• We are sorry, but NCBI web applications do not support your browser and may not function properly. More information
Logo of phimLink to Publisher's site
Perspect Health Inf Manag. 2007; 4: 1.
Published online Mar 23, 2007.
PMCID: PMC2082070

Assessing the Effects of the HIPAA Privacy Rule on Release of Patient Information by Healthcare Facilities

Shannon H Houser, PhD, MPH, RHIA, assistant professor, Howard W Houser, PhD, professor, and Richard M Shewchuk, PhD, professor

Abstract

The HIPAA privacy rule (HIPAA) has had both positive and negative effects on the release of patient information by healthcare facilities. Although the intention of HIPAA was to protect patient privacy and to promote security and confidentiality of patient information, it has had unintended consequences for facilities. To identify some of these unintended effects, two expert panels of health information management directors from healthcare facilities participated in the nominal group technique meetings. They identified 70 barriers related to release of patient information associated with the implementation of HIPAA. The perceived biggest barriers were increases in the public's misunderstanding about release of patient information, lack of an umbrella policy or regulation defining infractions and enforcement that allows individual institutions to make their own interpretations, and challenges to health information management professionals in controlling safeguards related to release of information given the transition to electronic health records and the increased involvement of information technology. The findings from this study suggest there is a need for additional clarification of the regulations governing HIPAA, standardized instructions, and extensive training of healthcare workers.

Key Words: HIPAA privacy rule, nominal group technique, release of patient information

Introduction

Intending to establish minimum federal standards for safeguarding the privacy of individually identifiable health information, the new federal regulations under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule became effective on April 14, 2003.1 HIPAA governs how healthcare providers may use and disclose personally identifiable health information regarding their patients, and it also addresses individuals' rights to protect their own health information. While HIPAA protects individuals' health information, it has the potential to interrupt the flow of health information needed to provide and promote high-quality healthcare in a timely fashion.

The HIPAA regulations influence both personnel and the organization in a covered entity, including health plans, healthcare clearinghouses, and healthcare providers (physicians, hospitals, and clinics) who transmit health information in electronic form in connection with certain transactions.1 The effects of these transactions related to release of information after HIPAA implementation are especially pronounced for health information management (HIM) professionals and have required changes. In particular, HIM practitioners had to comply with regulations and meet the regulation expectations. HIM professionals were facing challenges from different dimensions: patients, the public domain such as political figures and news media, and other healthcare providers, while interpreting the rules by themselves. According to Firouzan and McKinnon, a statewide survey of HIPAA privacy implementation issues in Pennsylvania healthcare facilities revealed that HIM professionals held a central role in the HIPAA implementation in addition to their development of policies that affect all healthcare professionals within their organizations.2

After more than three years of HIPAA privacy rule implementation, some questions and issues have emerged regarding how HIM professionals should be implementing the HIPAA regulations, what barriers or problems have been encountered while implementing HIPAA, and what the severity and intensity of those barriers were or problems that influenced HIM professionals in the release of health information. The objectives of this study were to identify the effects and their intensity of the HIPAA privacy rule on release of patient information by healthcare facilities and examine barriers and problems that emerged post-HIPAA privacy rule relating to the release of patient information.

Methods

Nominal Group Technique

The nominal group technique (NGT) was originally developed by Delbecq, Van de Ven, and Gustafson as an organization-planning technique.3 It has been applied to behaviors and issues in health research, and identifying factors affecting continuing medical education in physicians.47 The NGT is considered a cost-effective and time-efficient method for eliciting information from panels of key informants for needs assessment and formative phases of broader research.8

The NGT approach is a consumer-oriented formal brainstorming or idea-generating technique that is assumed to foster creativity and to be particularly effective in helping group members articulate meaningful disclosures in response to specific questions.9 The format of each NGT meeting consists of five basic steps: generating ideas, recording the ideas, discussing the ideas, selecting and prioritizing the collection of responses individually, and aggregated individually ranked selections across participants.9

The highly structured NGT process minimizes the process loss, or the information that is not obtained due to the interpersonal dynamics digression that often occurs within unstructured focus groups, particularly when there are real or perceived power differentials among group members.5,6,10

Question Development

Unlike traditional focus group sessions, responses provided by NGT meeting participants are circumscribed by a single question. Before specifying the question used for the NGT in the study, several candidate questions were qualified using a cognitive interviewing process to assess how they were evaluated and whether they were understood and elicited information as intended for the study. A cognitive interviewing process is a form of usability assessment that ensures the questions are understood as intended by the respondents.11 These questions were subsequently pilot tested with local experts. A single question was selected after final refining and discussion.

Study Sample and Procedure

The NGT meetings conducted in this study were intended to collect primary information for a survey design that will be distributed to a larger group of HIM professionals.

The two NGT meetings were conducted in October 2005, in conjunction with the AHIMA annual convention in San Diego. Fourteen HIM directors were selected from the annual AHIMA meeting member attendee list and placed on Panel 1 (n = 6) and Panel 2 (n = 8). Seventy-nine percent of those participants have had more than 20 years' experience in the HIM profession, and 43 percent held a master's degree. The expert panels represented 14 healthcare facilities in 10 states. Participants were compensated with a $25 gift certificate for participating in the NGT session. Institutional review board (IRB) approval was obtained from the university and informed consent was attained from study participants.

Measures

Initially, the participants were asked to independently generate a list of brief responses to the question, “From the perspective of HIM professionals, what barriers and problems regarding the release of patient information have emerged as a result of the HIPAA privacy rule?” Using a round-robin format, participants were given an opportunity to individually present their responses to the group. To avoid the disruptive effects of discussion on information generation, participants were asked to refrain from providing any response's rationale, justification, or explanation during this phase of the meetings. Each response was recorded verbatim on a flip chart to help participants recollect previously nominated responses and avoid repetition. This nomination process ended when participants were unable to generate additional responses. The list of responses was then reviewed briefly for clarification but not evaluation. Each participant was then instructed to individually select from the entire list of responses what they perceived were the three most significant barriers or problems related to the release of information. Each participant then ranked the significance of the barriers they selected (rank 1 = least severe problem and 3 = most severe problem). The individual rank ordered responses were then aggregated across all participants to obtain a group-level prioritization.

Results

Panel 1

Panel 1 (n = 6 panel members) generated 33 key responses. Of these 33 responses, 11 were endorsed by at least one panel member as among their three significant barriers to release of patient information. In other words, there were 11 of 33 responses selected and assigned votes reflecting an individual rank order of 1 to 3. Results reflecting the aggregation of these individual rank orderings are presented in Table Table1.1. There were three panel members who perceived response #2, “Additional barriers in releasing health information to caregivers with legitimate need to know,” as one of their three most significant barriers affecting the release of information. They assigned three weighted votes (i.e. rankings of 2, 3, and 3) representing 22.2 percent of the total available weighted votes. Two members of the panel endorsed response #17, “Conflicts between nurses and HIM professionals regarding interpretation of HIPAA,” as a significant barrier by assigning six votes or 16.7 percent of the total available votes to this response. Response #1, “Increase in public's misunderstanding about release of information,” received five weighted votes, which counted for 13.9 percent of the total weighted votes. The three response items (#2, #17, #1) accounted for 53 percent of the total available weighted votes (19 out of 36). In addition, response #23, “The lack of an umbrella policy or regulation defining infractions and enforcement allow individual institutions to make their own interpretations,” and response #8, “Uncertainty of clinic or staff in verifying identity of family or authorized persons in the context of patient consent,” were both endorsed by two of the six panelists as one of their three most significant barriers and accounting for 8.3 percent and 5.6 percent of total available votes respectively. Finally response #5, “If requested to account for disclosures, will present myriad problems,” although not endorsed by multiple panelists, was considered by one participant as the most significant barrier and accounted for 8.3 percent of total available votes (Table (Table1).1). A bar chart represents the weighted vote assignment to barriers identified as most significant by this panel is shown in Figure Figure11.

Figure 1
NGT Panel One Responses
Table 1
NGT Panel One Ranked Vote Responses

Panel 2

Panel 2 (n = 8 panel members) generated 37 key responses. Fourteen (14) of them were endorsed by at least one panel member as among their significant barriers to release of patient information. Results reflecting the aggregation of these individual rank orderings are presented in Table Table2.2. There were four panel members who perceived response #21, “Given the transition to electronic records and the increased involvement of IT, what constitutes health information, its tracking and release, challenges HIM in controlling safeguards in release of information,” as one of their three most significant barriers affecting the release of patient information. They assigned four weighted votes (ranking of 1, 2, 2, and 3) representing 16.7 percent of the total available weighted votes. Three members of the panel endorsed response #31, “Given that HIPAA is so complex, it is difficult to hire and find qualified staff who can make decisions regarding release of information,” as a significant barrier by assigning seven votes, or 14.6 percent of the total available votes, to this response. Response #4, “The requirements for release of information forms are so structured, staff doesn't know whether to honor a given request for information,” received six weighted votes, which counted for 12.5 percent of the total available votes. Response #12, “Given the scope of mandated government demands and requirements, disclosure accounting has become overly burdensome,” and response #34, “Ensuring compliance with HIPAA has caused hospitals to incur substantial additional costs,” each received four weighted votes, which endorsed 17 percent of the total votes. A bar chart represents the weighted vote assignment to the barriers identified as most significant by Panel 2 shown in Figure Figure22.

Figure 2
NGT Panel Two Responses
Table 2
NGT Panel Two Ranked Vote Responses

Discussion

When asked to focus on barriers and problems that have arisen because of the HIPAA privacy rule, the two groups were able to identify 70 responses that could be reduced to 25 nonredundant responses. Examination of the overlap among the prioritized responses from both NGT meetings indicated considerable agreement concerning the most significant barriers to the release information. Both Panel 1 and Panel 2 participants agreed that increases in the public's misunderstanding about release of patient information, lack of an umbrella policy or regulation defining infractions and enforcement that allows individual institutions to make their own interpretations, challenges to health information professionals in controlling safeguards related to release of information given the transition to electronic records and the increased involvement of IT, difficulty in following the rules, and finding qualified staff who can make decisions regarding release of information with confidence are all significant barriers affecting release of information. A common theme of many responses—given by stakeholders ranging from the public to health professionals to politicians to family members—was the lack of knowledge of the new rules and conditions imposed by HIPAA. These observations may be a commentary on how loose and unrestrictive the conditions were before HIPAA.

A major response arising from the second panel focused on the loss of control by HIM professionals over release of patient information when electronic health records emerge and information technology personnel control some of the information. This observation suggests a need for clarification within the law regarding control over release of information and definition of limits on personnel not possessing an HIM credential. Another viewpoint would be that as electronic health records evolve to a paperless state, the disciplines of HIM and IT may of necessity merge, or HIM could be submerged or even eliminated within IT given inadequate definition and clarification within the law.

The complexity of HIPAA was felt by many to limit possibilities for employing individuals who are confident that they already understand and can operate in a decision-making capacity when applying the law and managing the release of patient information. Reinforcing this point is the observation by group members that additional costs have been experienced in training programs to prepare existing and new employees to operate within the law. It will be interesting to see if these observations are borne out in the larger study.

Two additional responses reflect some of the administrative baggage that has been added to the process of releasing patient information. Many thought the structure of release of information forms is perceived to be so structured that often staff do not know whether to honor as legitimate some of the information release forms presented if they differ from their own in format. The primary author has experienced this phenomenon frequently in the context of a large national research study obtaining patient records from hundreds of health providers. Likewise, disclosure audits mandated by the government related to this law have become overly burdensome on operations as HIM professionals attempt to be accountable and to monitor, document, and control all facets of information release.

In human dimensions, one of the highest ranked responses was the observation of increased conflict between nurses, the most numerous, ubiquitous, and major contributors to patient information records, and HIM professionals who are custodians of the records regarding the interpretation of HIPAA rules. The sheer numbers of nurses in a healthcare organization provide occasions of individual interpretation of the rules that do not always coincide with those of HIM. This again is perhaps a recommendation to clarify and define who will have the final say in conflict situations arising over the interpretation of HIPAA.

Conclusions

Healthcare organizations have virtually always created patient-related information in what are known as medical records. With authorization and within the confines of existing laws, (mostly state), they have released that information to third parties ranging from health professionals, other healthcare organizations, families, and other members of the public. Few would disagree that at the perimeter there has been a substantial amount of historical carelessness with patient information and that the HIPAA privacy rule attempts to address these deficiencies. In doing so, there were bound to be problems in implementation and interpretation of the intent of the law. This research is attempting to document some of the natural and unintended consequences of making this change. The nominal groups used to initiate this study have identified many responses common to their experience and they are recorded here. The study will continue on a much larger scale, seeking similar information from a large random sample of HIM professionals and a special sample of HIM professionals working in teaching hospitals. The overall results should produce documented barriers and concerns related to release of patient information in the context of the HIPAA privacy rule. This information can in turn be used to encourage changes in both the law and regulations related to the law to enhance the efficient and effective release of patient information authorized by patients.

HIPAA has created great challenges to HIM professionals regarding release of patient information. More clarification of the law, standardized instructions, and extensive training of healthcare workers should be addressed.

Acknowledgements

This study was supported by a funding grant from the Foundation of Research and Education (FORE) of the American Health Information Management Association.

Contributor Information

Shannon H Houser, Health Services Administration at University of Alabama at Birmingham, in Birmingham, AL.

Howard W Houser, Health Services Administration at University of Alabama at Birmingham, in Birmingham, AL.

Richard M Shewchuk, Health Services Administration at University of Alabama at Birmingham, in Birmingham, AL.

Notes

1. Department of Health and Human Services Standards for Privacy of Individually Identifiable Health Information. Final rule. Federal Register. December 29, 2000;65(251) Available at http://www.hhs.gov/ocr/hipaa/privacy.html.
2. Firouzan P. A, McKinnon J. HIPAA Privacy Implementation Issues in Pennsylvania Healthcare Facilities. Perspectives in Health Information Management. 2004;1(3):1–7. [PMC free article] [PubMed]
3. Delbecq A. L, Van de Ven A. H. A Group Process Model for Problem Identification and Program Planning. Journal of Applied Behavioral Science. July/August 1971;VII:466–492.
4. Elliott T. R, Shewchuk R. Using the Nominal Group Technique to Identify Problems Experienced by Persons Living with Severe Physical Disability. Journal of Clinical Psychology Medicine. 2002;9(2):65–76.
5. Kurylo M. F, Elliot T, Shewchuk R. FOCUS on the Family Caregiver: A Problem Solving Training Intervention. Journal of Counseling and Development. 2001;79:275–281.
6. Miller D, Shewchuk R, Elliot T. R, Richards S. Nominal Group Technique: A Process for Identifying Diabetes Self-care Issues among Patients and Caregivers. Diabetes Education. 2000;26:305–310. 312, 314. [PubMed]
7. Kristofco R, Shewchuk R, Casebeer L, Bellande B, Bennett N. Attributes of an Ideal Continuing Medical Education Institution Identified through Nominal Group Technique. Journal of Continuing Education in the Health Professions. 2005;25:221–228. [PubMed]
8. Potter M, Gordon S, Hamer P. The Nominal Group Technique: A Useful Consensus Methodology in Physiotherapy Research. Journal of Physiotherapy. 2004;32(3):126–130.
9. Delbecq A. L, Van de Ven A. H, Van de Ven, Gustafson D. H. Group Techniques for Program Planning: A Guide to Nominal Group and Delphi Processes. Genview, IL: Scott Foresman; 1975.
10. Gallagher M, Hares T, Spencer J, Bradshaw C, Webb I. The Nominal Group Technique: A Research Tool for General Practice? Family Practice. 1993;10:76–81. [PubMed]
11. Willis G. B. Cognitive Interviewing: A Tool for Improving Questionnaire Design. Sage Publication Inc.; 2005.

Articles from Perspectives in Health Information Management are provided here courtesy of American Health Information Management Association
PubReader format: click here to try

Formats:

Related citations in PubMed

See reviews...See all...

Cited by other articles in PMC

See all...

Links

  • Cited in Books
    Cited in Books
    PubMed Central articles cited in books
  • PubMed
    PubMed
    PubMed citations for these articles

Recent Activity

Your browsing activity is empty.

Activity recording is turned off.

Turn recording back on

See more...