June 30, 2006 HIPAA knows no boundaries
  HOTLINEmast.gif (13932 bytes)

mgh logo.gif (3422 bytes)

June 30, 2006

HIPAA knows no boundaries

To help MGH employees and staff avoid privacy breaches under the Health Insurance Portability and Accountability Act (HIPAA) guidelines, the MGH offers continuing education about HIPAA rules and regularly publishes questions about patient confidentiality in the MGH Hotline, which are answered by Eileen Bryan, MGH's HIPAA compliance specialist.

HIPAA is a comprehensive law that addresses various aspects of the health care system — such as increasing the portability of health care coverage for individuals changing jobs and increasing efforts to prevent health care fraud and abuse. One of the most significant aspects of HIPAA is that it ensures the privacy and security of electronic interchange of health care information. All health plans, health care
clearinghouses and any health care providers must comply with HIPAA regulations.

The goal is to protect the privacy and security of health information. "At the MGH, our relationship with our patients is built on trust," says Bryan. "Patients trust that they will receive the best quality health care, and that we will protect their health information. If our promise to keep their information confidential is not upheld, patients would be reluctant to share the information that we need to know in order to provide them with the best quality care and services. We treat all our patients, including employees who also are patients, with the same respect and dignity in regard to their health information."

Q. Some employees may feel that it is OK to have a discussion behind closed doors with leadership or medical staff during which a patient is identified and his or her health information is discussed. After all, aren't these meetings confidential in their own right?

A. No. If the individuals present in the room are not involved in a patient's care, they do not have a legitimate need to hear the details about the patient. HIPAA requires all staff to maintain a minimum necessary standard at all times. This means that only the minimum information should be shared to meet the reason for the disclosure or to make one's point about a topic. Staff members should refrain from identifying patients as much as possible while still making the information useful for the intended purpose. Employees may be speaking in front of other MGH employees who are patients, and they too would want colleagues to treat their information with confidentiality. It doesn't matter if the doors are closed and the meeting is labeled as confidential, staff members still should follow the federal standards under HIPAA. For more information, MGHers can access the Minimum Necessary Policy in the Trove Privacy and Security Manual online at intranet.massgeneral.org/hipaa/default.asp.

Return to the June 30 table of contents