Wordie's Blog

We Need to Fix The Health Insurance Portability and Accountability Act (HIPAA) BEFORE We Develop a National Electronic Medical Records Database UPDATED!


We need to move carefully in establishing a national electronic medical records database, since there are serious problems as it stands now with healthcare records privacy. The fairly recent Privacy Rule (2006), established under the Health Insurance Portability and Accountability Act (HIPAA, 1996), was touted as a measure that would protect patient records, but turned out to be no more than another GWB/Orwellian type measure: it sounds good, but then one discovers its effect is the opposite of what it was ostensibly supposed to achieve.

In fact, not long after the HIPAA Privacy Rule went into effect, a coalition of medical providers sued HHS because of the more egregious but little-known provisions of HIPAA that, despite all the promises, actually provided less control by consumers over their personal medical data. Unfortunately, the decision was against the coalition, so the questionable rules remain.

Further, although HIPAA did establish some apparently stronger guidelines for records confidentiality, it gives patients no right to file a private lawsuit to challenge those who violate the confidentiality rules. Only the Secretary of HHS can sue. So in the years since the HIPAA privacy rules were passed, there have been hardly any lawsuits for confidentiality breaches under HIPAA. Here's a recent article from a Healthcare IT website about the almost non-existent HIPAA enforcement.

So HIPAA appears to be a case of legislative bait and switch: a tedious process (all those forms we have to fill out) deceives us into thinking the records are protected, but in reality many HIPAA protections are illusory, and the lack of enforcement by HHS means it's a law without teeth.

Patient confidentiality is a very serious issue. A study sometime before the HIPAA Privacy Rule was put into place found that around 3 out of 4 (that's 75%!) of medical consumers felt there had been breaches of their medical records. And even after the passage of HIPAA, studies revealed significant concern among medical consumers over records privacy. How much worse would this be if there were a centralized database? Who would have access to such a database? What specific information would it contain? What protections would be put in place to prevent unauthorized access? Would the consumer have access to their personal information, or only medical and governmental personnel? What procedures would there be for correcting errors in the record? Obviously, those with conditions that are subject to substantial social stigma, such as mental illness or HIV/AIDS, have a much higher level of concern about how these questions may ultimately be answered, but anyone who visits a doctor has the right to expect effective safeguards of their privacy. So it's reasonable to raise serious questions about the newly proposed database, especially in light of the many failures to protect patient information even after HIPAA was passed. And the questions above are just a start; there are many more questions that need to be asked and answered before we, as citizens, sign off on something like this.

The idea of electronic records may be a very good one, when looked at primarily in terms of efficiency. We do need to find ways to reduce our ridiculously large medical expenditures. But there are potentially very serious problems with records privacy that need to be resolved first.

UPDATE: 2-13-09, 3:51pm PST
I am very happy to report that in researching this issue further, I happened upon additional new information that says the Congress included stronger medical records protection as part of the stimulus. And it looks like the medical records privacy issues made it through the conference committee, so we're almost there. Apparently, Congress wrote in a provision that establishes that advocacy groups will be participating in the regulatory process, a very good sign. (Initially Congress, in writing HIPAA, apparently intended for there to be strong privacy protections for medical records, but it was in the writing of the rules by HHS that things became watered down and dicey.)

Here's an excerpt from an article I found, written just today, on what's in the stimulus bill regarding medical records privacy protections:

Economic stimulus legislation awaiting final approval by Congress, then expected to be signed into law by President Barack Obama, includes more stringent medical records privacy requirements along with $19 billion in funding for health information technology (IT).

The American Recovery and Reinvestment Act (H.R. 1) would provide grants and payment incentives for physicians, hospitals, nursing homes and other health care entities to adopt and make meaningful use of technology designed to create and manage electronic health records (EHRs).

The legislation also includes provisions intended to shore up public confidence in the use of EHRs and personal health records (PHRs) by beefing up enforcement of and expanding the scope of businesses covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

HIPAA consultant John Parmigiani said Feb. 12 that he expects the health IT provisions in the economic recovery bill to have a "significant impact" on health care privacy and security.

Because it speaks to privacy and security breach notifications, increased enforcement, audit trails, encryption and "a definite concern for driving the attainment of an EHR while protecting patient information," he said, the legislation "emphasizes the critical ingredient in fostering widespread implementation, acceptance and use of e-health -- trust -- among patients, providers and payers to effectively and efficiently deliver health care and share health care information."
http://www.thompson.com/public/newsbrief.jsp?cat=HEALTHCARE&id=2058
 
I'm going to be keeping my fingers crossed...

32 Comments

user-pic

Absolutely right. I'm a psychologist, and I'm very concerned about this. People may not know this, but therapists are required to write a narrative account (called a session note or progress note) that details what went on in the session, and these notes are part of the patient's chart, and can be examined by regulators, auditing agencies, health insurers, and other professionals collaborating in treatment. These notes should NOT be part of an electronic record that all health providers and insurers can access. In fact, my feeling is that session notes should be private property of the therapist, and instead of a narrative, a checkbox form or something less personal should go into the formal chart.

user-pic

Thanks for your reply, Tom, and for your insight into the matter. Psychological session notes are just one area where release of information could have serious impact upon the individual, not to mention the chilling effect on the patient who becomes aware of how many people can access such information.

HIV/AIDS is another obvious area of concern. Since HIPAA can override state law in many cases, do those states that have instituted strong protections for consumers' HIV status information lose the ability to protect that information? Will people avoid getting tested as a result of fears of potential exposure of their private information?

And the information will be exposed. Human beings are curious animals, and if the information is there, sitting readily available on some server someplace, someone will decide to access it.

user-pic

While the issue of privacy is of great concern, my experience is that doctors in an institution that uses electronic record keeping are far more responsive than those that don't.

user-pic

That may be, Kali, but what about all the others who potentially have access to those records. It's not just your doctor who can access them under HIPAA, you know.

user-pic

I understand the problem. But when time is crucial as it is with cancer treatment, and a doctor at a hospital that might be hundreds of miles from a patient's home has immediate access on computer to latest tests, MRI's, etc., and the patient and/or family hasn't had time or the means to drive around and gather such things, the result might save a life.

user-pic

Kali: Oh sure! That's why, in my view, we shouldn't reject the idea of electronic records because of the problems with HIPAA. But we need to fix the problems with HIPAA first, before such a database is put into use. And really before it's developed as well, so that the system is developed with appropriate privacy protections in place from the beginning.

user-pic

With something so complicated what can regular people do to have an effect? This maze of complications somehow keeps health insurance always beyond reach. It's frustrating and I end up so furious with all government officials. Something more radical has to happen.

user-pic

Oh, I agree, it's very frustrating. I suppose a first step is always to write your representatives: http://www.congress.org although I've also heard that a personal phone call carries a little more weight. There are several organizations working on medical privacy issues. Here's some info from a couple of them:

The Privacy Rights Clearinghouse works on issues relating to privacy in general, including medical records privacy: http://www.privacyrights.org/index.htm

Also, for anyone in healthcare management who happens to read this and wants to get involved, AHIMA (American Health Information Management Association) is planning a Health Information Privacy and Security Week, April 12–18, 2009. They have a lot of information and tools on their website:
http://www.ahima.org/hipsweek/

Here's part of what they say:

Health information is vital to the delivery of care, and so is keeping it secure. Health information management and technology professionals work diligently throughout the year to ensure valuable information is only available to those who need it and no one else. It’s more than a commitment. It’s a mission, and it’s essential to maintaining the trust of the people and communities we serve. It’s a cause we celebrate and reconfirm each year during Health Information Privacy and Security Week.
(They sound like a good organization.)

But, read the update to my original post for what sounds like some really good news...

user-pic

Making the system more efficient, responsive and (hopefully) safer is fine and should be done. With the appropriate cautions of course.

However...this will not make it any less costly. The insurance companies, hospitals, doctors, medical labs and pharmaceuticals will simply pocket any savings themselves. They will not pass one red cent on to the consumers. Remember, in this country medicine is a business. First, last and always.

C

user-pic

I sense that you support universal healthcare. Me too, although the records privacy issue isn't the only reason. I suppose that lacking universal care though, there could conceivably be measures established so that doctors and others would be required to pass along any savings to the consumer.

user-pic

There is another concern the electronic medical records would be used as a sort of 'mailing list' for drug companies, as in "We see that your records indicate you use X medication for your condition. How about using our Y medication instead? Ask your physician."

I understand the usefulness and economy of readily available health records, but I have serious issues with the types of people who would have access to them, such as marketers. Who is going to decide who gets to see what?

user-pic

Exactly! And physicians are ALLOWED to sell information to pharmaceutical companies under HIPAA (as I understand it). This is from a HIPAA FAQ, available here: http://www.dmaresponsibility.org/HIPPA/#III1

What types of marketing communications are allowable without authorization? The following marketing activities are allowable without authorization:

* Face-to-face encounters with individuals
* When the marketing communication is in the form of a promotional gift of nominal value (e.g., calendars, pens);
* Communications with the individual to describe the health benefits of a product or service, such as informing individuals about:

(1) services and payment options available by a health plan,
(2) names or types of providers that offer different services,
(3) whether a specific provider participates in a network,
(4) whether and what portion of payment will be provided by a specific provider, and
(5) health-related products or services available only to a health plan participant that are not part of the plan benefits but add value to it. This one is known as the exception for "VAIS" or value-added items or services.

* Communications regarding treatment, case management or care coordination, and recommending alternative treatments, therapies, health care providers, or settings of care to the individual. This allows activities such as referrals, prescription reminders, appointment notifications, disease management and wellness programs, and recommendations and other communications that address how a product or service may relate to the individual's health.

So, apparently, personal information may be shared as long as a promotional gift is included!!! Jeez.

user-pic

I get this shit from my prescription plan. It goes right in the g-can. #@!&^ State of Fl...any way.

C

user-pic

I worked briefly for a mail order pharmacy that called doctors and convinced them to change x to y without the patient's knowledge or permission. We did it automatically unless the patient read the fine print carefully and checked a box stating they do not want us to perform this cost saving "service."

That's right. You have to check a box if you do not want your pharmacy to call the doctor behind your back and get your expensive prescriptions changed to cheaper ones.

As a pharmacist in the customer service call center, part of my job was to defend this corrupt and dishonest practice to the hundreds of angry callers who'd found a surprise prescription in their mailbox. I only lasted 3 months.

user-pic

I probably should add that this was originally written as a reply in Coonsey's post, "Age a factor in getting medical care - In Stimulus Bill?"

For some reason, my comment just wouldn't post, although my first comment in the blog posted, and although I was able later to post comments in other blogs. Weird, eh?

user-pic

The Good, the Bad & the Ugly.

People do not think about issues behind issues.

The good: A man is in an automobile accident. He has been a victim of severe head trauma. His pulse is weak.(Here add whatever symptoms you wish) Because of a microchip embedded in his DL, the ER records nurse pulls up all his medical records, finds treatment for adult onset diabetes without insulin, a previous head trauma......

The bad: A man is arrested on suspicion of engaging in the traffic of illegal substances, a cop taps into the medical records matrix, and uses all information found to convict the man of distributing drugs.

The ugly: Fifty five drug companies send a man advertisements via email and fax because they have information that he has been treated for some particular disease.

Watch Law and Order sometime, closely like I have since I do not have a life and I have a legal background. Medical records, psychological records, old juvenile records...these end up coming into play in our legal system every single day. The public does not know this. And confidentiality does not mean what it meant fifty years ago.

This is an important post and there is no easy answer.

user-pic

You're completely correct, dick, that there are positive uses for a national medical records database as well as the potentially negative ones I've focused on here. That's why I don't reject the idea of a national database outright. Still, the privacy issues must be resolved first.

But I personally think your negative scenario was something of a softball. What about this: a woman tests a second time to correct her first false positive test for HIV, but only the first test is recorded in the database. Although her potential new employer never tells her, this was the reason she was turned down for that better paying job she applied for. (Or, even worse, the reason she lost the job she has now.)

user-pic

Oh yes Wordie. Absolutely. I was simply attempting short categories. There could be thousand page tomes on this subject because in the end everything is anecdotal. This is scary stuff!!!!!

user-pic

Yeah, there are really endless potential nightmare scenarios. Right now, the rules are so ambiguous. What exactly does "healthcare operations" mean, anyhow? Did you know that your information can be shared without your prior authorization if it's for "healthcare operations?"

Here's what the earlier website says are "healthcare operations":

What is the definition of health care operations? Health care operations include but are not limited to the following:

* Certain fundraising activities for the covered entity's own benefit;
* Quality assessment and improvement activities;
* Insurance underwriting, premium rating, and related insurance activities;
* Business planning, development and management activities;
* Licensing and audits;
* Evaluating health care professionals and plans; and
* Training health care professionals

But if one really thinks about those, there's room for quite a bit of interpretation. And besides, since the law has no teeth anyway, one can easily imagine information being available to that weird neighbor who just happens to be a physician's assistant. And there would be hardly a thing you could do about it.

user-pic

This is an excellent commentary.

I agree with you completely -- people are much too vulnerable without the HIPAA reform coming first.

user-pic

Thanks, cheesenstein.

Yet there appears to be little awareness among the general public that there's still a problem. They seem to have gotten the wool pulled over their eyes by GWB's so-called HIPAA Privacy Rule. I'm not certain anyone is really paying attention. If we go to a national database without fixing this first, the privacy problems will be multiplied a thousand times, and we'll have far less of an opportunity to fix them.

user-pic

If you think medical records ought to be confidential, it makes sense. Since I don't, I can't get excited.

user-pic

El Presidente said:

If you think medical records ought to be confidential, it makes sense. Since I don't, I can't get excited.

That seems an odd comment, coming from someone who apparently cares enough about privacy not to use his/her own name to post. Perhaps you'd like to explain your thoughts...

user-pic

Cute.

I guess my point is that medical records are "relevant". (For instance) two employees of equal value, one of whom costs twice as much for health care, are not equal commodities. In any context but health care, intentionally concealing a fact like that would be fraud.

Why is medical condition different?

user-pic

The argument you're really making appears to be for universal healthcare. I agree. :)

As of yet, we are still a civilized nation (OK, so we're still working on it) that says that we want people with problems such as you describe to be able to work. Even people who have serious disabilities are encouraged to work through the ADA. Universal healthcare would go far in achieving those societal aims, which so far are only dreams.

I mean, really, when you think of it, it's really fairly strange that we tied healthcare to employment in the first place, isn't it? From what I understand, it wasn't done that way because of any real plan, but came about haphazardly as the result of what was an employees' job market in the years immediately after WWII. Employers at the time decided to sweeten their job offers with what at that time was an inexpensive benefit: health insurance.

user-pic

Well, I'm no universal-health-care advocate, but I agree that the current employer-funded system is poorly chosen and poorly designed. I just think the alternative ought to be individual purchases of insurance (or health care), not dumping it on the government.

Privacy is a right with the potential to create serious distortions (it already does), so it ought to be limited to things that are, well, private.

Health care information generally isn't, and ought not to be anyway. It's shared with massive numbers of people already, and has to be, most of them strangers.

Keeping this information secret helps people only by helping them to trick and defraud others.

user-pic

So you're arguing against privacy as a legitimate right? Am I understanding you correctly? And you're saying that healthcare information should not be private? Why ever not? What's your reasoning? What "distortions" are you talking about, anyway? Most Americans would disagree with you, and see release of private health information as the serious violation that it truly is (according to polls, such as the one I cited earlier in the thread).

I'm not sure I know what you mean about tricking and defrauding either - have you moved to a new issue: benefits entitlement? That's something that affects only a small percentage of the population overall anyway. Surely people can reasonably be required to release whatever information is legitimately needed to assess eligibility for any sort of benefit, but it should be their choice, and they should know how the material is being used. But one wouldn't expect information release to create an endless open door, which is what confusion about the requirements of HIPAA essentially creates. Is that what you're talking about?

user-pic

Still puzzled by this comment:

Keeping this information secret helps people only by helping them to trick and defraud others.

What does that mean? If, as I surmised in my earlier post, you're confusing the issues of medical records privacy and the need to assess eligibility for benefits, you're making a wrongheaded assumption, imho. First, you're assuming the worst of an entire group of people (I sense the ghost of Reagan's imaginary cadillac-driving welfare recipient here) and then suggesting that the solution should be the erosion of privacy rights for everyone, just to expose what is certainly a very small number of people.

But why should medical records be available to anyone who happens to have a suspicion that someone is "tricking and defrauding"? It's my observation that the tendency to see trickery and fraud far more frequently lies in the mind of the suspicious person than it exists in reality. And the proposition that the solution for what you imagine as widespread fraud and abuse is increased exposure of everyone's information sounds amazingly like the excuses GWB gave for his illegal wiretapping.

You really, once again, seem to be making my case for me: there must be better privacy protections put in place to protect us all from the sort of person whose mere suspicions might lead them to inappropriately invade the privacy of others.

user-pic

As always, we need transparency in a government that should be working for "we, the people". A benefit to having this centralized database is that we can, and we must, have an electronic record of everyone who accesses our PHI [Personal health Info].

As the devil's advocate, and someone actually confused why this is not already in place, why don't we have private PHI warehouses? What if there were companies who held this info for individuals and were under contract to protect the info. Going the HIPAA route protected the providers, and it is important that we not tank a provider whose staff fails to protect info when that provider went to med school and not Brinks Security Training. A brilliant surgeon is rarely involved in the office day-to-day stuff, but we know he will be the target of a lawsuit if his patient's info gets out, and the patient has legal recourse.

Answering my own question about the PHI vendors, or thinking out loud. If these things are held by a private company, how many years before we settle the lawsuit against a PHI vendor who breaches that contract? How can we ensure the PHI vendor is safely guarded from hackers, or even that they have sufficient electronic back-up for this info in the event of a hazard that destroys a facility?

user-pic

Interesting ideas there, Gregor. Ostensibly, the HIPAA Privacy Rule said that PHI was the property of the patient, not the physician, so even though that doesn't seem to be the mindset of the typical medical provider as yet, your proposal makes a lot of sense. My understanding is that there are already some very good medical organizations that require anyone accessing a patient's record to do so through their own employee computer account - they have to sign in and provide a password - so a record is created each time there's access, but your idea takes things a big step further.

The health organizations like the one I mentioned above are taking good steps to protect the patient's privacy, and there are some of those. But there are probably just as many or more organizations with decision makers who will interpret the very vague language in the HIPAA Privacy Rule according to their own preconceived ideas. Those who believe that doctors own the data, and who have for years worked within a system in which anyone who works in the hospital is seen as having legitimate access to any patient information, are probably going to interpret HIPAA as only allowing more of the same.

I worked for many years in a profession where I regularly interpreted regulations, and noticed that different jurisdictions would often interpret the same regulations in sometimes radically different ways. I realized it had to do with the mindset of the decision makers in the organization; each would interpret based on his/her preconceived notions of what should be, rather than on the actual language of the reg. I guess that's a long way of saying that we all have our mental filters.

While I agree that there's a seeming problem because financial liability for privacy violations is held by the physician, while it is probably much more frequently the case that the security risk comes from someone much further down the food chain, if the ultimate decision makers (the doctors) don't make the expectations clear, nothing will ever change. That financial risk theoretically provides incentive to make sure there are very good privacy protections in place and that employees are following them (although right now the risk isn't much, because HHS hasn't been enforcing HIPAA). Of course, in larger organizations, where the average doctor is an employee of, say, a hospital, many doctors may be unwilling to confront the issue because of a fear of rocking the boat. A well-trained, professional office manager is probably the key here. Your ideas about a PHI data warehouse would just avoid all that anyway.
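The per-user sign-in and access record described in the two comments above, as an added illustration that is not part of the original post or any real hospital system: every read of a patient record goes through a named account, is checked against the patient's care team, and is logged, so the "weird neighbor" case and the emergency-room case both leave a trail a privacy officer (and the patient) can review. The store, user names, patient IDs and record contents are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str           # the individual account that signed in (never a shared login)
    patient_id: str
    purpose: str        # reason the user gave at the time of access
    on_care_team: bool  # was the user on this patient's care team?
    emergency: bool     # break-the-glass override used?
    granted: bool


class PhiStore:
    """Hypothetical record store: every read is authenticated, authorized and logged."""

    def __init__(self, records: Dict[str, str], care_teams: Dict[str, Set[str]]):
        self._records = records        # patient_id -> record text (constructed sample)
        self._care_teams = care_teams  # patient_id -> accounts allowed routine access
        self.audit_log: List[AccessEvent] = []

    def read(self, user: str, patient_id: str, purpose: str, emergency: bool = False) -> str:
        on_team = user in self._care_teams.get(patient_id, set())
        # Emergency access is allowed so the ER case works, but it is never silent.
        granted = on_team or emergency
        self.audit_log.append(AccessEvent(datetime.now(timezone.utc), user, patient_id,
                                          purpose, on_team, emergency, granted))
        if not granted:
            raise PermissionError(f"{user} is not on the care team for {patient_id}")
        return self._records[patient_id]


def needs_review(log: List[AccessEvent]) -> List[AccessEvent]:
    """What a privacy officer should look at: denied attempts, and every
    break-the-glass read, since that path bypassed the care-team check."""
    return [e for e in log if not e.granted or e.emergency]


def disclosure_report(log: List[AccessEvent], patient_id: str) -> List[Tuple[str, str, bool]]:
    """What the patient can be shown: who actually saw their record, why, and
    whether it was an emergency override."""
    return [(e.user, e.purpose, e.emergency)
            for e in log if e.patient_id == patient_id and e.granted]


def demo() -> PhiStore:
    store = PhiStore(
        records={"P-1001": "adult-onset diabetes, prior head trauma",
                 "P-1002": "HIV test: first result positive, repeat negative"},
        care_teams={"P-1001": {"dr_lee"}, "P-1002": {"dr_lee", "np_ortiz"}},
    )
    store.read("dr_lee", "P-1001", "follow-up visit")                        # routine
    store.read("er_nurse_kim", "P-1001", "unconscious trauma patient",
               emergency=True)                                                # the "good" case
    try:
        store.read("pa_neighbor", "P-1002", "curious")                        # the "weird neighbor"
    except PermissionError:
        pass                                                                  # denied, but logged
    return store
```

Running `demo()` yields three audit entries; `needs_review` returns the emergency read and the denied attempt, and `disclosure_report` for P-1002 is empty because the only attempt on that record was refused.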

user-pic

If you are uninsured and do not have insurance, you should check out the website http://UninsuredAmerica.blogspot.com - John Mayer, California

