While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.
Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.
Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.
Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information and Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA, promulgated to create incentives to facilitate the development of healthcare information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.
Continue reading “Another Law Raising the Cost of Health Care”
Filed Under: OP-ED, THCB
Tagged: HHS, HIPAA, HIPAA Omnibus Rule, HIT, HITECH Act, Josh Tenzer, Patient privacy
Nov 21, 2013
Thanks to the flood of new data expected to enter the health field from all angles–patient sensors, public health requirements in Meaningful Use, records on providers released by the US government, previously suppressed clinical research to be published by pharmaceutical companies–the health field faces a fork in the road, one direction headed toward chaos and the other toward order.
The road toward chaos is forged by the providers’ and insurers’ appetites for categorizing us, marketing to us, and controlling our use of the health care system, abetted by lax regulation. The alternative road is toward a healthy data order where privacy is protected, records contain more reliable information, and research is supported or even initiated by cooperating patients.
This was my main take-away from a day of meetings and a panel held recently by Patient Privacy Rights, a non-profit for whom I have volunteered during the past three years. The organization itself has evolved greatly during that time, tempering much of the negativity in which it began and producing a stream of productive proposals for improving the collection and reuse of health data. One recent contribution consists of measuring and grading how closely technology systems, websites, and applications meet patients’ expectations to control and understand personal health data flows.
With sponsorship by Microsoft at their Innovation and Policy Center in Washington, DC, PPR offered a public panel on privacy–which was attended by 25 guests, a very good turnout for something publicized very modestly–to capitalize on current public discussions about government data collection, and (without taking a stand on what the NSA does) to alert people to the many “little NSAs” trying to get their hands on our personal health data.
It was a privilege and an eye-opener to be part of Friday’s panel, which was moderated by noted privacy expert Daniel Weitzner and included Dr. Deborah Peel (founder of PPR), Dr. Adrian Gropper (CTO of PPR), Latanya Sweeney of Harvard and MIT, journalist Sydney Brownstone of Fast Company, and me. Although this article incorporates much that I heard from the participants, it consists largely of my own opinions and observations.
Continue reading “Chaos and Order: An Update From Patient Privacy Rights”
Filed Under: Uncategorized
Tagged: Adrian Gropper, Andy Oram, Big Data, HIEs, HIPAA, Hospitals, Meaningful Consent, Patient privacy, Patient Privacy Rights
Oct 16, 2013
Henrietta Lacks did not give researchers permission to take her cancer cells and study them. After she died in 1951, her family was not asked permission as her immortalized cells were used in countless laboratories. This month, the National Institutes of Health finally took a step in righting that wrong, announcing that the Lacks family would help decide who can access Henrietta’s DNA.
Today, getting a patient’s permission, often in writing, is standard in experimental medical research. Well, not always. Currently, there are at least nine ongoing studies involving 62 U.S. cities and towns with a combined population of more than 45 million that do not involve getting permission. They take place during emergencies, such as when ambulances arrive at an accident where patients are too injured to give permission.
For example, imagine this scenario based on a recent study sponsored by the University of Washington. You are involved in a car accident. Paramedics find you bleeding severely. They give you fluids to keep your blood pressure up, but they intentionally give you a bag of fluid that is smaller than the standard. Then they monitor your medical outcome and compare it with patients who received the larger amount of fluids. During the emergency, neither you nor your family know about the study.
Research on medical emergencies is vital in determining how to care for people with life-threatening injuries because we often do not have proof that standard methods are the best. People involved should be told that is how their records are being used.
In 1996, the Department of Health and Human Services and the Food and Drug Administration passed regulations allowing research about emergency treatment to occur without permission. For a study to qualify, patients need to have a life-threatening condition, current standards of care must be unproven or performing poorly, and obtaining permission must not be feasible (such as an unconscious patient or a patient whose condition does not allow time for informed consent).
Continue reading “When Opting Out Is Not an Option”
Filed Under: OP-ED
Tagged: Clinical Trials, Henrietta Lacks, Katherine Chretien, medical research, NIH, Patient privacy, Patients
Aug 31, 2013
Secrecy breeds suspicion. The role of secrecy in health care is practically non-existent so when we see examples of secrecy, as in the operational details of the Federal Data Services Hub, we get the recent outcry from a range of politicians and journalists waving privacy flags. For Patient Privacy Rights, this is a teachable moment relative to both advocates and detractors of the Affordable Care Act.
There’s a clear parallel between the recent concerns around NSA communications surveillance and health care surveillance under the ACA. Some surveillance is justified, to combat terrorism and fraud respectively, but unwarranted secrecy breeds suspicion and may not help our civil society.
“The Hub” is described by the government as:
“For all marketplaces, CMS [the Centers for Medicare and Medicaid Services] is also building a tool called the Data Services Hub to help with verifying applicant information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs. The hub will provide one connection to the common federal data sources (including but not limited to SSA, IRS, DHS) needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.
CMS has completed the technical design, and reference architecture for this work, is establishing a cross-agency security framework as well as the protocols for connectivity, and has begun testing the hub. The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.”
Here’s where the secrecy comes in: I tried to find out some specific information about the Hub. Technical or policy details that would enable one to apply Fair Information Practice Principles? Some open evidence of privacy by design? Some evidence of participation by privacy experts? I got nothing. Where’s Mr. Snowden when we need him?
Continue reading “The Federal Health Data Services Hub Hubbub”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, data breaches, Federal Data Services Hub, HHS, NSA, Patient privacy, Privacy, The Affordable Care Act
Aug 15, 2013
At my infectious-diseases clinic in Southeast Washington, I work with some of the city’s most indigent patients. Some don’t have jobs, a home, a car or enough to eat. But recently, I saw a patient whose problem made these issues seem trivial.
Dealing with fatigue, a cough and a fever for several months, this woman in her 40s had been evaluated by four internists. They had tested her for a variety of conditions but not HIV. Each had recommended rest, two prescribed antibiotics, and one suggested an over-the-counter cough medicine. Experiencing no physical relief from these suggestions, the woman had decided to “lay down and die.”
However, after her longtime partner insisted she get medical help, she agreed to go to a hospital emergency room. After a rapid test, which she initially refused because she said she was not at risk for HIV, she learned that she was HIV-positive.
After that ER visit, she brought her partner, whom she credits with saving her life, to my clinic to be tested; she was concerned that she had transmitted the virus to him. He tested positive. About a week later, when he accompanied her to an appointment with me, I asked if he had been seen by a doctor to discuss treatment. He said no and indicated that he wanted to establish care in the clinic.
When I asked if he had ever been on HIV drugs, he gazed at the medication chart and pointed out his previous regimen, a cocktail that contained indinavir. Because I and many other doctors stopped prescribing this medication a decade ago, I knew he had been keeping his condition from her for years. He stopped talking and avoided my gaze. It was clear he knew that I had learned his secret. I had many questions for him; but this visit was for her.
It was not the right moment to dredge up this history and ask how he could keep his diagnosis hidden while watching his partner struggle with her health. I chose not to ask about his dishonesty, their relationship and whether they had used condoms to protect her from getting HIV. At this point, I needed to help her understand that, even though she felt weak and sick, the medications would soon make her feel better. And that, with the right treatment, she could still live a long life.
While talking with my patient about her treatment, my mind kept wandering back to her partner’s secret. Was it my role to admonish him in front of her, or would that make things worse? What would they say to each other when they got home? I wanted to discuss these questions, but did I have a right to insert my judgment into this situation? At a private visit with me two weeks later, she let me know that this was the moment she realized he’d been keeping his diagnosis from her for years.
As a physician, I am not allowed to reveal any medical information about my patients or their circumstances without their written permission. This confidentiality is sacred. But in this case, that constraint felt inappropriate and irresponsible.
Continue reading “Should Doctors Keep Patients’ HIV Status a Secret?”
Filed Under: Physicians, THCB, The Insider's Guide To Health Care
Tagged: CDC, confidentiality, doctor/ patient relationship, HIPAA, HIV/AIDS, infectious diseases, Lisa Fitzpatrick, Patient privacy, Patients, Physicians
Aug 11, 2013
As my head reels at the implications of the IRS scandal mushrooming in Washington, the IRS’s recently disclosed ability to access e-mails without warrant, the intricacy of the NSA PRISM wiretap techniques that include their ability to acquire tech firms’ digital data, and even the Justice Department’s ability to secretly acquire telephone toll records from the Associated Press, I wonder (as a doctor) what all this means for the privacy protections afforded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in our new era of mandated electronic medical records. Are such privacy protections credible at all?
It doesn’t seem so.
Now it seems everyone’s health data is just as vulnerable to federal review as their Google search data. This is not a small issue. We have already seen that discovering “leaks” of personal health information has produced some very handsome rewards for the feds, so it is not beyond reason to think that HIPAA might also be a funding tool for our government health care administration disguised as a beneficent effort to protect the health care data of our populace.
But even more concerning is the role the IRS scandal has for America’s health care system. After all, the Affordable Care Act is ultimately funded by the IRS by administering some 47 tax provisions. These include the right to levy a penalty against businesses and individuals who don’t provide or acquire insurance and determining how to distribute annual subsidies to 18 million people who make less than $45,000 a year and thus qualify for subsidies in buying health coverage. In addition, the agency will collect taxes on medical devices and a surtax on people making more than $200,000 a year, as well as conducting compliance audits of tax-exempt hospitals.
Continue reading “The IRS Scandal: Implications for HIPAA and the Affordable Care Act”
Filed Under: OP-ED, THCB
Tagged: Data, Dr. Wes, HIPAA, IRS, NSA, Patient privacy, Patients
Jun 11, 2013
There aren’t many who would quibble with an argument that those with severe mental illness—specifically, individuals “who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise have been [legally judged] to have a severe mental condition that results in the individuals presenting a danger to themselves or others”—should not be able to purchase firearms. Right? Right.
Making that law isn’t actually the trouble (expanding background checks is, of course, a different story). It’s already law, and has been on the books for a while. The trouble is enforcing it.
The federal government maintains the National Instant Criminal Background Check System (NICS), a database of people who are federally prohibited from purchasing guns, including felons, people convicted of domestic violence, and individuals who meet the extreme mental illness criteria above. Except:
Federal law does not require State agencies to report to the NICS the identities of individuals who are prohibited by Federal law from purchasing firearms, and not all states report complete information to the NICS.
To recap: We have federal criteria that prohibit certain individuals from buying firearms. The feds maintain a database of known individuals for background checks (which take 30 seconds, per the regulation). But states aren’t required to offer the names of “prohibitors” to the database.
Continue reading “What Does HIPAA Have to Do With Gun Control? Maybe More Than You Think.”
Filed Under: Uncategorized
Tagged: Adrianna McIntyre, Gun Control, HIPAA, Mental Health, National Instant Criminal Background Check System (NICS), Patient privacy
Apr 25, 2013
I am affiliated with the institution where Dzhokhar Tsarnaev is currently hospitalized. I am friends with people who have treated him. I’m trying to stay away from those people; I would be unable to help asking them about him. They might be unable to help talking about him. There has been a flurry of emails and red-letter warnings cautioning people here not to talk about Mr. Tsarnaev or look him up on the EMR (Electronic Medical Record) system. Despite this there have been leaks of information and photos from various sources. It is virtually impossible to keep people from asking about him and talking about him. Curiosity is human nature. When human nature comes up against morals and laws, human nature will win a good percentage of the time. The question is: given what he has done, does this 19-year-old still have his right to privacy?
The answer, of course, is yes. The American Medical Association includes patient confidentiality in its ethical guidelines:
“…the purpose of a physician’s ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full and frank disclosure of information…with the knowledge that the physician will protect the confidential nature of the information disclosed.”
There are legal guidelines as well, most notably with the Health Insurance Portability and Accountability Act, or HIPAA. This law was originally passed in 1996 to improve the efficiency and effectiveness of the health care system, allow people to switch jobs without losing their health insurance, and impose some rules on electronic medical information. Congress incorporated into HIPAA provisions that mandate the adoption of the Federal privacy protections for health information. The “simplified” administrative document for the privacy and security portions of HIPAA is 80 pages long. Basically, your health information cannot be shared with ANYONE. Of course, there are exceptions to HIPAA.
Continue reading ““Did You Take Care of Tsarnaev?””
Filed Under: Physicians
Tagged: BIDMC, Boston bombing, EHR, Ethics, HIPAA, Patient privacy, Shirie Leng
Apr 23, 2013
I’m sure you get a lot of hate mail, especially from folks in my profession, so when you got this letter from me you probably assumed it was more of the same. Let me reassure you: I am not one of those docs. I do think patient privacy is important, and actually found you quite useful when facing unwanted probing questions from family members. I believe the only way for patients to really open up to docs like me is to have a culture of respect for privacy, and you are a large part of that trust I can enjoy. Yeah, there was trust before you were around, but that was before the internet, and before people used words like “social media,” and “data mining.”
But there have been things done in your name that I’ve recently come in contact with that make me conclude that either A: you are very much misunderstood, or B: you have a really dark side.
Continue reading “Dear HIPAA: It’s Time to Decide Who You Want To Be”
Filed Under: THCB, The Business of Health Care
Tagged: E-mail, HIPAA, patient health records, Patient privacy, patient-doctor communication, Physicians, practice management, Rob Lamberts, Social Media
Mar 26, 2013
Today I got pretty depressed. I saw a link that 13 tech companies were funding a seminar put on by Deb Peel’s Patients Privacy Rights.org (and no, I’m not helping with a link). It’s a big pity that sensible companies have been pressured into funding that organization, and worse that somehow, despite the gibberish Peel has spoken in so many places, she’s accepted as being the main face of consumer concerns about privacy. Of course I’ve had my say about her in the past. However, I was a little heartened by this Milt Freudenheim NY Times article which, after decrying the “epidemic” of personal health information violations, had both David Brailer and Wes Rishel basically saying, 1) yes, there will be breaches, 2) no, that’s not a reason not to go electronic, and 3) we need a system that bans the illegitimate use of the data–rather than punishes the accidental breach. And no Deb Peel in sight. Well done NYT.
Filed Under: Matthew Holt, micro
Tagged: Patient privacy
May 31, 2011