“To see what is in front of one’s nose needs a constant struggle…” George Orwell
Do you know what the “P” in HIPAA stands for?
If you said “privacy” you are quite wrong. HIPAA stands for Health Insurance Portability and Accountability Act and was originally intended to guarantee health insurance when someone changed jobs. But the word “portability” is a far cry from “privacy.”
Since April 14, 2003, patients have been required to sign these forms, creating the durable illusion that our medical records are private. We sign HIPAA forms when we see our dentists, doctors, and upon receipt of a host of other health-related services. Yet your personal health information is anything but private — and the more legislation Congress passes the more public this information becomes.
As a patient, my concerns with privacy are personal. As a physician, I see privacy as an indelible maxim and moral responsibility from which I can never be absolved. Hours before receiving my Medical School diploma, I stood with my entire graduating class and willingly took The Oath of Hippocrates. Sixteen years later, the gravity of my last act as a student continues to govern my actions within a profession long thought noble. I include the second paragraph from my Oath here:
“I will hold in confidence all that my patient confides in me. I will maintain the honor and the noble traditions of the medical profession.”
Here’s a brief history of how HIPAA came to be and why this law may make your information more public than private. The original HIPAA bill was passed in 1996 and, instead of defining patients’ rights to privacy, tasked the Department of Health and Human Services (HHS) to “develop regulations that specified patients’ rights to health privacy.” In 2001 HHS ruled that a patient’s consent was necessary before disclosing any information. However, HHS eliminated this individual right to consent in 2002, with another ruling that gave “regulatory permission for covered entities to use and disclose protected health information” without the individual’s consent.
Flash forward a few years, and the “covered entities” named in the 2002 HHS ruling translate into a long list of those with regulatory permission to review people’s presumably “private” medical records: employers, life and health insurance companies, billing firms, pharmaceutical companies, data miners, creditors, banks, and off-shore transcription services based in Pakistan and India. Roughly 35% of Fortune 500 companies admit to looking at employees’ health records before making hiring and promotion decisions.
Here is an interesting finding from Health and Human Services (HHS), made upon administering the original HIPAA Rules, which stands in contrast to the reality of today: “in short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers” (65 Fed. Reg. 82,467). I agree and believe that few are naïve enough to expect candid disclosures from any patient if what they say could be read by so many. In the same document (65 Fed. Reg. 82,474), we read “experience shows that we can have high quality health care without health IT, but we cannot have high quality health care without privacy. Thus, privacy standards are consistent with the objective of reducing the administrative costs of providing and paying for health care.”
The cost of lost privacy goes far beyond lost jobs or promotions. The HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns resulting in $1.6 billion in lost wages because of continued illness from lack of treatment (65 Fed. Reg. at 82,777). The HHS went on to note that similar privacy concerns delay the treatment of HIV and sexually transmitted diseases (STDs) which leads to death, expensive fertility problems, fetal blindness, and other reproductive complications.
Furthermore, combining HIPAA with the Government Mandated Electronic Health Records (EHR) law, included in the economic stimulus bill passed in February, all but eliminates medical privacy. Perhaps this is what Congressman Kennedy was thinking of last week when he promised us that patients would be able to opt out of listing STDs and abortions in the EHR law; however, privacy concerns are felt by all patients with every disease and not just the potentially embarrassing ones.
According to the EHR law, doctors who submit their bills to Medicare and Medicaid will be reimbursed at a higher rate if they also simultaneously report their patients’ health information using an electronic health record in a “meaningful way.” While Big Brother decides what’s ‘meaningful’, the private insurance companies’ trend to follow Medicare (e.g. DRGs - Diagnostic Related Groups and Procedural costs) will likely be extrapolated to all patients.
This EHR law, coupled with HIPAA and the technological advances in record management, will result in more information for the data miners to give to the Comparative Effectiveness Research Committees, also mandated in the Economic Stimulus Bill, so they can then advise doctors on better practice management. Other touted advantages would include fewer mistakes through better communication and lower costs for patients. But these advantages will be negated if we don’t find a way to protect the private information of individuals.
In our practice, DocTalker Family Medicine, we use an electronic health record but will not report any health information to anyone that hasn’t been scrubbed of all personal information first, unless we are specifically instructed to do so by our patients. The government isn’t doing a good job of protecting personal information now and to trust them with our patients’ privacy would go against the Hippocratic Oath as we interpret it.
Until next week, I remain yours in primary care,
Steve Simmons, MD