Health Care’s Broke: HIPAA

HIPAA is like the Transportation Safety Administration’s requirements that everyone take off their shoes and only carry a quart of liquids and creams: it apparently makes us feel safe and protected, but really it’s all just a big pony show that wastes everyone’s time.
The idea of HIPAA’s privacy rules is this: health information is private. It’s nobody’s beeswax besides yours, your doctor’s, and whoever’s agreed to pay for your care (insure you). And I agree. It is nobody’s beeswax. But it’s so bogusly enforced that it just creates headaches. As I’ve said before, I could easily walk into any hospital in the United States, and dressed appropriately, start reading anyone’s paper chart. Guaranteed. So, see, your health information isn’t private. It should be, but it isn’t.
HIPAA also prevents information from being shared easily and electronically between physician and patient. HIPAA lists 18 items that must be protected and cannot be included unless the information is transmitted securely. (Note to bloggers: this is why I change everything about my patients if I write about them: saying anything more specific than what state you’re in is Protected Health Information!) Patients clearly want the ability to electronically talk to their physicians; my generation of physicians would certainly want this as well. Quick question, or side effects of a medication becoming a problem? Want a list of your medications? Want lab results emailed to you? Want your physician to email you an appointment reminder? No no no no no. Instead, we have systems where your doctor sends a message to you in a system with ANOTHER username and ANOTHER password, and it’s a big headache. Even if it’s not that bad of a system, you don’t have access to the messages on your own computer. It’s not like an email, where you can just go back and find the message.
What’s even more ridiculous is that HIPAA doesn’t apply to anyone that’s not providing health care or paying for it. So neither Google nor Microsoft even has to comply with any of these requirements, so they’re freer to make information exchange happen than your own physicians!

Make HIPAA opt-outable easily. Maybe this is already a common thing, but I haven’t really seen it anywhere. A simple form: I hereby authorize Dr. Walker to unsecurely email me with my: ___ Medications ___ Lab Results ___ Diagnoses to blah@blah.com, and waive my right to HIPAA security protections.
Also: pay doctors for email consults. When in doubt, the physician should always bring the patient in, but it’s a waste of both the physician’s time and the patient’s for questions like, “I feel better, do I need to finish my antibiotics?”
Be consistent with privacy rules. Either require all hospitals to go electronic so that data is behind a password (although one could certainly argue that it’s even easier to steal more data more quickly electronically) or don’t be so damn ridiculous about privacy standards. Also in exchange, provide a more standard protocol to streamline the reporting of stolen identities and stolen health records.
I could not agree more with your post. I think the policies and regulations from both the Joint Commission and HIPAA serve to stop innovative solutions to health care costs and have held our care back 20 years. As we move to the technology age and drag our aging practitioner workforce with us, it will be important to revise all of the standards we are currently looking at. As the new generation of net goers gets older and enters our hospital system, will HIPAA concerns be applicable? If a teenager is willing to share the intimate details of his weekend on MySpace, what’s the big deal with sharing the fact that he had pneumonia once!
I agree that HIPAA is not the right solution, but I disagree that patients should be allowing their information to go unencrypted over the internet.
When I get a bill for a credit card or service, it’s rare that the actual financial information is sitting there in my inbox. Instead I get a link to the credit card website or phone service website for me to log in and securely view my charges and balances, read and send messages to the company. Yes it’s a little trouble, but it’s not nearly as bad as having information you want kept secure sent through unsecured email.
Under HIPAA, if you are a doc who practices in, say, Boston, or Chicago, or Smallville, you can’t present an interesting case at a conference, because everyone who knows that you practice in Smallville will know that your patient interaction occurred in Smallville. Smallville is a smaller geographic subdivision than the state it’s in, so, for the purposes of HIPAA, you will have identified your patient.
The only way to get rid of stupid laws and regulations is to make sure that they are strictly enforced.
I’m not the one to start.
“Also: pay doctors for email consults”
AHA! I see that our pie-in-the-sky host is just starting to think about real world issues. I hate to break it to you, but the Federal Government (Medicare) is actively seeking ways to CUT reimbursement for docs, so ANYTHING that is not currently covered has a snowball’s chance of getting funding. At best they are “budget-neutral,” which is fed-speak for robbing Peter to pay Paul. They will pay you for email (or phone conversations – which have a code, just no payment) only when they deduct that amount from your office visit code. (Or, they might make it easier on PCP’s by just further reducing the reimbursement on surgery codes for those big bad surgeons – although that beaten horse may soon be dead).
Don’t get me wrong, I completely agree. I spend about 1 hour a day on average answering no-reimbursement, full-liability phone calls. Scary, but the lawyers might have got this one right… “billable hours” for email/phone would be nice, but probably just a pipe dream for now.
I guess it’s up to me to point out that HIPAA was foisted on us not by “big pharma” or “big insurance” but by those boneheads in D.C. It is precisely the kind of bureaucratic boondoggle that we can expect MUCH more of if we are ever foolish enough to go with single-payer health care (or even the watered down versions offered by Clinton and Obama).
Neither Clinton’s plan nor Obama’s has anything to do with single-payer. You lose more credibility with each false attack, Catron.
Patients who don’t know anything about HIPAA would be averse to signing an opt-out form. “You mean that you’re going to give away my private information?!?” they ask skeptically. Even if you tell them that it’s only to make things easier so they can give it to other health providers involved in their care… you’ve lost the battle already. You brought up an issue they were ignorant about and made them feel insecure about their privacy rights.
“Neither Clinton’s plan nor Obama’s has anything to do with single-payer.”
Both plans create incentives for people to drop private coverage and go with some variety of government plan, as you would know if you had bothered to read them instead of just learning the talking points.
It is telling that you used this straw man to avoid my main point: that HIPAA is the product of the very kind of government involvement in health care that you advocate.
And since we’re on the subject of you failure to do your homework, you might be interested in knowing that HIPAA is just privacy law. It is a three-tiered regulatory morass that includes a draconian data reporting requirement which makes the Patriot Act look tame by comparison.
So, I don’t think I’m the one with the credibility problem, Graham.
I should never type when I’m irritated. That last paragraph should read as follows:
And since we’re on the subject of your failure to do your homework, you might be interested in knowing that HIPAA is not just a privacy law. It is a three-tiered regulatory morass that includes a draconian data reporting requirement which makes the Patriot Act look tame by comparison.
So, I don’t think I’m the one with the credibility problem, Graham.
Saying that the plans are similar to single-payer because they may encourage single-payer is like saying that bats are practically birds because they both fly.
I’m well aware of the fact that HIPAA does more than just privacy, but it’s the privacy problem that I’m most familiar with and the most frustrated with as a clinician.
If many patients just want to do what their doc tells them or prescribes, why not write an order on the chart suggesting the opt-out of HIPAA! If patients can’t remember what medicine to take for their hypertension, what’s the big deal with them not knowing about HIPAA!
Just trying to poke the lion!
Solution for multi-user system locking and accountability
To get around the issue of shared accounts we have begun using a product called “Unlock Administrator” http://www.e-motional.com/ULAdmin.htm Once the system is logged into using a generic username and password, it is locked in the standard Windows fashion, and the system is set to lock when the screensaver is activated as well.
This program allows you to select which users are able to unlock the system using their own Windows domain credentials. A log of when the system is locked and when and by whom it is unlocked is kept in a protected file as well as a Windows Event. Users don’t have read or write access to this file. This way we have complete knowledge of who used the account and when. Everyone uses their own password and no password needs to be shared.
Hope someone else finds this useful as well.
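The comment above leans on a product’s own log for “who unlocked the shared workstation, and when.” As an added example (not code from the original post and not related to the Unlock Administrator product), the PowerShell below builds the same kind of lock/unlock timeline from the built-in Windows Security log, using event 4800 (workstation locked) and 4801 (workstation unlocked), and then flags sessions that sat unlocked longer than a threshold, which is how you would check that the screensaver-lock policy the comment describes is actually being applied. It assumes the audit subcategory “Other Logon/Logoff Events” is enabled (otherwise 4800/4801 are never written) and that it runs with rights to read the Security log. The function names, the 15-minute threshold and the `unknown` session key are this example’s own choices. One caveat for the shared-account setup described above: with a plain Windows lock, the account recorded in 4801 is the generic account that logged on, so the per-person attribution the comment wants still needs the product’s log or individual logons; what this script gives you independently is the timestamps and the unlocked-duration check.

```powershell
# Added example: lock/unlock accountability from the Windows Security log.
# Requires audit subcategory "Other Logon/Logoff Events" (events 4800/4801)
# and rights to read the Security log (local admin or Event Log Readers).

function Get-LockUnlockTimeline {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Security'
        Id        = 4800, 4801                      # 4800 = locked, 4801 = unlocked
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors when nothing matches; treat that as an empty timeline.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        # Read named fields from the event XML instead of relying on positional Properties.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $action = if ($e.Id -eq 4801) { 'Unlocked' } else { 'Locked' }
        $session = if ($data['SessionId']) { $data['SessionId'] } else { 'unknown' }  # assumed fallback key

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = $action
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SessionId = $session
            Computer  = $e.MachineName
        }
    }
}

function Find-LongUnlockedSessions {
    # Pairs each Unlocked record with the next Locked record for the same session
    # and reports the ones that exceeded $MaxMinutes, plus sessions never re-locked.
    param(
        [object[]]$Timeline = @(),
        [int]$MaxMinutes = 15      # example threshold; match your screensaver-lock policy
    )

    $open = @{}   # SessionId -> the Unlocked record still waiting for its Locked partner
    foreach ($rec in $Timeline) {
        if ($rec.Action -eq 'Unlocked') {
            $open[$rec.SessionId] = $rec
        }
        elseif ($open.ContainsKey($rec.SessionId)) {
            $u = $open[$rec.SessionId]
            $minutes = ($rec.Time - $u.Time).TotalMinutes
            if ($minutes -gt $MaxMinutes) {
                [pscustomobject]@{
                    User       = $u.User
                    UnlockedAt = $u.Time
                    LockedAt   = $rec.Time
                    Minutes    = [math]::Round($minutes, 1)
                }
            }
            $open.Remove($rec.SessionId)
        }
    }
    # Unlocked with no later lock inside the window: still open, or lock never fired.
    foreach ($u in $open.Values) {
        [pscustomobject]@{ User = $u.User; UnlockedAt = $u.Time; LockedAt = $null; Minutes = $null }
    }
}

# Usage: unlock counts per account, then sessions left unlocked beyond the threshold.
$timeline = @(Get-LockUnlockTimeline -Days 7)
$timeline | Where-Object Action -eq 'Unlocked' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count
Find-LongUnlockedSessions -Timeline $timeline -MaxMinutes 15 | Format-Table -AutoSize
```

The window only covers lock/unlock pairs; the interval between the initial logon (event 4624) and the first lock is not measured here, and any unlock event whose lock falls outside the queried range shows up as a never-re-locked session rather than being silently dropped, so review those rows before treating them as policy violations.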