HIPAA

The removal of names from the doors in your hospital.

Does HIPAA **REALLY** require that?

That’s one of the biggest gripes I have with HIPAA, is people make up rules that don’t exist.

I’m a privacy officer at a large institution, and my biggest HIPAA gripes are the made up rules that don’t exist in the legislation or the regulation. I can’t tell you how many vendors call me to tell me all about what HIPAA requires. I’ll ask for the citation, and they start sputtering. My favorite was the three hour firewall.

I know of one hospital that seriously considered removing names from the bassinetts at the NICU. It was pointed out that no matter what the race, pretty much all neonates look the same, and the rule was quickly abandoned.

The privacy rule simply says that:

A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

I’ll agree that the privacy rule is onerous and burdensome, especially in a decentralized institution like the one I work for. But a lot of the confusion comes from HIPAA myths that simply aren’t in the regulations.

Hey, this HIPAA gripe is actually targeted toward you, somewhat directly. (Not that it is your fault, but it’s possible -though unlikely- you could cut some of this red tape).

We got an e-mail a few months ago that we had to complete an online training and test by 03/31/05. I know that federal regulations say that the institution has to comply with this testing for all it’s employees by 04/20. So I did the test earlier this month, 3 weeks before the deadline I was given. I thought all was cool.

Then, I get a letter from the Huntsville campus saying that it is not enough that I took the test and my score is recorded online, I need to print out my score and turn it into the office. Well, I’m in Birmingham this month, so I figured that I just needed to turn it into student affairs down here.

Nobody here knew what I was talking about. Birmingham students don’t have to print it out. Then I realized that maybe the paper copies were for Huntsville Hospital. (I’ll ignore the fact that I graduate in a month, I finished my last clinical rotation on Sunday, and I finished my last Huntsville rotaton in December. I want to comply.)

Well, I dropped a paper copy in the mail yesterday. It probably won’t get there by the deadline of 5pm tomorrow. So I figured I’d make some PDFs of the score and e-mail them to Huntsville, so they can print them out up there.

Resources spent by me to get this paper copy of my computer test to a Clinic/Hospital where I no longer work: approximately 3 hours and 37 cents. Amount of additional privacy afforded to patients: zero.

There is more to the privacy rule component. At the time there were also some new real cases:

1) An activist stole and publicized details regarding names and addresses of AIDS patients in an effort to embarass and ostracize them.

2) A hospital sold medical records to a drug company so that drug advertizing could be better targeted.

3) A hospital sold medical records to potential employers who wanted to investigate job candidates.

All of these cases were obviously unethical behavior. It came as a surprise to prosecutors, lawyers and legislators that they were also entirely legal. The tradition of medical privacy was embedded in the law with a doctor’s priveledge, but there was no legal protection against willing disclosure. All three cases were entirely legal and the patients were completely unprotected by the law.

So the charter was given to HIPAA to embody the current ethical practices into a legally enforceable form.

As usual, regulation is inefficient, implementations are poor, empire building and myths are rampant, etc. That there is no real change is actually intentional. The goal was not to change the norms of ethical behavior. It was to give a legal basis for enforcing the existing ethical behavior.

A strong part of this motivations was that the transition from paper to electronic records would also immensely increase the potential access to patient records by more people. In the paper records world it was difficult to exploit the records for unethical purposes, and the records were available primarily to people with strong ethical training. In the electronic world it is easy to exploit the records and many people who have access are from professions that lack strong ethical training.

As a parent who has had a concern severe enough to contact my public county officials, it has been more than disturbing to be told that under NO circumstances are the public servants allowed to advocate with a hospital due to HIPAA. In fact I was told their calling the hospital may well get them sued, so their attorneys have advised them not to. I was advised to contact the media (it was immediately taken care of that way)
This is a 4yr old child with facial damage from an accident and who needed surgery. The surgeon had secluded the surgery 5 times and canceled it due to operating room overbooking.
Due To HIPAA we were forced to have media attention shined on us, giving up all privacy of all kinds! It could have been taken care of quietly and privately by having the straight jacket of HIPAA striped away.

Brenda,
You bet others are in the same situation!  I tried today to talk to my daughter's psychiatrist – not to GET information but to give her some information – and was told "I'm sorry.  You're not on the HIPPA list".  That's right.  When my daughter becomes manic and delusional, she takes me off the list, along with anyone else who doesn't agree that "She's fine."  How can you ask a mentally ill patient how they are doing, when, in their opinion, everyone else has the problems – not her.  However, she is sleeping with friends, or in her car or the hospital waiting room, because she won't go home to her husband.  She talks (yells) incessantly, spends money like it is going out of style, and blames everyone else for not being educated about how to handle her.  How can she ever get help, if she won't let her family talk to her doctors? 
I'm sorry this is so incoherent, but this has been going on and getting worse and worse for the past 6 weeks.  But, as usual, a law with good intentions has some really bad results.  I, too, hate HIPPA.