
How Will HIPAA Regulations Affect Healthcare Design?
By Sheila F. Cahnman, AIA, ACHA

HIPAA, the Health Insurance Portability and Accountability Act, which was enacted by Congress in 1996, includes recognition of the need for national patient privacy standards. A three-year deadline was set for Congress to enact such provisions. When Congress failed to meet the deadline, the U.S. Department of Health and Human Services (HHS) was required to adopt health information privacy protections through regulation based on certain HIPAA parameters.

The proposed HHS federal privacy standards were first issued in 1999 and received over 52,000 public comments. The standards were formally published in December 2000 and subsequently modified this year after 11,000 more public comments. The final version was published in August 2002. Most covered entities have until April 14, 2003 to comply with the regulations.

Covered entities under HIPAA include:

  • Individual or Group Health Insurance Plans
  • Healthcare Information Clearing Houses
  • Healthcare Providers including Hospitals, Physicians, Clinics, etc.
  • The Department of Health & Human Services
  • Business Associates of Healthcare Entities that receive Protected Health Information

One goal of HIPAA is the security and privacy standards (Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 & 164) that require that secured information can be accessed and seen only by authorized personnel. This preserves the patient's right of consent to disclosure of their personal information. The Privacy Rule will be enforced through the Office of Civil Rights (OCR). A person who believes that a covered entity is not complying will file a written complaint with the OCR within 180 days of the complaint.

What are the Patient Privacy Standards?

164.530(c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

The Patient Privacy Standards require administrative procedures, technical security services and mechanisms, and physical safeguards to protect the integrity, availability and confidentiality of patient information. Obviously, much of the responsibility for compliance rests with personnel training and information system development. However, the term "physical safeguards" has a direct bearing on designers of healthcare facilities. Incidental disclosures of information are allowed "if the minimum necessary and reasonable safeguard requirements are met" per HHS interpretation. But what are these minimum safeguards? How will the guidelines be interpreted?

What is Incidental Use and Disclosure?

The concept of "Incidental Use and Disclosure" in HIPAA has evolved over the last few years of public debate. For instance, HHS has indicated that leaving patient charts outside exam room doors is allowable "as long as the clinic takes reasonable and appropriate measures to protect the patient's privacy". These are interpreted as limiting access to treatment areas and facing private information out of view.

HHS has also stated that "if these (minimum necessary) requirements are met, doctor's offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse stations without fear of violating the rule if overheard by a passerby." HHS is trying not to interfere with good healthcare practice, but to institute a new sensitivity towards patients' private information.

Anecdotally, we are aware of Joint Commission on Accreditation of Healthcare Organizations (JCAHO) reviews that have cited hospitals, under HIPAA guidelines, for registration areas that do not have acoustical privacy beyond open desks with acoustical partitions. As the regulations are enforced, several more issues come to mind:

  • Will bedside registration in an emergency room be allowable if the treatment bay is not enclosed? Can a patient information board be posted in view of other patients?
  • On inpatient units, are totally open nurse stations with easily accessible chart racks really allowable? Do acoustically private areas need to be created for staff?
  • How will confidentiality requirements affect hospitals with a patient/family focused care philosophy (such as Planetree) that encourages open access to charts and joint staff/patient meeting areas?

How will HIPAA affect Workspace Design?

HIPAA specifically addresses controlled access to computer systems and secure workstation location requirements. Based on this, the Association of American Medical Colleges has recommended to its member organizations that "sensitive protected health information processing facilities (be located) in secure areas, protected by a defined security perimeter..." and that facilities should "position workstations to minimize unauthorized viewing of protected health information either by shoulder surfing or by other direct physical means of obtaining access to data present on the workstation". They define workstations as devices such as data terminals, printers and fax machines.

The current trend towards decentralized design on inpatient units and elsewhere typically locates workstations in proximity to patient rooms or treatment areas in open unprotected areas. Although access to hospital or clinic spaces is relatively monitored, the trend towards more family-centered care allows for far more access by those outside of healthcare personnel and patients. As the guidelines are interpreted, the following issues could arise:

  • Will the "cockpit" design of decentralized nursing desks outside patient rooms be allowable since it promotes "shoulder surfing"? Will "timing out" procedures on data terminals be enough to hide patient information from unauthorized on-lookers?
  • Will there be a trend back to enclosed nursing / staff work areas to create a secure perimeter? How will this affect visibility of patient spaces?
  • Can recessed monitors in public areas accomplish the intent of the privacy standards?

Conclusion

As in the case of other federal government mandates, it will be years before a new standard of practice is developed and accepted by reviewing agencies and the courts. As designers we must hold an open dialogue with these agencies and healthcare entities to help balance the need for privacy with operational needs and family involvement. The psychology of HIPAA's privacy standards has already affected healthcare institutions; it remains to be seen how the actual regulations will be instituted.

Sheila Cahnman is Associate Vice President with HLM Design in Chicago, Illinois. She can be reached at scahnman@hlmdesign.com.