AMA (JAMA) July 17, 2018
How HIPAA Harms Care, and How to Stop It
Donald M. Berwick, MD, MPP1 [1]; Martha E. Gaines, JD, LLM2 [2]
JAMA. 2018;320(3):229-230. doi:10.1001/jama.2018.8829
“Knock, knock.”
“Who’s there?”
“HIPAA.”
“HIPAA, who?”
“I’m sorry, but I cannot disclose that.”
Clinicians and patients alike will laugh at this, but behind the laughter are anger and frustration. The Health Insurance Portability and Accountability Act (HIPAA), a law created to protect patients, has borne with it serious obstacles to effective care. How did this happen? What went wrong on the road to protecting privacy?
Passed in 1996, HIPAA was not originally a privacy law at all. Its primary intent was to assure “portability”: continuity of health insurance coverage as individuals changed jobs. In fact, the privacy part of the law was very brief. Congress had been debating a Patients’ Bill of Rights for some time, which was to include privacy rights as well as the right to sue insurers for wrongful denial of coverage; but Congress failed to pass such legislation. This prompted the Department of Health and Human Services (HHS) to create the privacy regulations governing transfer of records (paper or electronic) containing personal health information (PHI), designed to ensure patient safety and prevent insurance companies from using that information to manipulate coverage.
The regulations that compose the HIPAA Privacy Rule are complex and voluminous. (The 2013 update alone, regarding electronic medical records and e-health, is 563 pages long.1 [3]) However, these regulations coalesce around one simple rule: clinicians and health care organizations may not disclose PHI without patient permission unless that information is being used for treatment, payment, or health care operations. For these purposes, patient permission is assumed. In addition, organizations must release records to patients who ask for them and to HHS for enforcement purposes.
The law levies significant penalties for wrongful release of PHI and for the failure to timely release to the patient or HHS, but it has no penalties for unreasonably delayed or wrongful refusal to release information to other clinicians for treatment purposes. This imbalance has led to a knee-jerk bias against releasing information, as well as to a culture of complex paperwork to double and triple document the purpose before releasing information. Compounded by increased enforcement activity and higher fines over the last several years, the organizational policies intended to protect patients’ privacy may too often compromise their health care.2 [4],3 [5]
In too many cases, these policies do not reflect HIPAA requirements. Rather they are grounded in “HIPAA myths”: misapplications based on misunderstandings about what the law requires. The policies needlessly cast a confusing shadow over nearly every aspect of clinical care, health care information management, patient and family services, and even building design.4 [6],5 [7]
The myths abound. Every day, patients seeking second opinions or transferring to new clinicians experience treatment delays when wrongly conceived procedural hurdles prevent their physicians from talking to previous clinicians and obtaining timely access to test results and treatment histories. Family members seeking information about a loved one involved in a motor vehicle crash are wrongly told that HIPAA prevents even a confirmation of whether their family member is at that facility.
Both the need for privacy and the toxicity of HIPAA myths have increased with the spread of electronic medical records. Privacy practices prior to electronic medical records were dismal. Many physicians remember disorderly piles of medical records spread across desktops in hospital nurses’ stations, abusive husbands easily locating their terrified wives in the emergency department, and curious employees reading about their neighbors’ illnesses. That certainly was not private enough. Compounding those original problems is the new threat of having medical records stored in the cloud, with the possibility that those records could be hacked. Stricter standards seem logical to make clear who has viewed a patient’s record so that improper access can be addressed.
Privacy of PHI is crucial, but ill-conceived policies and behaviors that have emerged based on misinterpretations about HIPAA are not the way to get there. The test of the wisdom of a policy is not whether it protects privacy absolutely (that would be easy: just forgo communication altogether), and absolute privacy is not what HIPAA requires. Rather, a well-designed policy strikes the best balance between protecting patients’ privacy and enhancing their health, ensuring that the records necessary to their care can be provided where they are needed promptly and without needless expense.
When a clinician or clerk feels compelled to say, “I wish I could tell you but HIPAA won’t let me,” that is usually an indication of a misguided organizational policy or insufficient employee training. Some legitimate differences of opinion can, of course, arise about how HIPAA regulations resolve some ethical or legal issues. But most pain caused to clinicians and patients through the overzealous pursuit of privacy comes from misinterpretations of the regulations, and not from their actual substance.
Common misguided administrative provisions are many. They include restrictions on the exchange of clinical information between treating clinicians, rules against posting patients’ names in clinical areas to facilitate finding or identifying the patient, and rules against family members or loved ones reviewing medical records and clinical information even with the patient’s permission. At best, confronting or circumventing such unnecessary policies takes precious time and energy, already in short supply for clinicians and patients. At worst, such policies and restrictions can force wasteful and sometimes harmful repetition of diagnostic tests, and even cause potentially devastating delays to needed care.6 [8]
For patients, families, and clinicians, health care is complex and precarious enough to warrant removal of every unnecessary bureaucratic barrier to coordination and the mission-critical exchange of information. The widespread confusion about what HIPAA requires is harmful. The proper, but daunting, goal is to ensure accurate, uniform, sensible, and understandable policies and procedures for the efficient transfer of information and the appropriate protection of patient privacy. Getting that right will require leadership and real effort at the highest levels. At the moment, the balance is wrong
Please go to https://jamanetwork.com/journals/jama/article-abstract/2686002 [9] to read the entire article and two additional related articles on HIPAA.
Feedback . . . [10]
Subscribe MedicalTuesday . . . [11]
Subscribe HealthPlanUSA . . . [12]
VOM Is an Insider’s View of What Doctors are Thinking, Saying and Writing about