HIPAA is like the Transportation Safety Administration’s requirements that everyone take off their shoes and only carry a quart of liquids and creams: it apparently makes us feel safe and protected, but really it’s just a big pony show that wastes everyone’s time.
The idea of HIPAA’s privacy rules is this: health information is private. It’s nobody’s beeswax besides yours, your doctor’s, and whoever’s agreed to pay for your care (insure you). And I agree. It is nobody’s beeswax. But it’s so bogusly enforced that it just creates headaches. As I’ve said before, I could easily walk into any hospital in the United States, and dressed appropriately, start reading anyone’s paper chart. Guaranteed. So, see, your health information isn’t private. It should be, but it isn’t.
HIPAA also prevents information from being shared easily and electronically between physician and patient. HIPAA lists 18 identifiers that must be protected and cannot be included unless the information is transmitted securely. (Note to bloggers: this is why I change everything about my patients if I write about them: saying anything more specific than what state you’re in is Protected Health Information!) Patients clearly want the ability to talk to their physicians electronically; my generation of physicians would certainly want this as well. Quick question, or side effects of a medication becoming a problem? Want a list of your medications? Want lab results emailed to you? Want your physician to email you an appointment reminder? No, no, no, no, no. Instead, we have systems where your doctor sends you a message in a portal with ANOTHER username and ANOTHER password, and it’s a big headache. Even if it’s not that bad of a system, you don’t have access to the messages on your own computer. It’s not like an email that you can just go back and find.
What’s even more ridiculous is that HIPAA doesn’t apply to anyone who isn’t providing health care or paying for it. So neither Google nor Microsoft even has to comply with any of these requirements, which leaves them freer to make information exchange happen than your own physicians!
Make HIPAA easy to opt out of. Maybe this is already a common thing, but I haven’t really seen it anywhere. A simple form: I hereby authorize Dr. Walker to email me insecurely with my: ___ Medications ___ Lab Results ___ Diagnoses at email@example.com, and waive my right to HIPAA security protections.
Also: pay doctors for email consults. When in doubt, the physician should always bring the patient in, but it’s a waste of both the physician’s time and the patient’s for questions like, “I feel better, do I need to finish my antibiotics?”
Be consistent with privacy rules. Either require all hospitals to go electronic so that data is behind a password (although one could certainly argue that it’s even easier to steal more data more quickly electronically) or don’t be so damn ridiculous about privacy standards. Also in exchange, provide a more standard protocol to streamline the reporting of stolen identities and stolen health records.