What Has HIPAA Done for the US?

Have you heard of HIPAA? It was the Congressional response to protect individual's privacy regarding health care enacted as part of the Health Insurance Portability and Accountability Act

It required the Secretary of Health and Human Services (HHS) to propose standards for the electronic transfer of information, protecting the privacy of individually identifiable health information by August 21, 1997. (Health State, US). By April 2004, all providers were expected to be in compliance with the regulation standards and standardized electronic code sets.

Theoretically

The HIPAA legislation should have created a centralized system of communications to allow data to flow freely electronically amongst providers and insurance companies ensuring patient privacy protection. Specifically, information related to AIDS, sexual diseases, lifestyle decisions and other potentially damaging information would have to be signed for and released by the patient to be allowed to be shared. In addition, patients would have to authorize the release of their records and patient information based upon occurrence, rather than in general.

I'm sure there were valid reasons for enacting this legislation. Someone must have had their records released against their wishes in order for this to become law or providers were scamming the system by duplicating and providing fraudulent records.

I understand the fear of having liability for releasing information that is not authorized. But in my opinion, this law is not practical given the current conditions of our health care system and it still hasn't dealt with the issue of stolen patient records or medicare fraud.

Instead of slapping a bandage on an escalating problem, why can't we come up with better solutions?

Practicality

You might have remembered that back in 2003 or 2004, it started. Every time you went to a doctor, you had to sign an acknowledgment that you were notified of your HIPAA rights. After the first time I was notified, that was enough but I guess the requirement is to notify and get your authorization every time. How many added sheets of paper and extra steps of processing did that require for each medical visit?

Just recently I learned doctor's offices do not share information. I had always listed my Primary Care Physician as my main doctor and assumed that my medical records were being forwarded to her so she would have a complete record of my care. It turns out that the term primary care physician means nothing. With HIPAA, doctor's offices are not allowed to share patient records with other doctors.

In practical terms, a) the patient must either keep a copy of all their own medical records so that they can provide history at a moment's notice, or b) the patient must run around and request individual permissions from each provider, or c) employees of medical offices must face the wrath of someone like me who has had many medical issues, many doctors visits and a poor memory of who did what procedure, and was really pissed off when I couldn't get copies of my medical file after I had switched doctors and needed certain records to compare my history before a pending biopsy.

In the business sector, when a company gets so large and dysfunctional that it can't operate anymore, it either goes out of business, gets bailed out by the government, or it gets bought out and forced to conform to a new set of standards.

Effectiveness

The HIPAA act was a great idea but in practical terms it seems to have just added more costs, more waiting, less efficiency and more confusion. The Centers for Medicare and Medicare Services have authority over code usage, employer identification numbers and national provider numbers. As of July 31^st, 2010, they had resolved 691 out of 724 complaints. In July 2009, the Office of Civil Rights (OCR) took over management of security and privacy complaints.

According to OCR they have had complaints affecting patient records. Business associate breaches accounted for about 20% of the complaints and affected about 1% of the patient information. Far more concerning was the theft and loss of computers and portable data drives. (Melamedia,Health Information Privacy/Security Alert) that affected almost a million people per occurrence and there were 6 of them.

To date, there has been little evidence suggesting that HIPAA complaints to OCR have prompted any criminal prosecutions by the Justice Department.

While I applaud efforts to streamline data and make it secure, the real solution seems to be out of grasp. How do we cut health care costs, streamline sharing of patient information and eliminate redundant and unnecessary administration.

Sources:

http://www.hipaa.org/

http://www.cms.gov/Enforcement/Downloads/EnforcementData0710.pdf

http://www.melamedia.com/HIPAA.Stats.home.html