Expert Gives Accounting Of HIPAA's Impact—So Far

The movement toward electronic medical records and the privacy and security requirements around electronic medical records embodied in the Health Insurance Portability and Accountability Act (HIPAA) are a revolution in the making for American medicine.

It is one that carries serious implications for confidentiality of medical and psychiatric records, said Richard K. Harding, M.D., in the lecture“ The Psychiatrist's Duty to Protect Medical Privacy and Community Health” at APA's Institute on Psychiatric Services last month in Atlanta.

It also comes with a hefty price tag: the average hospital has already spent between $500,000 and $3 million to meet HIPAA requirements, said Harding.

Meanwhile, imminent technological advances associated with the move toward electronic medical records are likely to rush medicine into a brave new world. Prominent among these is a microchip that would be placed into a patient's triceps upon admission to the hospital, allowing the patient to be efficiently tracked throughout the hospital stay. The chip is expected to increase efficiency of record keeping and cut down on medical errors.

“It's coming,” Harding said. “The changes are dramatic and about to explode.”

Yet any number of uncertainties about how these changes will interface with medical ethics—and about how the privacy and security requirements in HIPAA will play out against countervailing forces claiming a right to information—remain to be clarified. Many of these uncertainties are destined for litigation, Harding said.

Some of them pit HIPAA requirements and the physician's traditional ethical responsibility to protect confidentiality against efforts to prevent terrorism. Harding emphasized that the U.S.A. Patriot Act allows federal agents to enter a physician's office without a warrant and demand the release of “tangible things” to protect against terrorism; moreover, the provision also comes with a gag order—a prohibition against telling anyone that the action has been taken.

“This is a potential abridgement of the First and Fourth amendments,” Harding said. “That is the kind of thing that is going on that brings HIPAA up against very powerful forces. And it is something that we have to be constantly vigilant about.”

Harding is a professor and chair of the department of neuropsychiatry and behavioral science at the University of South Carolina School of Medicine in Columbia, S.C. He served as president of APA for the 2001-02 term and is now a member of the APA Corresponding Committee on Confidentiality. He has been a member of the National Committee on Vital and Health Statistics of the Department of Health and Human Services (HHS) since 1998.

Harding placed the movement for electronic medical records against the backdrop of rising health care costs, diminishing access, and the still-persistent demand among Americans for the latest technological and pharmacological innovations and freedom of choice of physicians.

Within this environment efficiency has become everyone's fall-back answer for how to control costs—and what efficiency has come to mean, aside from eliminating fraud and abuse, is electronic medical records. In fact, a staple of the health care plans of both candidates in the U.S. presidential contest was electronic medical records, Harding noted.

He added that an indication of the momentum behind electronic medical records is the fact that National Health Information Technology Coordinator David Brailer, M.D., Ph.D., was named the most powerful person in health care today in a survey of health care leaders by the magazine Modern Healthcare.

Brailer was appointed to the position earlier this year by HHS Secretary Tommy Thompson. The position was created at HHS by President George W. Bush to coordinate the nation's health information technology efforts.

Yet Harding reminded session participants that HIPAA, passed in 1996, originally had nothing to do with privacy or security of medical records, but was intended to provide for portability of health insurance between job changes.

Without any hearing or debate on the floor, said Harding, “something was tacked onto the bill” late in the process. “That something was called `administrative simplification.'”

Administrative simplification meant three far-from-simple things: a national health information infrastructure, federal privacy protections, and a unique national patient identifier. The latter was to be a biologic marker or alphanumeric identifier—not a person's Social Security number—that would serve as a personal identifier within the national health information infrastructure.

The identifier was one item that, while not eliminated, was put in abeyance by an amendment supported by APA that prohibited the federal government from providing funding for the unique identifier, Harding said.

HIPAA was groundbreaking, providing the first federal standards for privacy, confidentiality, and security of individually identifiable health information. Health plans, physicians and other providers, and health clearinghouses—those entities, for instance, that format and process physicians' CPT codes for insurance companies—must comply with the standards.

As of April 2003 physicians were required by the law to notify patients of their privacy rights under the law and how their information will be used, to document procedures for protecting and securing health information and train employees in the procedures, to designate a privacy officer, and to secure patient records.

But Harding stressed that the privacy and security requirements in HIPAA are preempted by state laws that may be much stricter. “HIPAA is a floor,” he said. “You may be doing what HIPAA says, but there may be state laws that say you have to do better. HIPAA isn't the ultimate, but the base on which all of us are encouraged to practice.”

A number of questions about the law await resolution, most likely in the courts. Among them: Who is responsible for breaches of privacy and security of information by business associates who have access to patient information? How much information are patients' relatives entitled to? How much and what kind of information can be divulged to public health agencies or to schools seeking immunization records?

In the case of the latter, Harding said it has happened that children have had to receive all new vaccinations after they move with a family to new location because a physician in the former location refuses to release vaccination records on the grounds that a school is not a covered entity under the law.

He described a scenario in which a family moved from Chicago to Atlanta with three school-age children. From the new location, the parents called the physician in Chicago and requested that he send vaccination records for the children to the new school in Atlanta. The physician refused to do so without written authorization, signed by the parents; the parents asked whether they could fax the authorization, but the physician insisted that they return to Chicago to provide a “live” signature.

“Some lawyer convinced that doctor that if he gives away that information, he will go to jail and get fined a quarter-million dollars,” Harding said. “Now many doctors refuse to divulge any health information without authorization.”

In the meantime, Harding advised that the surest path to securing information was to formalize policies and distribute those policies to employees. Files should be locked and access should be limited. Workstation guidelines should be developed, as should a system for tracking who has access to patient information. And policies should be developed around terminated, possibly disgruntled, employees who may have had access to patient information, Harding said.

Updated information on HIPAA is posted at the HHS Web site at<www.hhs.gov/ocr/hipaa/>.▪