by Arthur W. Williams, III, and Sarah Blackstone
Two health care rules issued recently have made the privacy and transmission of electronic data a significant and more complicated concern for consumers and professionals in the area of augmentative and alternative communication (AAC). The rules govern implementation of the Health Insurance Portability and Accountability Act (HIPAA), a law enacted in 1996 which is designed to protect health insurance coverage for workers and their families after a job loss or change.
One final rule applies to the storage and/or electronic transmissions of patient related information, and is intended to ensure patient confidentiality for all health care-related information. The second--the final privacy rule--covers personal health care information (electronic or non-electronic) that is held or transmitted by a "covered entity" such as a health care provider, a third-party payer, or any of their "business associates" who come into contact with this data. A covered entity that collects, stores, or transmits data--electronically, orally, by fax, or through any form of communication--must comply with all measures described in the HIPAA privacy rule.
AAC devices are electronic machines with speech output that may be PC-based or dedicated devices. They enable people who are unable to speak to construct, store, and transmit intelligible messages. Children and adults with severe dysarthria, apraxia, and aphasia use AAC devices to produce simple words or phrases as well as complex linguistic utterances, letters, email, and even books--depending upon their needs and abilities. The speech output of many communication aids is less controllable than natural speech. Unlike natural speech, which is a transient occurrence, the digitized and synthesized speech of speech output devices is typically stored and can be retrieved and transmitted easily to other devices or people, such as a health care provider.
New assessment techniques involve the collection, analysis, and storage of communication logs. Although researchers' use of these techniques has been governed by institutional review board (IRB) standards, until HIPAA there had been no national guidelines specifying the proper clinical and administrative procedures needed to protect the privacy rights of augmented speakers and other health care patients.
Privacy issues include:
" Storage of logged materials. Several AAC technologies provide the ability to log user and device activity (words, time, buttons pushed, errors, etc.). Although logging is valuable for both research and clinical purposes, it may contain information that the augmented communicator may not want anyone to view. Currently, solutions include improving informed consent procedures, encrypting the log files to restrict access to the information, and providing communicators with the ability to control the logging status of their devices.
" Clinician-patient relationship and use of logs. Confidentiality problems may arise as a result of the informality and closeness of the clinician-patient relationship. Reviewing informed consent criteria with the individuals involved before each logging task could prevent privacy violations and would conform to one of HIPAA's provisions.
" Viewing communication logs. Log files produced by augmented communicators may contain personal information about the communicator and about other persons in the speaker's world, such as care attendants, friends, and family members. To maximize privacy for interlocutors, they may need to be included in the informed consent process or use encryption levels to prevent the viewing of the transcription.
Sarah W. Blackstone is president of Augmentative Communication, Inc. and a partner of the Rehabilitation Engineering Research Center on Communication Enhancement (AAC-RERC). Contact her by email at
sarahblack@augcominc.com
.
Arthur W. Williams, III, president of Arthur Williams & Associates, is ASHA's HIPAA consultant. Contact him through the Action Center at 800-498-2071, ext. 4364, or by email at
awilliams@asha.org
.