Demystifying Medicine One Month at a Time

Medical Privacy

You may have heard about a data breach at Anthem Blue Cross.

It’s estimated that the hackers who were able to break into the company’s computers had access to 80 million files. That’s one out of every four Americans.

Just like prior breaches at Target, Home Depot, Sony (did you see that awful movie, ‘The Interview?’), etc., hackers are eager to demonstrate that they can break into ‘secure’ corporate networks. We all need to be ready for computer hacks, identity theft, etc. It’s part of living in a connected world where much of our personal data lives in ‘the cloud.’

The Anthem breach has an additional wrinkle to consider: Not only was personal information (demographic, SSN, income information, etc.) hacked, but private medical information was potentially vulnerable.

The federal law known as HIPAA is an added privacy protection for consumers (patients) about our medical data. Unfortunately, I now believe that it has outlived its usefulness.

HIPAA creates ‘above and beyond’ penalties as a form of deterrence for being careless with private health information. While well-intentioned, the law is an unfunded mandate that has added billions of dollars in unrecoverable costs to the health care system.

Ironically, it’s another federal law, the PPACA (‘Obamacare’) that in my view has rendered HIPAA less relevant. Obamacare forbids insurers from denying patients eligibility on the basis of ‘pre-existing conditions.’ It was exclusions for those conditions that made HIPAA so necessary — under such a system, people needed the right to keep their medical info private.

I think medical data should be private, but only to the same degree as financial and demographic information. Creating an added layer of bureaucracy and penalties has only clouded issues for all of us.

There are at least two possible goods that could come from revising (or repealing) HIPAA:

  1. Increasing transparency in general. This might help increase price transparency in health care, something sorely needed. Obstacles to us sharing our health information keep prices shrouded.
  2. We’d have many more opportunities to anonymously collect data in huge databases and perform analyses that would lead to more knowledge generation. We still do many things in medicine based on tradition without knowledge of whether they’re helpful [see, as examples, this wiki-startup or this Harvard scientist-librarian with a really great idea].

We’ll all have our data stolen at some point. Making at least one aspect of that data less ‘valuable’ to crooks would diminish the appeal of stealing it and perhaps allay some of our anxieties over our medical privacy.

Health Care Privacy Primer

Health Care: Confidential?

What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about. – oath of Hippocrates, circa 400 B.C.

As part of our initiation into the profession, doctors recite the Hippocratic oath (or often a modernized version). I like to remind myself that the ancient Greeks valued confidentiality as much as we seem to today.

Since 1996, the law known as HIPAA has become paramount in enforcing this Hippocratic ideal here in the U.S. Originally intended to prevent the loss of health insurance due to change of employers, HIPAA has instead become a buzzword for protecting the public from its own medical records.

The law’s implementation demonstrates both sides of the government regulation debate: it came down as an unfunded regulatory mandate, forcing health care providers (especially hospitals) to invest heavily in creating infrastructure that neither delivers care nor brings in revenue in order to achieve compliance with the law. On the other hand, an entire industry and thousands of jobs have been created to administer, police, interpret, and adjudicate the new rules.

Hospitals have offices devoted to banging the drum in the name of protecting patients’ information from prying eyes. You have to wonder: Does any of this work?

One famous paper, citing the fact that no fewer than 75 different people have access to a hospital chart on average, called confidentiality a “decrepit concept.”

With the profusion of electronic medical records, the remnant notion of confidentiality is further challenged. Earlier this month it was discovered that a prestigious West Coast hospital experienced a breach in which more than 20,000 patients had their names and diagnoses publicly viewable on a website for almost one year. Because of incidents like this, the government now tracks these types of breaches in a publicly searchable database.

Take a look and you’ll find that over the last two years alone, more than 11 million people have had private health information exposed.

HIPAA can be fun!

With stakes including huge financial penalties, bad publicity, and the threats of termination (employment, not existence) and/or prison, you can see why hospitals take this stuff seriously. The downside is that it’s become onerous to obtain your own medical records.

Hoops to jump through. Copying costs (really? how about emailing it to me?). Waiting periods (you need this now? Fat chance.).

A friend of mine, recently hospitalized, came to a follow-up appointment with her primary care doctor. She informed the medical assistant that she’d like copies of her records from the associated hospitalization. Instant shutdown mode: “You’ll have to speak with the doctor about that.”

Actually, um, no. HIPAA was never intended to prevent transmission of records to patients themselves, nor was it intended to block sharing of medical data among care providers. But too often that’s the message health professionals take away from their annual compliance, safety, and HIPAA lectures.

For the intrepid, I challenge you to figure out: What’s been the overall cost of HIPAA implementation? More importantly, has the law accomplished what it was drafted for? After all, it took the passage of Obama’s health care reform bill (PPACA) to ensure that people won’t lose health insurance despite changes in job status. Is HIPAA simply a smorgasbord of unintended consequences?

On the flipside of protecting private health information, what about the public’s right to know about the doctors that they go to? In an unrelated news story, the government yanked the public’s query access to something known as the National Practitioner Data Bank, a 1986 invention that keeps track of misconduct (either intentional or unintentional) by doctors. The Data Bank is used by all states and hospitals with regard to medical licensure and credentialing. Seems like the public has a compelling interest at stake here.

As in the real world, the medical world is locked in an eternal struggle between privacy and transparency.

Soon the day will come when medical documentation shall be composed in plain language rather than jargon, and patients will not only have a right to that documentation, but will receive it at the “point of purchase.” Eventually this will be a compelling market proposition; in the present, health care remains too local. People are willing to put up with whatever they can get nearby.

Comparison shopping has always been tough in medicine, where pricing is entirely convoluted and people don’t typically have “skin in the game.”

© 2020 GlassHospital
