[Med-privacy] Gov. Health IT article
Peter Marshall
pwm@comcast.net
Thu, 15 Jun 2006 12:49:49 -0700
HIPAA: Best if used by…
The federal law intended to protect the privacy of patient records has long outlived its usefulness, but what's the remedy?
By Heather B. Hayes
Published June 12, 2006
When Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, lawmakers had more on their minds than just helping workers hang onto their health insurance coverage when they changed jobs. Privacy of electronic medical records was also a key concern, and the law was intended to set a foundation for how to handle the rapidly evolving technologies of storing and sharing digital health information.
Ten years later, as the push for electronic health record sharing gathers force, it has become clear that HIPAA is not up to the task of protecting the health privacy of U.S. citizens in the Digital Age. The law is confusing, inconsistent and unable to prevent even some of the most egregious privacy violations. Most importantly, critics say, HIPAA does not give patients any say over who sees their information and for what purpose.
"Privacy is the 2,000-pound gorilla sitting in the room that is being ignored by a lot of policy-makers — not all of them but a lot," said Joy Pritts, director of Georgetown University's Center for Medical Rights and Privacy. "They just seem to want to push ahead with the technology and ignore the fact that a lot of this information will be flowing around unprotected unless they allow for some significant protections in the law."
For this reason, there is now a mobilization under way to put privacy back in the spotlight and come up with a remedy for HIPAA's flaws. But the issue is messy, and everyone has an opinion on the right way to proceed. Several bills in Congress attempt to create health information networks while also addressing privacy concerns, and several challenges to HIPAA's privacy rules have been filed in both state and federal courts.
A simple solution is not likely. "It's easy to say that you should extend HIPAA to cover health information no matter who has it, but it's rather naïve to say that that's an easy thing for Congress to do," said Dr. William Braithwaite, senior vice president and chief medical officer for the e-Health Initiative. Such efforts "always fail because Congress starts getting into fights about things that are indirectly related to privacy like states' rights, abortion rights…and it's very difficult for a federal law to be passed that covers all those things adequately."
Rapidly overwhelmed
HIPAA's current problems date back to its origins. Even after its most basic administrative requirements found their way onto the books, the law's privacy guidance remained problematic, and even after giving themselves a three-year deadline, lawmakers still could not pass a comprehensive privacy rule. At that point, they directed the secretary of the Department of Health and Human Services to finalize regulations.
HIPAA was based on the Code of Fair Information Practices created by a task force at the agency then known as the Department of Health, Education and Welfare. The code later formed the basis of the Privacy Act of 1974. HIPAA was narrowly construed to cover personal health information that would be put into electronic form for administrative transactions. It also pertained only to certain "covered" entities: health plans, health care clearinghouses and health providers. And it was conceived to be a "floor" for privacy, working in conjunction with typically stronger, more detailed state laws.
But the rapid expansion of technological innovation in the electronic age has already overwhelmed the law. "Today we're talking about exchanging personal health information in a much broader way," Braithwaite said. "And the problem is the purpose of HIPAA never had anything to do with general privacy protection for all medical information about all Americans."
Under HIPAA, clinical researchers, regional health information organizations (RHIOs), companies that create personal health information databases and banks that administer health savings accounts are not covered. Initially, records and billing companies working as contractors to covered entities were also not covered, though the law was later extended to include those partners through a "business associate" clause. That, too, ended up being a bureaucratic nightmare, Braithwaite said, because issues of misuse of information had to be resolved using contract law and court proceedings.
Another major flaw in HIPAA was revealed in 2005 after HHS referred several hundred privacy cases to the Justice Department, which responded with the opinion that HIPAA's criminal statute does not apply to individuals — even those responsible for reprehensible acts. By that standard, employees of covered entities who choose to sell personal medical information or even hackers who break into databases and steal health records are not in violation of the law.
Even before that opinion, HHS' ability to punish violators of HIPAA rules was suspect. In the three years since Congress approved HHS' final recommendations on privacy, the department has received about 18,000 complaints of HIPAA violations. To date, only two have been prosecuted. "Basically, with the way things are right now, you have the right to whine to a federal agency," said Dr. Deborah Peel, a Texas psychiatrist and chairwoman of the Patient Privacy Rights Foundation. "It's not exactly the most useful way to enforce problems."
And in fact, it could have potentially destructive consequences for health information privacy. "The level of interest and attention and fear-driven compliance have gone down significantly in the last year," Braithwaite said. "If there's a complaint to HHS, people are now recognizing that all they have to do is respond and say, 'Okay, we'll fix that,' and the problem goes away."
Lack of control
Privacy advocates say the most egregious gap in HIPAA coverage came in 2003 when HHS stripped a patient's right to consent out of the privacy rule. Now, under HIPAA, covered entities can use personal health information without a patient's permission for a host of reasons, including treatment, payment and various business operations.
Patients frequently sign HIPAA paperwork believing that they are giving their permission to let a physician use their records, Peel said, when in fact the paperwork is merely a disclosure form. Much like their credit information, patients don't have a right to say who sees their health information and why. However, they do have the right to request an accounting of information disclosures that have been made without authorization and to inspect their personal health information held by hospitals, health plans and providers.
Peel said HIPAA's biggest danger is its tendency to confuse. Patients believe they have some right of control over their health information. "Even President Bush seems to believe it, because he keeps reassuring the American public that they do," she said. "When people finally realize that they've got intruders mucking around in their medical records, I think it's going to cause a tremendous backlash."
Health care providers are just as confused, said Jeff Fusile, a partner with PricewaterhouseCoopers and head of its HIPAA practice. "Many doctors have erred on the side of 'share nothing' because they believe that 'share nothing' is what the rule actually states," he said, noting that this occurs even when information sharing is clearly in the best interest of a patient's medical treatment. "Even the higher-level administrators find that it's a lot easier to say, 'Just don't do it,' than it is to say, 'Here are the 37 exceptions.'"
Braithwaite notes that many providers understand the law but use HIPAA as an excuse not to share. "The real roadblock is trust," he said. "Institutions don't want to share for a variety of reasons, including fear that another institution is going to steal their patients or fear that they are opening up their information-handling practices to potential liability. So they talk to a HIPAA lawyer who tells them to take a defensive, protective position rather than figuring out appropriate ways to share information for the benefit of the patient and the cost-effectiveness and safety of the patient."
Physicians also note that the two-tiered privacy system and the need to know and comply with differing state privacy laws make it difficult to follow HIPAA's information-sharing mandates across state lines. "When the state is just next door, you figure it out, but it is still a nuisance and a barrier to interoperability and administrative simplification, which, after all, was a key reason behind the HIPAA regulations in the first instance," said Dr. Don Detmer, president and chief executive officer of the American Medical Informatics Association.
No easy solution
Many experts say HIPAA is not working in its current form, but no one is really interested in re-fighting the battle that took place during the creation of the original law. Instead, legislators are looking for alternative ways to tackle the issue.
Most bills pending in Congress would attach a privacy requirement to the creation of health information networks. Rep. Patrick Kennedy (D-R.I.), considered a champion of the privacy movement, is trying to restore patient control over health records. He sees technology as a major part of the overall remedy and has thrown his name behind two bills. The 21st Century Health Information Act, which he introduced last year with co-sponsor Rep. Tim Murphy (R-Pa.), proposes creating a national health information network but addresses privacy by providing an opt-out clause for patients. Kennedy is also sponsoring a more comprehensive bill that tackles privacy concerns head-on. The Electronic Health Information Privacy Act, expected to be introduced this year, closes HIPAA's most obvious gaps, including restoring the right of patient consent, strengthening enforcement, and providing audit trails and other technology remedies that improve patients' ability to control their information.
"We need workable rules, but the rules should be designed to reflect the wishes of the individual," said Michael Zamore, a policy adviser to Kennedy. "It's their health information, and they should be the decision-maker on who sees their records and for what purposes."
Peel commended Kennedy for bringing awareness and publicity to the issue. But she doesn't believe that a stand-alone privacy bill can survive the intense pressure of the large hospital corporations and data aggregators that want to preserve the current system. "We think that the best way to get the fix is to have the fix be part of a health information technology or personal health records bill because then it's got to be a cooperative effort, because then it's a deal where both sides get what they want," she said.
A second proposal making its way through Congress would solve the privacy issue by eliminating the patchwork of existing state laws and consolidating them into a single federal privacy law. The Senate version of the bill, the Wired for Health Care Quality Act, has already passed, and the House version, the Health IT Promotion Act, is pending.
Detmer believes that the approach of looking at the strongest state privacy laws and "harmonizing" them "looks much more feasible than action at the federal level," adding that it would allow a national standard "so one day person-specific health information can be sent across state lines with impunity."
Privacy advocates and many in the health care community, not surprisingly, are fighting the measure. Pritts notes that state laws are much stronger than HIPAA by design, and they address sensitive issues such as the confidentiality of mental health records. Creating a single federal law would "effectively lower privacy standards nationwide," she said.
Other bills pending in Congress do little to further privacy protections and instead simply require strict compliance with HIPAA in its current form. "I think we've proven through HIPAA that a mandate at the federal level isn't the best answer," Fusile said, "so I don't think the answer now is to again mandate something and define it as being consistent with HIPAA."
Privacy advocates say that any effective bill must allow patient control and consent over the use of their records and ensure that solid technology is in place to track consent and incorporate audit trails to know who's handled the information and for what purposes. Enforcement clauses must also follow the information so that anyone downstream in the treatment, payment or administrative process who mishandles the information is subject to the same penalties as a provider or other covered entity, privacy experts say.
Any plan for exchange networks that goes forward without such strong privacy measures would be disastrous, Peel said, because it would end up leaving everyone involved distrustful — of the health care system and any technology initiative intended to improve the cost-effectiveness, safety and quality of health care.
"The patient's right to privacy is the key patient's right," Peel said. "The only reason we even have personal health records today is because of the Hippocratic oath and the trust that patients have that their doctors are going to keep their private information confidential. Any technology utilized needs to have ironclad privacy protections in place so that trust is enhanced. Otherwise, it will undermine it to the detriment of the patient and the entire health care system."
Hayes is a freelance writer based in Stuarts Draft, Va. She can be reached at hbhayes@cfw.com.