HIPAA: a law gone too far?

The Health Insurance Portability and Accountability Act (HIPAA) was promoted to working-class employees as an improvement in their ability to keep themselves insured as they changed employers; hence the “Health Insurance Portability” in the title.

However, the big impact of the law has come from just one word in the title, and the last word to boot: Accountability. That is where all the big changes caused by the law have come from. It affects far more than insurance and could, in some circumstances, endanger your health.

The accountability portion of HIPAA has become <i>personal information confidentiality</i> instead. There is a lot to <a href="http://aspe.hhs.gov/admnsimp/index.shtml">HIPAA</a>, but for this article it can be summarized as follows: anything that allows access to or contains your personal information, such as your Social Security number or your employer’s copy of your sick leave request, has to be secured so that <b>no one</b> can get to it unless you have explicitly authorized them <b>and</b> they are required to have that information.

The good part is that “required to” is different from “requires.” A superior, even the top dog of the company, cannot simply say they require access to your health information and receive it. The HR person who handles absenteeism is “required to” have access in order to distinguish sick leave from other forms of time off.

The bad part is the “explicitly authorized.” Although your employer and insurance carrier have built authorization into some form of document you have already signed, your health care professionals cannot craft an adequate clause beyond cooperating with those two. At a conference I attended in March of 2005, one of the statistics disclosed was that there have been close to 1,6000 claims against health care services for violations of HIPAA confidentiality (unauthorized release of personal information), and over 800 have been found valid. Those 800 findings have averaged a fine of $250,000 each. No health care provider, whether an individual doctor’s practice or a large hospital, can afford to pay a quarter million dollar fine. Therefore all health care providers are being encouraged not only to take the required actions to prevent anyone from breaking in to their records, but also to take extraordinary actions to avoid giving out information. The recommendation that I heard was that when a provider, say your personal physician, receives a request for your records, they reject any documents provided by the requester and instead send back their own forms:

1) one that specifies your physician’s HIPAA policy

2) one that requires the requester to acknowledge and follow the policy by signing and returning it

3) one for the patient to fill out, sign and return to request/authorize the sharing of their records

The recommendation further suggested that when your physician receives the returned forms, they confirm their legitimacy by calling the patient or making some other form of live personal contact.

The rub comes when you need health care from more than one provider in an emergency. Think of the time delay while the emergency room staff gets a copy of your primary physician’s forms, gets you to fill them out (what if you are incapacitated?), returns them, they are verified, and your physician tries to make that live personal contact (again, what if you are incapacitated?) to confirm them.

Right now the patient is in absolute control, even though they sign away some of that control with each HIPAA disclosure form. Whether or not they know what is really in their best interest as far as distribution of their records goes, the law implicitly restricts that distribution on their behalf and they have to explicitly allow it.

It would be much better if health care services could develop a web of trust. A physician could determine that the hospital(s) they work with are trustworthy (after all, they already work with them), so that when there is a requirement for the hospital to have access to the patient’s records, such as an ER visit, the records are easily distributed within proper need-to-know channels. The hospital, of course, would trust its physicians, having already granted them hospital privileges. Then you would have hospitals that trust other hospitals and, implicitly, their physicians.

There are examples of a “web of trust” working today. A method of signing and/or encrypting documents known as PGP can employ a web of trust. PGP works with public and private keys; the public keys are freely distributed. The web of trust comes into play when person A obtains person C’s public key but cannot confirm directly that it really is person C’s. If person B has signed person C’s key, asserting that B verified it belongs to C, and person A trusts person B both to hold a genuine key and to do such verification carefully, then A can rely on that web of trust to also trust person C’s key.
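The key-validity computation described above, worked through as an added example (this is not code from the original post or from any PGP implementation). It follows the shape of GnuPG’s classic trust model: a signature on a key only counts if the signer’s own key is already valid, and it is weighted by the owner trust you have assigned to that signer. The names, signatures and trust assignments are constructed; Alice plays person A, Bob person B and Carol person C, and the thresholds are GnuPG’s documented defaults.

```python
"""Web-of-trust key validity, modelled on the GnuPG trust model.

Added example, not code from the original post. Names, signatures and
trust assignments below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class OwnerTrust(IntEnum):
    """How much you trust a key's owner to verify *other* people's keys."""
    UNKNOWN = 0
    MARGINAL = 1
    FULL = 2
    ULTIMATE = 3   # your own key


@dataclass
class Key:
    owner: str
    # Owners whose keys have certified (signed) this key's identity.
    signed_by: set[str] = field(default_factory=set)


# GnuPG's default thresholds for the classic trust model.
COMPLETES_NEEDED = 1   # one FULL/ULTIMATE signer suffices
MARGINALS_NEEDED = 3   # otherwise three MARGINAL signers
MAX_CERT_DEPTH = 5     # how long a chain of introducers may get


def compute_validity(keyring: dict[str, Key],
                     owner_trust: dict[str, OwnerTrust]) -> dict[str, bool]:
    """Return {owner: True if that owner's key is considered genuine}.

    A signature only counts if the signer's own key is already valid, and
    it is weighted by the owner trust *you* assigned to that signer.
    Validity spreads outward one depth level per round.
    """
    def trust(name: str) -> OwnerTrust:
        return owner_trust.get(name, OwnerTrust.UNKNOWN)

    # Depth 0: keys you marked ULTIMATE (normally just your own).
    valid = {name: trust(name) == OwnerTrust.ULTIMATE for name in keyring}

    for _depth in range(MAX_CERT_DEPTH):
        newly_valid = []
        for name, key in keyring.items():
            if valid[name]:
                continue
            signers = [s for s in key.signed_by if valid.get(s, False)]
            full = sum(1 for s in signers if trust(s) >= OwnerTrust.FULL)
            marginal = sum(1 for s in signers if trust(s) == OwnerTrust.MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.append(name)
        if not newly_valid:
            break
        for name in newly_valid:   # apply after the pass so depth is honoured
            valid[name] = True
    return valid


def build_example_keyring() -> tuple[dict[str, Key], dict[str, OwnerTrust]]:
    """Constructed keyring: Alice is 'person A', Bob 'person B', Carol 'person C'."""
    keyring = {
        "alice":   Key("alice"),
        "bob":     Key("bob",     signed_by={"alice"}),
        "carol":   Key("carol",   signed_by={"bob"}),           # only Bob vouches
        "pat":     Key("pat",     signed_by={"alice"}),
        "quinn":   Key("quinn",   signed_by={"alice"}),
        "ray":     Key("ray",     signed_by={"alice"}),
        "erin":    Key("erin",    signed_by={"pat", "quinn", "ray"}),
        "frank":   Key("frank",   signed_by={"pat", "quinn"}),  # one marginal short
        "mallory": Key("mallory"),
        "dave":    Key("dave",    signed_by={"mallory"}),       # unknown signer
    }
    owner_trust = {
        "alice": OwnerTrust.ULTIMATE,
        "bob":   OwnerTrust.FULL,       # Alice trusts Bob to verify others
        "pat":   OwnerTrust.MARGINAL,
        "quinn": OwnerTrust.MARGINAL,
        "ray":   OwnerTrust.MARGINAL,
    }
    return keyring, owner_trust


if __name__ == "__main__":
    keyring, owner_trust = build_example_keyring()
    for owner, ok in compute_validity(keyring, owner_trust).items():
        print(f"{owner:8s} {'valid' if ok else 'NOT valid'}")
```

Two things the prose glosses over show up in the code. First, key validity (is this really Carol’s key?) and owner trust (do I trust Carol to vouch for others?) are separate decisions; Bob’s signature on Carol’s key makes Carol’s key valid, but Carol cannot introduce anyone until Alice also assigns her owner trust. Second, an unknown signer such as Mallory contributes nothing, and two marginal signers are not enough, so Dave’s and Frank’s keys stay unverified. In the post’s proposal, the hospitals that credential a physician would sign the physician’s key and hospitals would assign owner trust to one another.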

Finally, if such a web of trust can be developed and the subjects of the records, rather than each individual receiver, are given control over how and when they are distributed, an organization can be formed to care for the records. The subject of the records absolutely should have control over how and when their records are distributed. They should be able to say that only in case of an emergency should their records be released to an emergency facility. They should be able to block distribution to pharmaceutical companies and even researchers, whether in detail or as part of a summary. They should also be able to rest assured that in an emergency where they may be unconscious, those trying to save them have rapid access to critical information that could make the difference between life and death. A universal organization can operate 24/7 and have the resources to ensure that operation with staffing, duplicate equipment, and backups of the records. What percentage of physicians (the holders of the biggest share of the records) can provide around-the-clock access to their records storage, let alone rapid access for a hospital that may be on the other side of the continent, where you are on vacation and got into a car crash?

In fair disclosure, if you haven’t looked at my personal page, you should know that I work in computers and that my customers are covered by HIPAA to various degrees, and thus I am affected by HIPAA.
