCR Guidance

CEs must evaluate what measures

make sense in their environment andtailor their practices and safeguardsto their particular circumstances.

Practical Advice


9/28

Reasonable safeguards are... Standards-based solutions

Best practices-based solutions

Solutions that can be measured &monitored

Solutions that are neither onerous,burdensome, disruptive or expensiveto fix


10/28

Whos policing this? The regulation permits you to file a

complaint against a CE with the Office ofCivil Rights at DHHS

In reality, States Courts are alreadyusingthe HIPAA privacy regulation as thestandard of care to make judgments

See 60 examples atwww.healthprivacy.org


11/28

E.g.,99: Washington, DCA Washington, DC jury ordered a local hospital topay $25, 000 for failing to keep a patientsmedical records confidential. Coworkers

learned of the victims HIV status after anemployee at the Washington Hospital Centerrevealed information in his medical record.

-P. Slevin, Man Wins Suit Over Disclosure

of HIV Status, The Washington Post, 12-30-99, p B4


12/28

E.g.,98: CaliforniaIn 1998, Longs Drugs in California settled a

lawsuit filed by an HIV positive man. After apharmacist inappropriately disclosed the mans

condition to his ex-wife, the woman was able touse that information in a custody suit. However,rather than pursue the suit, the man chose tosettle to avoid a court trial that could result in

news coverageof his illness.Longs Drugs Settles HIV Suit, San Diego

Union-Tribune, 9-10-98, p. A3


13/28

E.g.,02: WisconsinA jury in Waukesha, WI found that an emergency

medical technician (EMT) invaded the privacy of anoverdose patient when she told the patients co-worker about the overdose. The co-worker then

told the nurses at West Allis Memorial Hospital,where both she and the patient were nurses. TheEMT claimed she called the patients co-worker outof concern for the patient. The jury, found thatregardless of her intentions the EMT had no right to

disclose confidential & sensitive medicalinformation, and directed the EMT and heremployer to pay $3000 for the invasion of privacy.

L. Sink, Jurors Decide Patient Privacy Was

Invaded, Milwaukee Journal Sentinel, 5-9-02


14/28

Reasonable safeguards are... Standards-based solutions

Best practices-based solutions

Solutions that can be measured &monitored

Solutions that are neither onerous,burdensome, disruptive or expensiveto fix


15/28

Six Myths & Three Facts

about Oral Privacy

Oral privacy is subjective(no its not)

Oral communication cant be measured or monitored(yes it can)

There are no standards or best practices for oralcommunication(yes there are)

Oral privacy issues will be expensive to fix(no theyarent)

Best solution is to retrain staff to be discrete(good

luck!)

We dont need to do anything thanks to loopholes in the

Rule(doing nothing is not a reasonable safeguard)


16/28

Fact #1: standards are objective,

well known & widely practiced ISO 60268-16

ISO 9921-1 ANSI S3.2

ANSI S3.5 (first published in 1969!)

ASTM 1130-90 ASTM 1110-01


17/28

What the standards do Define the measurement framework (AI)

Quantitatively define three levels of privacy

- confidential privacy (AI


18/28

Fact #2: solutions are

available now & theyre cheap NRC-rated ceiling tiles absorb sound & can

be used where appropriate

NRC-rated, portable panels absorb/blocksound

STC-rated high-TL curtainsseparate patientbeds & block sound

Some white noise systems meet the ASTMoral privacy standard (normal

privacy=AI


19/28

Many solutions are

literally off the shelf Tiles, panels, curtains & white noise

are:

rated to known & accepted standards easy to implement

readily available

very affordable involve no staff re-training


20/28

Blocking speech

intelligibility is a best practice White noise (also called sound masking)

blocks the intelligibility of speech

was developed decades ago and used by DoD

& others for whom oral privacy is a deadlyserious issue (yes, loose lips still do sinkships)

is the most effective way to ensure oral privacy

creates a low-level background sound whichmatches the voice spectrum and isunobtrusive but extremely effective


21/28

White Noise: effective &

affordable White noise or sound masking Used to cost as much as a minimum of $15,000

plus $2.50 or more per square foot of treated

area--but that was awhile ago Miniaturized, digital technology (better

performance than the old way) now costs $150(enough for a waiting room) or about $0.50 per

square foot & can be used only where needed


22/28

Fact #3: Compliance can be

measured & monitored Available instruments measure oral privacyobjectively in order to:

set a benchmark based on a scale ofconfidential privacy or normal privacy

track compliance on a regular basis

maintain an objective record of complianceover time

can monitor compliance in numerous locations


23/28

Case Study: Chain Drug Store


24/28

Case Study: Hospital NursesStation


25/28

Case Study: Hospital

Compliance Complete Survey


26/28

Case Study: Mental Health Clinic


27/28

Summary Oral privacy is protected

The April 03 deadline is real

Standards & best practices abound

Compliance with the law can be

measured Solutions are available & cheap


28/28

Speaker Information Sue Miller may be reached via email at

[email protected]

oral communications and hipaa privacy

Documents