HIPAA: Does Privacy Have to Be So Painful?
The New Physician
Now that federal health-care privacy legislation has been in force for a few years, it’s time to ask: Is it working? And is it worth it?
As with so many complex, overwhelming projects, it started out as a very simple idea. In 1996, the federal Health Insurance Portability and Accountability Act (HIPAA) was passed to ensure that when people lost their jobs for whatever reason, they wouldn’t lose their ability to get insurance coverage. Simple enough. However, at the same time, increased use of computerized medical records, the Internet and e-mail was creating concerns about the privacy of personal medical information. So HIPAA was crafted to include provisions for the secure transfer of electronic medical data as well.
As often happens in Washington, D.C., one thing led to another, and now HIPAA comprises more than 1,000 pages of legislation—the executive summary of the
Privacy Rule section alone stretches to 22 pages of very tedious reading. These dense, often confusing regulations essentially stipulate what patient information can be gathered and how that information can be used, stored and shared.
HIPAA regulations went into effect in 2003; four years later, health administrators are complaining about implementation costs, researchers are complaining about difficulty accessing medical data, medical students on rotation are complaining about redundant training, clinicians are complaining about their inability to get patient records from other physicians, and most patients still don’t have a clue what HIPAA is or how it is supposed to protect them.
Nevertheless, almost everyone seems to agree that it really is a good idea. Protecting patient privacy is worth a lot of trouble—as long as the benefits outweigh the problems.
WHO GETS THE BILL?
HIPAA is what is known in the legislative world as an “unfunded mandate,” meaning that the government makes you do it, but doesn’t offer to help pay for it. And the costs can be surprisingly high in a system that is in a state of constant flux in the way information is handled. Installing electronic records systems—which is still in the planning stages for many health-care institutions—is obviously expensive, but HIPAA compliance entails costs that don’t come readily to mind.
For example, all employees who have any patient contact whatsoever must be trained in protecting patient privacy, and this typically requires printed materials, videos or computer programs, and time. In hospitals and larger practices, highly specialized experts are hired specifically to ensure HIPAA compliance. In addition, there are forms to be printed and kept on file; new computer programs—with secure data-transfer protocols and systems for
storing password-protected data—to purchase, install and learn to use; and a considerable amount of worker time spent reorganizing files and creating new systems for securely managing patient records. No one knows exactly how much this is costing, but everyone agrees that it isn’t cheap. Estimates range from $3 million to $7 million per hospital just to meet basic compliance requirements.
“Eventually, [HIPAA compliance] should actually cut down cost, mostly thanks to electronic records and a more efficient system of collecting and sharing information,” says Brenda Hart, HIPAA compliance officer at Baylor College of Medicine, “but right now it’s very expensive.”
TRAIN AND RETRAIN
Since HIPAA is as much about behavioral practices as rules for record-keeping, training is crucial. But as with funding, there are federal regulations but no federal system for training.
Each health-care provider, from large multi-site medical centers to small physician-owned practices, must take care of its own training. This is prob-ably not much of a problem for employees who take one job and stay there for years, but it can be a true challenge for medical students, who at times rotate from one facility to another on a monthly basis.
Students often find themselves undergoing repeated training, says Dr. Dennis Boulware, associate dean of education at the University of Alabama School of Medicine in Birmingham. “VA [Veterans Affairs] hospitals are particularly reluctant to accept training [students gain] from other institutions,” he says.
The solution, Boulware suggests, is a competency-based assessment. “There [should] be a national, standardized test that everyone takes to demonstrate an understanding of HIPAA regulations.” Such a system would not only save money and time, but would also ensure that the quality of training is uniform from institution to institution, he explains.
Understanding and putting HIPAA into practice requires more than simply a day or two of training and passing a quiz, however. HIPAA is in no small measure a new way of life in day-to-day medicine. “HIPAA has changed the way hospital culture operates,” says Todd Theman, a third-year at Harvard Medical School. “We don’t talk about patients in elevators, or discuss cases over lunch. Everyone is very HIPAA-aware.”
Simple (or maybe not-so-simple) changes in routine, such as placing charts face-in on examining room doors, using white-noise machines to ensure conversations can’t be heard in the hall, and blacking out identifiers before taking case materials home to study are all part of the post-HIPAA lifestyle for physicians-in-training.
And yet, these familiar bricks-and-mortar settings, rather than the more ethereal computer networks, may be where most of the violations take place. “When I give talks about HIPAA, I have to remind people that laptops can be stolen; that a piece of paper that you put in the recycle bin might next be seen flying down the freeway off the back of a truck,” says Hart. “I tell people to think of a patient’s medical information as if it were your money. Don’t leave it lying around.”
And leaving things lying around is all too easy. Julia Skapik, an M.D./Ph.D. candidate at Johns Hopkins University, once brought a patient in an AIDS clinic into the exam room only to find that the labs of the previous patient were visible on the room’s computer screen. Skapik did not report the violation. “I wouldn’t even know who to report it to, and I wonder if anyone would take it seriously if I did,” she says.
Though employees—and medical students particularly—may be uncomfortable reporting violations, they probably shouldn’t be. “I do weekly HIPAA audits when I walk around the medical center to see how things are working,” says Hart. “When I see a violation, people usually say, ‘oh gosh, we need to address this.’ Their hearts are in it.” So she advises students to always report any violations they see.
“It would be great if you could go to your direct supervisor, but this is not always comfortable,” she notes. “Most institutions have a HIPAA hotline. If not, get in touch with the HIPAA compliance officer. These reports will be kept confidential and used to address the problem so that it won’t happen again.”
WHY ARE WE DOING THIS AGAIN?
In the midst of training, reorganizing and paying for it all, it’s easy to forget the reason for doing this in the first place. HIPAA is a lot of things, but the heart of the legislation is the privacy rule, and the privacy we are at such pains to protect is that of the patient. When it comes right down to it, no matter how carefully providers implement the regulations, no matter how well-trained and careful the staff, if HIPAA doesn’t work for the patient, it doesn’t work.
“Patients have to read papers and sign forms, but do they really understand what this is all about? Probably not,” says Skapik. The typical HIPAA form that patients sign, explaining how the provider can and cannot use and share information, is almost as tedious to read as the executive summary, if a great deal shorter. And most people aren’t feeling well when they read it. But even if they do read it closely and fully understand it, they still probably don’t fully appreciate its implications; the typical form doesn’t really explain that.
“I shadow a primary care physician every week,” says Theman. “Many of the patients see other providers, and we often end up repeating lab tests and other diagnostic procedures because we can’t get the information quickly from the other doctors. This increases the cost, the time and often exposure to X-rays and so on for the patient.”
Cinthia Elkins, an M.D./Ph.D. candidate at the University of Illinois College of Medicine at Urbana-Champaign, also sees this as the main flaw in HIPAA. “The problem I’ve seen is getting information between institutions and getting a patient’s history in a timely manner. For this, we need a national, computerized medical information system, such as the VA has, so you can get records from other sites with just a click of the button and without having to use unsecured and slow methods like faxing.”
Theman agrees. “The problem with HIPAA is that we got the cart before the horse. We have ended up with just the privacy part and no infrastructure for dealing with it. We need to stop thinking of privacy as an end in itself. There is an inherent conflict between smooth communication and protecting privacy. We can protect patients’ privacy, but we need to balance that with being able to provide efficient care,” he says.
But this might yet be possible. The next phase of HIPAA, moving to a unified and secure system of electronic medical records, is still on the drawing table, but the institutions that already use such systems find that they are working well. Elkins mentioned the
VA, and Theman says that Partners HealthCare System in Boston, which serves Brigham and Women’s and Massachusetts General hospitals, has an efficient electronic records system that protects patient privacy while allowing physicians to access medical records and case notes for any physician in the system easily and quickly. The problem for most institutions at the moment, says Hart, is that everybody is on a different computer system, making communicating among institutions difficult.
A nationalized system would solve this problem. However, some patients are very uncomfortable with the idea of electronic records even in a local doctor’s office, much less on a nationwide database. But as protections go hand-in-hand with improved communications, the bugs may still be worked out and the balance maintained between privacy and efficiency.
Despite the complaints, most health-care professionals agree that HIPAA is great in spirit, if occasionally awkward in practice. “HIPAA just legalizes and codifies what we should have been doing anyway,” says Boulware, “and I always felt we were doing a pretty good job. Protecting a patient’s privacy is just good medicine—and good manners.”
Avery Hurt is a freelance writer in Birmingham, Alabama.