Thursday, September 06, 2007

HIPAA Debated on Geek Forum

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA) is a concern of some "geeks" who participate in the online, technology-oriented forums of ZD Net, a component of the CNET Networks media company.

On August 21, 2007, Dana Blankenhorn, a commentator, introduced the topic on a ZD Net forum in his posting "Today’s Debate: HIPAA, end it or mend it?".

He focused on the provisions of HIPAA that favor paper record keeping by smaller, "exempt" health care providers. He postulated that this exemption acts as a disincentive for the uniform, effective exchange of personal medical information in the form of an "electronic health record".

His concerns derive from the "Privacy Rule" under HIPAA, which was most recently revised on April 3, 2003.

The "HIPAA Home Page" maintained by the U.S. Department of Health & Human Services, Office for Civil Rights, has provided background about the Standards for Privacy of Individually Identifiable Health Information (2 pages, PDF, 45 KB), and also has provided a Summary of the HIPAA Privacy Rule (25 pages, PDF, 372 KB).

The Privacy Rule standards address the use and disclosure of individuals’ health information — called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used.

Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.

Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. * * *

Significantly, the HHS website also highlights its recent oversight efforts. See: "HIPAA Privacy Compliance & Enforcement" (04/20/07).

This is what the ZD Net commentator wrote to commence discussion online regarding HIPAA:

HIPAA has become an all-purpose excuse against automating medicine.

In practice HIPAA protects no one. The first thing every patient must do on arriving at any doctor’s office today is sign away their rights under the law. No one wants to be sued over a paperwork issue.

HIPAA has also destroyed the competitiveness of small practices. Because it had a loophole making small practices immune from its controls, hundreds of thousands of doctors have simply refused to switch from paper records.

Conservatives will say “I told you so” and call for scrapping HIPAA. That’s an ideological argument, however, which assumes the flaws in the law can’t be fixed and lawlessness is preferable.

I believe the flaws can be fixed, if we start with a new privacy policy which states, simply, that your medical data belongs to you. Your data is yours, and your right to that data can’t be transferred or limited by contract.

Instead each time a doctor or hospital you’ve given data to wants to share it, you must be notified. This can and should be done electronically. Those who’ve resisted EHR because of HIPAA will now have an incentive to convert.

Beyond this we need audit trails. And standards covering the handling, the format, and the transmittal of EHR data. If anything should provide safe harbor it should be standards whose compliance we can track. * * *

In response to his question, "Should we mend HIPAA, end HIPAA, or leave things as they are?", thirty-nine replies were lodged (up to September 5, 2007). Some of the responses are long & detailed; some are mere quips.

Here are excerpts taken from the posted responses that struck me as most interesting:
  • "The HIPAA rule as it was written has always been absurd, especially in dentistry. The loophole you mention is one we can never dare close. It is called a business decision based on common sense and exercised in freedom." --Comment by Darrell (a dentist)
  • "HIPAA didn't happen overnight and EHR is not likely to approach any level of standardization for years. Sorry to dampen the EHR evangelical spirits but it's pretty complicated and messy." --Comment by Dana
  • "HIPAA does not restrict use of medical information for treatment purposes. It restricts disclosure of medical information. The two are different, even if many healthcare professionals can't understand the difference. * * * Unfortunately, fear of HIPAA has caused a communications breakdown to an absurd extent." --Comment by rbjbr
  • "Electronic Medical Records; this is a can of worms. There are many folks who, with good reason, do not want electronic medical records. Just look and see all the credit card information that is stolen or misused. There are those like myself who welcome the day that this is standardized." --Comment by Bob (the most detailed & informative response of the lot)
  • "Much of the complexity and confusion results from HHS being unwilling to impose sensible requirements, particularly on hospitals, because of the threat that "it would cost too much." Consequently, the rules are a convoluted mess, almost impossible to understand or implement consistently. As a form of self-defense, providers had almost no choice but to require the patients to release most of their rights or risk litigation for accidental disclosures or violation of obscure, conflicting, and inconsistent rules." --Comment by Roger
  • "[T]he problem with HIPAA . . . is it didn't go far enough. Many of the largest companies (in particular, the Blues) have refused to fully move to the standard format, citing technicalities and less than genuine interpretations of the legal definitions. Getting the industry all on the same data format was supposed to be one of the primary methods of costs savings, but we need to strip out the loop holes." --Comment by Stormculture
  • "An overwhelming percentage of the sub-specialities of the AMA have or are mandating private practice offices go paperless. The American Family Practice Association is an excellent example. The concern over going completely paperless stems from your government, Mr. Blankenhorn. When 22,000 Veterans Administration patients' private and personal healthcare information walked out the door on a laptop; health administrators and physicians became wary for obvious reasons." --Comment by rbigcat
  • "Has anyone ever read a HIPAA privacy statement, and understood it without a law degree? To claim that an unintelligible 6-page form is in fact adequate notice and therefore you can do what you want is just nonsense." --Comment by Dana Blankenhorn
  • "HIPAA has caused a great leap forward in causing providers, payers and others to put in at least a minimal floor for security, and in standardizing formats. Ten years ago most medical records were basically available to anyone who asked, without any effort made to check the validity of the request. While many providers are now doing things which make actually providing healthcare more difficult, many of those are not actually required by HIPAA, but are an attempt to limit potential liability for cheap by not investing the time, effort and expense to really learn what HIPAA says you need to do. It is much easier to refuse to give out any data than to figure out what you should or should not be releasing." --Comment by Gardoglee
  • "[My six-point suggestion list] is a starter list, but it is meant to deal with the major problems involved with HIPAA -- the interference by the US government and the delicate balance between a caregiver's need to know and a patient's privacy." --Comment by BlarmanZ

Such debate will continue regarding the efficient & effective rendering of health care by providers, which can be improved by technology, while also respecting the patient's personal privacy rights, which can be violated so speedily by the same technology.

These considerations persist in the situation of a health care agent (designated under a health care directive) or a health care representative (authorized under a state statute), who must make medical decisions on the basis of "substituted judgment" for a patient who has become unable to do so personally.