HIPAA In Today's Cyberspace

By Jennifer Schraag

Knock, knock.

Who's there?

HIPAA.

HIPAA who?

I can't tell you.

The above is a silly little joke found on a message board for physician interns. This same message board thread scrolled to become a flared discussion on the Health Insurance Portability and Accountability Act  (HIPAA) of 1996 and other privacy matters. One poster — screen name, “docB” — wrote the following: “Everyone knows I'm no big fan of the government or regulations. I think EMTALA (Emergency Medical Treatment and Active Labor Act) was written by Satan. But HIPAA as written is not so terrible; it has just evolved to be wretched.”

The foresight to HIPAA was to protect patients from being "blacklisted" from insurance companies, docB went on to point out. But now, insurance seekers have to sign over those disclosures at the front end anyway.

HIPAA as we know it today has turned most healthcare organizations timid, at best, about sharing patient information. And in an already challenging setting such as the night shift at an urgent care center, these reservations of sharing patient information can be a tall challenge to overcome.

David C. Kibbe, MD, MBA, senior advisor for the AmericanAcademy of Family Physicians and chair of the ASTM International E31Technical Committee on Healthcare Informatics, points out that there are three components to HIPAA: the Privacy Rule, the Transactions Rule, and the Security Rule. “They deal with different issues, and unfortunately, often get lumped together as if there was one, over-riding ‘HIPAA issue,’” he notes.

“There isn’t. You need to know what portion of HIPAA (is) under consideration. The HIPAA Privacy Rule, for example, not only requires that patients have access to their own records upon request, but allows healthcare providers and others — including health plans — to exchange health information for the purposes of care delivery and payment, without getting a patient’s consent. Many people are surprised to learn how permissive the HIPAA Privacy Rule is.”

He continues, “I would have to say from my own experience that the biggest HIPAA concern is the confusion people have about HIPAA. Many people who should know, don’t know how HIPAA might impact what they do, or how they should act, and so they become paralyzed. Quite often, I see people withholding healthcare information ‘because of HIPAA,’ when in fact HIPAA is permissive of that particular exchange of health information.”

Conversations about the national push for the electronic medical/health records (EMRs/EHRs) nearly always turn to HIPAA securities.

The big push behind the Nationwide Health Information Network (NHIN) is today’s reality. This health information technology (IT) agenda, pushed by the Bush Administration, has both its proponents and its naysayers. Large reservoirs of cash are building to back the initiative, and the bottom line is that this will become reality. NHIN's mission is to set forth and provide "a secure, nationwide, interoperable health information infrastructure that will connect providers, consumers, and others involved in supporting health and healthcare," according to its visionaries.

The Administration envisions this full-scale, national interoperable health IT system, and every American's EMR, be fully implemented by 2014. This vision comes with a second expectation that interoperable health IT will both improve individual patient care and help to streamline public health initiatives. Some examples of this expectation include early detection of infectious disease outbreaks, improved tracking of chronic disease management and the evaluation of healthcare based on value; as enabled by transparency.¹

Security is usually the topic of loudest outcry, as aforementioned, and as with any new initiative, the "bugs must be worked out." According to the 19th annual HIMSS Leadership Survey, one quarter of the survey's participating healthcare organizations suffered a security breach in 2007. Survey results go on to point out that the top three technology areas identified as those in most need of improvement were identity management (45 percent), RFID technology (43 percent) and security technologies (42 percent). “These investments are on top of already strong use of security technologies such as firewalls (in place at 98 percent of respondent’s facilities), user access controls (83 percent) and audit logs of each access to patient health records (81 percent),” the report reads.

To tackle this aspect in healthcare IT, as well as to ensure the technology used is appropriate and worthy, the Certification Commission for Healthcare Information Technology (CCHIT) was formed. This health IT certification commission has established a public-private process to develop specific criteria for health IT systems. CCHIT "rigorously" evaluates systems to establish that they meet the following criteria:

Functionality: ensuing that the systems can support the activities and perform the functions for which they are intended

Security: ensuring that systems can protect and maintain the confidentiality of data entrusted to them

Interoperability: ensuring that system can connect to, and exchange information with, other systems

(For a list of ambulatory EHR products that have achieved CCHIT certification by passing the 2007 criteria, visit http://www.cchit.org/choose/ambulatory/2007/index.asp.)

Security of such a widespread, multi-pronged program can run the gamut with threats coming from every imaginable angle; internal, external or otherwise.

Some IT initiatives are geared toward eliminating the security threat called “tailgating.”² Tailgating occurs when someone logs into an application and then walks away without logging off, allowing an unauthorized user to gain access.

But what good does any security measure do when unethical staff members do — repeatedly — what they are not supposed to do? A perfect example is that of UCLAMedicalCenter. UCLA in March was in the throes of disciplining over 13 employees, including physicians, after they deliberately accessed Britney Spears' confidential medical files — even after they were directly told not to do so. At the time, Spears was staying in the hospital's psychiatric unit. And this wasn't the first time this duet has clashed. When Spears' first child was born there, UCLA employees invaded her privacy then too.

Fast forward a mere month later and April brings more UCLAMedicalCenter employee shenanigans — this time leaking Farrah Fawcett's fight with cancer to the National Enquirer.

As stringent as HIPAA appears to be, to date and according to the Health Privacy Project, not one civil monetary penalty has been issued in response to a breach in HIPAA practices.

“At its worst, HIPAA is used as an excuse to prevent the public from access to their own medical information,” says Kibbe, who also is principal of the Kibbe Group LLC, and author of numerous peer-reviewed articles and several book chapters on e-health, computer security, and HIPAA as well as co-author of the “Field Guide to HIPAA Implementation,” an American Medical Association publication.

“That is a very big concern and can cause harm,” he asserts.

To offset this problem, online-housed EHRs have evolved. For instance, Google's recent announcement of Google Health, and Microsoft's older version, Health Vault, both offer what is now termed a "personal health record" or PHR. PHRs offer individuals an online space to house their personal medical information. For some, especially those with a chronic illness, this enables a repository of all run-ins with medical professionals.

Quest Diagnostics recently took this a step further with its new offering of online patient access to their individual lab results — something particularly interesting for urgent care patients as it could help to streamline appropriate follow-up, in some cases.

On the governmental side, work with respect to security and privacy is never done. From pending legislation to surprise audits, government offices are hot on the trail of change when it comes to the electronic age of HIPPA.

One such example is that of the Trust Act which was introduced to the House by Rep. Ed Markey (D-Mass.) on Feb. 14. The Trust Act is written to “provide individuals with access to health information of which they are a subject, to ensure personal privacy, security, and confidentiality with respect to health-related information in promoting the development of a nationwide interoperable health information infrastructure, to impose criminal and civil penalties for unauthorized use of personal health information, to provide for the strong enforcement of these rights, to protect States’ rights, and for other purposes.”

Further notice has been taken in response to the vast security breeches that have been occurring. Surprise HIPAA audits, the first of which took place at PiedmontHospital in Atlanta in June 2007, are conducted by the Department of Health and Human Services' (HHS) Office of the Inspector General (OIG). The results of these audits are publicly reported on the Centers for Medicare & Medicaid Services (CMS) Web site (accessible at www.cms.hhs.gov/Enforcement/03_HIPAAEnforcementStatistics.asp).

Security and HIPAA go hand-in-hand, as one is vastly needed to protect the other. Now is a good time to begin ensuring your center is guarded and ready for whatever tomorrow may bring.

“In a setting such as urgent care, I think the providers should help patients whenever they want to exercise their rights — guaranteed under HIPAA — to access and take with them their own health records," Kibbe adds. "I think urgent care providers should also have a very explicit policy for protecting the health data they have stored for their patients, and they should execute a strong security policy with strong security practices.

“HIPAA is not perfect, but it's not all that complicated, either. There's really no excuse for not reading the instructions.”

To learn more about IT-based solutions for urgent care centers, join us for the 5th annual today's surgicenter conference in Las Vegas, Sept. 18-20.

References

1. HHS. Health Information Technology. http://www.hhs.gov/healthit/

2. Lowes, Robert. HIPAA: Replace your password with your face. Medical Economics. March 28, 2008. http://medicaleconomics.modernmedicine.com/memag/Health+Information+Technology:+Electronic+Health+Records+(EHRs)+%2F+Electronic+Medical+Records+(EMRs)/HIPAA-Replace-your-password-with-your-face/ArticleStandard/Article/detail/505449?contextCategoryId=44149.

Pull Out Quote:

"..to link all health records through an interoperable system that protects privacy as it connects patients, providers and payers, resulting in fewer medical mistakes, less hassle, lower costs and better health."

— HHS Secretary Mike Leavitt

Pull Out Box:

For a full list of government HIPAA-related resources and links, visit www.hhs.gov/ocr/hipaa/links.html.

SIDEBAR:

Myths and Facts about the HIPAA Privacy Rule

Myth: One doctor's office cannot send medical records of a patient to another doctor's office without that patient's consent.

FACT: No consent is necessary for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes. The Privacy Regulation specifically states that a covered entity “is permitted to use or disclose protected health information” for “treatment, payment, or healthcare operations,” without patient consent.

Myth: The HIPAA Privacy Regulation prohibits or discourages doctor/patient emails.

FACT: The Privacy Rule allows providers to use alternative means of communication, such as email, with appropriate safeguards.

Myth: A (healthcare provider) is prohibited from sharing information with the patient's family without the patient's express consent.

FACT: Under the Privacy Rule, a healthcare provider may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual,” the medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care.

Myth: The Privacy Regulation mandates new disclosures of patient information.

FACT: As HHS states, disclosure is mandated in only two situations: to the individual patient upon request, or to the Secretary of the Department of Health and Human Services for use in oversight investigations. Disclosure is permitted, not mandated, for other uses under certain limits and standards, such as to carry out treatment, payment, or healthcare operations, or under other applicable laws.

Myth: Patients can sue health care providers for not complying with the HIPAA Privacy Regulation.

FACT: The HIPAA Privacy Regulation does not give people the right to sue. HHS may impose civil penalties, criminal sanctions and corresponding prison terms may be enforced by the Department of Justice.

Myth: If a patient refuses to sign an acknowledgment stating that she received the healthcare provider's notice of privacy practices, the healthcare provider can, or must, refuse to provide services.

FACT: The HIPAA Privacy Rule grants the patient a ‘right to notice’ of privacy practices for protected health information, and requires that providers make a “good faith effort” to get patients to acknowledge they have received the notice. The law does not grant healthcare providers the right to refuse to treat people who do not sign the acknowledgement, nor does it subject the provider to liability if a good faith effort was made.

Share this article: Email, Slashdot, Digg, Del.icio.us, Yahoo!MyWeb, Windows Live Favorites, Furl
Add this article feed to: RSS, My Yahoo, Newsgator, Bloglines

Read Comments [0]