June 9, 2006

HIPAA apparently lacks teeth — but does it really matter?

An alarmist article in the Washington Post on June 5 indicates that the Department of Health and Human Services' Office of Civil Rights, the organization responsible for enforcing HIPAA, hasn't levied fines. Comparisons are made to other laws regulating businesses which are heavily enforced, with massive fines resulting from violations. There are a few flaws with this comparison, but I'll address those in a little while.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

Emphasis mine. HIPAA is incredibly inconvenient a lot of the time. While you might be tempted to say "So what. Deal with it." — consider this very common scenario:

Your elderly grandmother is disabled and you are her primary caretaker. You do her taxes, you get her prescriptions, you cart her to and from doctors' appointments, and you handle all of her finances. You need a copy of her patient profile from last year so you can do her taxes and file for housing assistance. You go to the pharmacy and they deny you this information. They know who you are, they know your grandmother. They know you take care of your grandmother, but they can't give you that information because you don't have power of attorney, and you're not authorized to access her medical records. Talk about a mess.

This happens all the time in the Real World, and this is one of the problems with HIPAA. In theory, HIPAA is a great idea, and I don't debate that such a law was needed in this "Information Age." But it creates just as many problems as it solves. Doctors sharing information with other doctors, pharmacists, and other providers is now much more complicated, and can be problematic in an emergency situation — an unconscious patient cannot sign a release form.* Now on with the article:

The government has "closed" more than 73 percent of the cases — more than 14,000 — either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

To this I say, "hurrah!" Most HIPAA violations occur because people don't know the law. I, for one, do not know all the aspects of it. I might have violated some HIPAA statutes, and I wouldn't know it. This is certainly true for those not educated as well — pharmacy techs, medical assistants, etc. who may wear a white coat or dress in scrubs but are little different than any other unskilled laborer. It's simply not possible to not allow these people to have access to private health information (PHI); they need it to do their jobs. Education, then, is the best deterrent.

Levying a huge fine on a person or organization (depending on the severity and if there was any malicious intent behind the disclosure) isn't going to stop accidents. It's just going to drive up medical costs, because the cost of that fine is going to be passed directly on to the consumers. That is, the patients.

What is needed is some way to check up on those who have had HIPAA violations in the past, and to punish repeat offenders. Giving a health organization a chance to clean up its act before dropping hefty fines on it is different than giving an accountant who is willfully cooking the books a second chance. It is an accountant's job to know the law — that's one of the two reasons his position exists. It is not an unskilled medical laborer's job to be an expert in matters of law. Doctors, pharmacists, and others should be versed in HIPAA, but expecting all personnel to be intimately familiar with it is unreasonable. Again, education of these people will be a far more effective deterrent to violations than levying fines.

They say the administration's decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.

Lack of enforcement on the agency's part doesn't mean that patients cannot file civil suits if they wish.

"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University. "They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."

I think we're dangerously close to a statement that's meaningless. A patient who has a doctor who will use their information in malicious ways has bigger problems than HIPAA violations. I can't speak for insurers — they may be more cavalier with PHI, but I doubt it. The potential risk doesn't outweigh any short-term benefit they may gain by forcing someone out of a given plan. Juries love to side with patients against large corporations. It just feels good.

There is a difference between accidental disclosure and intentional disclosure, and the HHS knows this, as the article indicates. Flagrant violators with intent to profit from the illegal disclosure of private information have been prosecuted criminally:

His office has referred at least 309 possible criminal violations to the Justice Department. Officials there would not comment on the status of those cases other than to say they would have been sent to offices of U.S. attorneys or the FBI for investigation. Two cases have resulted in criminal charges: A Seattle man was sentenced to 16 months in prison in 2004 for stealing credit card information from a cancer patient, and a Texas woman was convicted in March of selling an FBI agent's medical records.

Will the light-handed enforcement of HIPAA lead to lackadaisical adherence to the law?

But privacy advocates say the lack of civil fines has sent a clear message that health organizations have little to fear if they violate HIPAA.

"It's not being enforced very vigorously," said William R. Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington. "No one is afraid of being fined or getting bad publicity. . . . As long as they respond, they essentially get amnesty."

But there's nothing wrong with this if the entity involved in the violation responds. The whole point of the fine is that it is the stick that will ensure compliance. If the entity complies when the HHS gets involved, everyone wins. If there's a fine involved, then the health care agency loses — at the expense of their own patients, even though the end result is the same (HIPAA compliance).

There does need to be a way to track and punish repeat offenders. Those organizations that have violated HIPAA in the past should be put on notice that repeat violations will not be tolerated. Measures like this would make an organization more scrupulous about keeping its nose clean, out of fear of further violations, than oversight by an outside agency like the HHS would. In-house housekeeping is far more effective than Big Brother watching. A strange parallel here is the issue of censorship in China. By and large the population polices itself far better than the government itself could — fear of random investigation means people censor themselves. The same principle would be true if violators were subject to random periodic inspections.

Goldman and other privacy advocates point to numerous reports of health information being made public without patients' consent — the recent theft of millions of veterans' records that included some medical information, a California health plan that left personal information about patients posted on a public Web site for years, and a Florida hospice that sold software containing personal patient information to other hospices.

Again, this doesn't really prove anything. If the disclosures were accidental, a fine serves no purpose, and the problem goes away, permanently, because if it doesn't, the organization knows it's in some serious hot water.

In the meantime, Goldman said, surveys continue to show that for fear that their medical information will be used against them, people avoid seeking treatment when they are sick, pay for care out of pocket, or withhold important details about their health from their doctors.

"The law came about because there was a real problem with people having their privacy violated — they lost jobs, they were embarrassed, they were stigmatized. People are afraid. The law was put in place so people wouldn't have to choose between their privacy and getting a job or going to the doctor," said Goldman, who also heads the Health Privacy Project, a Washington-based advocacy group. "That's still a huge problem."

HIPAA was never going to change public perception. People will be paranoid so long as they have to share intimate details with another human being who could be put in a position to judge them for their inadequacies. There is a strange interpersonal dynamic between a patient and a doctor — one has power over the other, and there will always be the potential for fear and abuse when such a dynamic exists. No amount of legislation will ever change this; it is simply the nature of medicine.

On top of this, HIPAA exists to fix a problem that never really existed. Again, legislation will never change a person's perceptions.

* An unlikely example, but you get the idea.

| 11:48 pm |

1 Comment »

  1. I really need some help. I was violated. please call 901-490-1199.

    Comment by Georgette Brooks — February 7, 2008 @ 8:47 pm
