The movement toward electronic medical records and the privacy and security
requirements around electronic medical records embodied in the Health
Insurance Portability and Accountability Act (HIPAA) are a revolution in the
making for American medicine.
It is one that carries serious implications for confidentiality of medical
and psychiatric records, said Richard K. Harding, M.D., in the lecture
"The Psychiatrist's Duty to Protect Medical Privacy and Community
Health" at APA's Institute on Psychiatric Services last month in
It also comes with a hefty price tag: the average hospital has already
spent between $500,000 and $3 million to meet HIPAA requirements, said
Meanwhile, imminent technological advances associated with the move toward
electronic medical records are likely to rush medicine into a brave new world.
Prominent among these is a microchip that would be placed into a patient's
triceps upon admission to the hospital, allowing the patient to be efficiently
tracked throughout the hospital stay. The chip is expected to increase
efficiency of record keeping and cut down on medical errors.
"It's coming," Harding said. "The changes are dramatic
and about to explode."
Yet any number of uncertainties about how these changes will interface with
medical ethics—and about how the privacy and security requirements in
HIPAA will play out against countervailing forces claiming a right to
information—remain to be clarified. Many of these uncertainties are
destined for litigation, Harding said.
Some of them pit HIPAA requirements and the physician's traditional ethical
responsibility to protect confidentiality against efforts to prevent
terrorism. Harding emphasized that the U.S.A. Patriot Act allows federal
agents to enter a physician's office without a warrant and demand the release
of "tangible things" to protect against terrorism; moreover, the
provision also comes with a gag order—a prohibition against telling
anyone that the action has been taken.
"This is a potential abridgement of the First and Fourth
amendments," Harding said. "That is the kind of thing that is
going on that brings HIPAA up against very powerful forces. And it is
something that we have to be constantly vigilant about."
Harding is a professor and chair of the department of neuropsychiatry and
behavioral science at the University of South Carolina School of Medicine in
Columbia, S.C. He served as president of APA for the 2001-02 term and is now a
member of the APA Corresponding Committee on Confidentiality. He has been a
member of the National Committee on Vital and Health Statistics of the
Department of Health and Human Services (HHS) since 1998.
Harding placed the movement for electronic medical records against the
backdrop of rising health care costs, diminishing access, and the
still-persistent demand among Americans for the latest technological and
pharmacological innovations and freedom of choice of physicians.
Within this environment efficiency has become everyone's fall-back answer
for how to control costs—and what efficiency has come to mean, aside
from eliminating fraud and abuse, is electronic medical records. In fact, a
staple of the health care plans of both candidates in the U.S. presidential
contest was electronic medical records, Harding noted.
He added that an indication of the momentum behind electronic medical
records is the fact that National Health Information Technology Coordinator
David Brailer, M.D., Ph.D., was named the most powerful person in health care
today in a survey of health care leaders by the magazine Modern
Brailer was appointed to the position earlier this year by HHS Secretary
Tommy Thompson. The position was created at HHS by President George W. Bush to
coordinate the nation's health information technology efforts.
Yet Harding reminded session participants that HIPAA, passed in 1996,
originally had nothing to do with privacy or security of medical records, but
was intended to provide for portability of health insurance between job
Without any hearing or debate on the floor, said Harding, "something
was tacked onto the bill" late in the process. "That something was
called 'administrative simplification.'"
Administrative simplification meant three far-from-simple things: a
national health information infrastructure, federal privacy protections, and a
unique national patient identifier. The latter was to be a biologic marker or
alphanumeric identifier—not a person's Social Security number—that
would serve as a personal identifier within the national health information
The identifier was one item that, while not eliminated, was put in abeyance
by an amendment supported by APA that prohibited the federal government from
providing funding for the unique identifier, Harding said.
HIPAA was groundbreaking, providing the first federal standards for
privacy, confidentiality, and security of individually identifiable health
information. Health plans, physicians and other providers, and health
clearinghouses—those entities, for instance, that format and process
physicians' CPT codes for insurance companies—must comply with
As of April 2003 physicians were required by the law to notify patients of
their privacy rights under the law and how their information will be used, to
document procedures for protecting and securing health information and train
employees in the procedures, to designate a privacy officer, and to secure
But Harding stressed that the privacy and security requirements in HIPAA
are preempted by state laws that may be much stricter. "HIPAA is a
floor," he said. "You may be doing what HIPAA says, but there may
be state laws that say you have to do better. HIPAA isn't the ultimate, but
the base on which all of us are encouraged to practice."
A number of questions about the law await resolution, most likely in the
courts. Among them: Who is responsible for breaches of privacy and security of
information by business associates who have access to patient information? How
much information are patients' relatives entitled to? How much and what kind
of information can be divulged to public health agencies or to schools seeking
In the case of the latter, Harding said it has happened that children have
had to receive all new vaccinations after they move with a family to a new
location because a physician in the former location refuses to release
vaccination records on the grounds that a school is not a covered entity under
He described a scenario in which a family moved from Chicago to Atlanta
with three school-age children. From the new location, the parents called the
physician in Chicago and requested that he send vaccination records for the
children to the new school in Atlanta. The physician refused to do so without
written authorization, signed by the parents; the parents asked whether they
could fax the authorization, but the physician insisted that they return to
Chicago to provide a "live" signature.
"Some lawyer convinced that doctor that if he gives away that
information, he will go to jail and get fined a quarter-million
dollars," Harding said. "Now many doctors refuse to divulge any
health information without authorization."
In the meantime, Harding advised that the surest path to securing
information was to formalize policies and distribute those policies to
employees. Files should be locked and access should be limited. Workstation
guidelines should be developed, as should a system for tracking who has access
to patient information. And policies should be developed around terminated,
possibly disgruntled, employees who may have had access to patient
information, Harding said.
Updated information on HIPAA is posted at the HHS Web site at <www.hhs.gov/ocr/hipaa/>.