The removal of names from the doors in your hospital.

Does HIPAA **REALLY** require that?

That’s one of the biggest gripes I have with HIPAA, is people make up rules that don’t exist.

I’m a privacy officer at a large institution, and my biggest HIPAA gripes are the made up rules that don’t exist in the legislation or the regulation. I can’t tell you how many vendors call me to tell me all about what HIPAA requires. I’ll ask for the citation, and they start sputtering. My favorite was the three hour firewall.

I know of one hospital that seriously considered removing names from the bassinetts at the NICU. It was pointed out that no matter what the race, pretty much all neonates look the same, and the rule was quickly abandoned.

The privacy rule simply says that:

A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

I’ll agree that the privacy rule is onerous and burdensome, especially in a decentralized institution like the one I work for. But a lot of the confusion comes from HIPAA myths that simply aren’t in the regulations.

Hey, this HIPAA gripe is actually targeted toward you, somewhat directly. (Not that it is your fault, but it’s possible -though unlikely- you could cut some of this red tape).

We got an e-mail a few months ago that we had to complete an online training and test by 03/31/05. I know that federal regulations say that the institution has to comply with this testing for all it’s employees by 04/20. So I did the test earlier this month, 3 weeks before the deadline I was given. I thought all was cool.

Then, I get a letter from the Huntsville campus saying that it is not enough that I took the test and my score is recorded online, I need to print out my score and turn it into the office. Well, I’m in Birmingham this month, so I figured that I just needed to turn it into student affairs down here.

Nobody here knew what I was talking about. Birmingham students don’t have to print it out. Then I realized that maybe the paper copies were for Huntsville Hospital. (I’ll ignore the fact that I graduate in a month, I finished my last clinical rotation on Sunday, and I finished my last Huntsville rotaton in December. I want to comply.)

Well, I dropped a paper copy in the mail yesterday. It probably won’t get there by the deadline of 5pm tomorrow. So I figured I’d make some PDFs of the score and e-mail them to Huntsville, so they can print them out up there.

Resources spent by me to get this paper copy of my computer test to a Clinic/Hospital where I no longer work: approximately 3 hours and 37 cents. Amount of additional privacy afforded to patients: zero.

There is more to the privacy rule component. At the time there were also some new real cases:

1) An activist stole and publicized details regarding names and addresses of AIDS patients in an effort to embarass and ostracize them.

2) A hospital sold medical records to a drug company so that drug advertizing could be better targeted.

3) A hospital sold medical records to potential employers who wanted to investigate job candidates.

All of these cases were obviously unethical behavior. It came as a surprise to prosecutors, lawyers and legislators that they were also entirely legal. The tradition of medical privacy was embedded in the law with a doctor’s priveledge, but there was no legal protection against willing disclosure. All three cases were entirely legal and the patients were completely unprotected by the law.

So the charter was given to HIPAA to embody the current ethical practices into a legally enforceable form.

As usual, regulation is inefficient, implementations are poor, empire building and myths are rampant, etc. That there is no real change is actually intentional. The goal was not to change the norms of ethical behavior. It was to give a legal basis for enforcing the existing ethical behavior.

A strong part of this motivations was that the transition from paper to electronic records would also immensely increase the potential access to patient records by more people. In the paper records world it was difficult to exploit the records for unethical purposes, and the records were available primarily to people with strong ethical training. In the electronic world it is easy to exploit the records and many people who have access are from professions that lack strong ethical training.

Well, the ONE thing that DOES exist under HIPAA is the pain in my wrist, caused by the staggering number of different forms to deal with who gets the information and who gets contacted.

Simply put–Why was there not ONE STANDARD FORM to list the person(s), doctor(s), and for billing–instead of each doctor/practice/etc. having their own?

I have to help out with my mom’s paperwork at each doctor’s office and hospital visit (ER and otherwise), and each place has its own form for HIPAA permission to see the data and results–AND it has to be done every year!!

What should happen is that there should be ONE standard form for HIPAA, and it should have the following:
1–Who is your primary doctor (where applicable)
2–Who can the doctor share info with (family members, billing for insurance, primary and other doctors)
3–Where and how can I be contacted (home or work, by phone/e-mail/answering machine/etc.)
4–Messages to call the doctor back, or remind patients of appointments, should be exempt from HIPAA requirements of privacy–in other words, reminders of appointment times, or doctors needing to leave a “call-me” message, should not automatically be considered priviledged information [i.e. test results] under HIPAA if patient gives the OK
5–The permission given should be good for FIVE or more years instead of one; the patient can be asked if there are any changes or can make needed changes themselves when they visit each doctor
(this can be revoked by the patient at any time).

I hate HIPPA because it has made obtaining medical care for my mentally ill son a nightmare.Hes 21 leagaly and 5 years old mentally.I am really upset that he lowest class of society will now suffer even more under the guise of a law to protect their employment,insurability and the like.He will never be able to work anywhere and at best he will recieve state medicaid for health care.Any one else in this situation?

HIPAA is a disaster for medicine.  I liked the honor system much better, and I thinked it worked just as well.  What patients don't know is that if they have an uncommon disorder, that HIPAA hurts their care.  Medicine is a team effort in such cases and requires everyone involved and even outside clinicians and medical students at teaching hospitals.   Putting the horse-blinders on a medical professional is ridculous.  It hurts patient care, it hurts medical education, it hurts harmless minimal risk research and surveys, and it hurts quality control.  Damn Shalala and her sister.  Medicine grew naturally out of curiosity about the human body and condition…consider Vesalius.  Robbing medical students of that experience is a travesty.  I knew a patient from Italy who advertized his name and entire history on the web, and he got the best medicine from a top university because he did.  Americans are way too paranoid… and for what?.  I believe patient's privacy to there individual caretaker if the patient wishes it, but there should be strong disclaimers that the more privacy, that there are risks too for our entire medical system and also the individual patient.  Note some doctors might like this policy if they give bad care!  We need carefully orchestrated transparency, but not this mess.