Dear HIPAA: It’s Time to Decide Who You Want To Be


I’m sure you get a lot of hate mail, especially from folks in my profession, so when you got this letter from me you probably assumed it was more of the same. Let me reassure you: I am not one of those docs. I do think patient privacy is important, and actually found you quite useful when facing unwanted probing questions from family members. I believe the only way for patients to really open up to docs like me is to have a culture of respect for privacy, and you are a large part of that trust I can enjoy. Yeah, there was trust before you were around, but that was before the internet, and before people used words like “social media,” and “data mining.”

But there have been things done in your name that I’ve recently come in contact with that make me conclude that either A: you are very much misunderstood, or B: you have a really dark side.

The first situation has to do with my newfound infatuation with communication in health care. I believe that the tools afforded by the internet tubes could really change care for the better; in fact, I think they could allow systems of care that could totally disrupt our malignant sick-care, cash-care system. I’ve found ways to communicate that you would approve of and have shared them with my patients. They love it. They love to connect with me while they have problems instead of paying for a visit and waiting in the office for a few hours for my help. It’s been really fun to see their enthusiasm.

So what’s the problem? It’s the doctors. Even though this communication system would allow them to give better care, allow us to collaborate without hassle, and bring back some of that “doctor’s dining room” collegiality we’ve lost, these doctors are afraid to use it. No, they are terrified. Asking them for their email address is taken to be as brash as asking for their credit card number or their wife’s cell phone number. I can see it on their faces: they picture headlines about doctors being sued millions for stolen laptops with patient files on them. They hear the ravings at conferences warning against the use of email for patient communication and the perils of using social media. They see me as a temptress trying to lure them into the dangerous online neighborhood, full of federal agents waiting to pounce, lawyers eager to sue, and journalists anxious to put their photo on the front page of the paper. OK, well, maybe the electronic version of the paper, but I was using a figure of speech. Nobody reads the paper version any more.

The point is, my patients are getting worse care because of this fear. I can’t send a message to consultants explaining why I am sending them the patient, so they make a guess and order extra tests. I can’t put my thoughts together with a colleague on a mutual patient with a difficult problem. All I get are forms to be filled out and faxed (although who knows where that fax has been?) and faxed notes with bits of information hidden under layer upon layer of E/M coding bubble-wrap. It’s worthless. It’s not communication at all, and it hurts my patients.

The second circumstance is more personal. When I got the boo…left my practice last fall, I left behind 18 years’ worth of patient records. Those are records documenting my decisions, my thought processes, and my care of my patients. Sure, they weren’t the prettiest notes around, but they represented a lot of thought and care. As I was heading out on my last day at the practice I was notified that, upon leaving, I would not have access to these records. It seems that, despite the fact that these are records I personally wrote about my own interaction with my patients, I would be violating you if I looked at them. This information is the property of the practice, and allowing someone who was no longer a member of that practice to view them would bring down swat teams of federal agents within seconds. This, at least, was the opinion of the practice’s legal counsel.

Having just gone through a divorce, I had no desire to argue with my ex’s lawyer, so I took it like a soldier. I figured I’d just get information sent to me when I needed it. In fact, I came upon another very secure solution to make this process easy and efficient. But alas, the ex wanted nothing to do with my newfangled way of doing things, instead resorting to the high-risk behavior of faxing records (who knows where those fax machines have been?). As fate would have it, our faxes didn’t get along well, causing them to inundate me with duplicate faxes, a veritable Torrent of TIF’s, a plethora of PDF’s. This has made it next to impossible to get records on my patients, making care of them much, much harder. These are not just any records, they are my records of my care for my patients!

Say it ain’t so, HIPAA!

Do you really keep doctors from their records? Do you really keep patients from good care? Or is this simply a culture of paranoia that has propagated on ignorant doctors by fear-mongering lawyers, lecturers, and office administrators happy for the chance to intimidate the consummate intimidators? Yes, flaunting medical records to anyone who throws you beads is a bad practice that will lead to regret in the morning, but preventing communication kills. I thought better of you. I thought you were there to protect people from careless talk, from snooping employers, and from front-office gossips.

So, I ask, is it you or is it those who wish to slander your name? Are you a tool to protect, or are you a gag in the mouth of good care?

I anxiously await your reply.

Dr. Rob

Rob Lamberts, MD, is a primary care physician practicing somewhere in the southeastern United States. He blogs regularly at More Musings (of a Distractible Kind), where this post first appeared. For some strange reason, he is often stopped by strangers on the street who mistake him for former Atlanta Braves star John Smoltz and ask “Hey, are you John Smoltz?” He is not John Smoltz. He is not a former major league baseball player. He is a primary care physician.

14 replies »

  1. Nicely put Art, everything is in place to do secure encrypted email with attached encrypted files from any point in the Healthcare system to any other point.

    We also do patient referrals, EHR to EHR connectivity, with the same technology.

    I did attempt to get the EHR system that my doctor uses to communicate via encrypted mail instead of a web portal, which I don’t find very useful, and in this case the provider clearly refused, not because there was any HIPAA concern, but due to a contract they had signed with the EHR provider that did the portal.

    Today I got an email message to check the provider portal for a message. Absurd. I don’t remember the login, or the password. If the provider simply encrypted it and mailed it to me, I would just read it and be done. However, they won’t even try.

    No the point is not that HIPAA does not work, or that the technology is not already in place. People who use it find it is a valuable part of their workflow.

  2. Welcome to the Twilight Zone of health care information. I believe your former practice is simply denying you access to punish you for leaving because they can. State medical practice acts generally define who owns the medical records for patients.
    In SC another practice can request a summary by mail or fax for free, but if a patient requests the file they are charged a photocopy fee of about $1 per page. Just another hassle barrier for patients who have the audacity to exercise choice. I encourage folks to maintain their own health records and record as much information as they can, requesting copies of test results directly from the physician and sitting patiently in the exam room until they are delivered. (Slow the flow and watch what happens to make the cranky patient go away…) This is why it is important to save those superbill receipts the girl at checkout gives you. It’s my record and I will share it with whomever I choose.
    Yep it is sad that the fax machine is the symbol of high tech communications in health care. And heaven help you if the toner runs out.

  3. Dr. Rob – great article! The technology is here to allow you to do everything you are asking HIPAA to allow. The issue is that there is a fear that doctors and staff will violate HIPAA’s rules and bring HIPAA related fines and penalties.

    The real issue is education. Doctors and staff have to realize that there are affordable and secure technologies that can easily protect patient information and allow for secure communication. Email encryption is very inexpensive and allows for HIPAA compliant communication. HIPAA smiles upon encryption!

    HIPAA has to stop bringing fear to medical practices and instead bring education that it is possible to communicate via email and patient portals and that communication can be secure and HIPAA compliant.

    Thank you for a very well written article. Let us know how HIPAA responds!

  4. Dude. Welcome to Patient-Ville, which is where, most of the time, we patients are told that we can only get our records via fax.

    Since I personally am living in the 21st century, and do not have an actual fax -machine-, I use a virtual fax service for those rare times when I’m forced to deal with entities who insist on using 20th century tech. Via said virtual fax service, I’ve been inundated with patient-records faxes from a hospital in the midwest (I won’t name it and compound the issue). I’m a small business owner, not located in the midwest but the southeast, and am in no way involved in caring for hospital patients, although I do produce a podcast for the Society of Hospital Medicine.

    I’ve called the hospital on the other end of the fax blizzard innumerable times, and have been told that they’ve fixed the problem, so I won’t get any more TMI/HIPAA violation data dumps from them. That promise holds for about two months … and then the blizzard starts up again. Never the same patient twice. Highly entertaining.

    Meanwhile, I can’t get my own records easily from -any- of the providers I am, or have, received care from to date. HIPAA is always the flag that’s waved in my face when I ask for access to my data in a provider’s EMR.

    To quote Bill the Cat: pfthpht.

  5. Dr. Rob, Thanks for your fascinating in-the-trenches perspectives of HIPAA’s promise and wrath.

    Your letter to HIPAA assumes that there’s someone or something out there that could speak with one, unified voice on behalf of HIPAA.

    Unfortunately, I don’t think that assumption holds up.


  6. Rob,
    Under HIPAA, a provider is permitted (not required) to share PHI with another provider with whom the receiving provider has a care relationship. So, if the only impediment to obtaining records is the uncertainty about the security issues, solving the security issues will solve the problem. The strongest factor (IMHO) pressing most providers to solve the security problems is the various PHI sharing objectives in the MU program. So, maybe, most providers will have and use secure PHI sharing techniques over the next 2-4 years.

    If, however, the impediment today is the source provider’s unwillingness to share PHI with another of the patient’s providers then no provider-to-provider secure technique will cause the PHI to flow to the requesting provider. Providers, under HIPAA, are required to provide records (actually a set of PHI called the Designated Record Set) to patients who demand them- in almost all circumstances. The new Omnibus Rule also implements the HITECH requirement that patients get their PHI in e-form (with various constraints and fuzzy areas). Of course, the MU program also has objectives requiring providers to share PHI with patients. Many people believe (I suspect that you are one) that giving patients access to their records is instrumental in involving patients in their care and thus improving outcomes. Given these advantages, you might consider working with your patients to have them obtain their records (when feasible in e-form) and both provide them to you and make the process itself part of improving outcomes.

  7. It is one more thing. It is one more thing for everybody else too. The combination of email and mobile phones with email and text messages is creating an expectation of on demand instant availability to any and all third parties. Personally, I am one of the worst offenders. If I send you an email at say 8pm, I know you’re not asleep, I know you always have your cell phone on you, I know it makes a dinging sound when an email arrives and I know you look to see what it is. So if you don’t respond in say half an hour or so, I must assume that you did not deem my “communication” to be important enough to break away from your TV or whatever, and this makes me angry. It’s even worse with text messages. Even during business hours, I find email to be disruptive to productivity. I know there are methods to control that, but I haven’t found one that works for me.

    We are all carrying our work in our pocket at all times now. I doubt that this is good for us, and I am not implying that just because we are all compulsive enough to do this, physicians should too. Perhaps with proper boundaries though, like the customer service/support accounts at most companies now, it can be useful in medicine too, particularly if your charts are already electronic.

  8. I don’t think it’s so much skittishness that causes docs to avoid electronic communications, as the fact that it’s just ONE MORE THING (or two or three) to do. It doesn’t replace US mail, faxes, phone calls; it’s just added to them, and introduces more possible sources of mistakes.

  9. If their attorney is worth anything, and I am going to presume he/she is, then it most likely was a smoke screen. If you asked for access to your old EMR, then perhaps they don’t have a way to limit your access to just patients that left the old practice and are now your patients.

    On a more general note, there is indeed a lot of skittishness when it comes to electronic communications. Folks don’t trust this “new” medium just yet, and to be honest, I am not sure I can blame them. There isn’t good understanding of how privacy is protected when the information needs to travel through several IT intermediaries. Fax is a point-to-point solution and this is probably why it is trusted. It also doesn’t help when all these intermediaries get breached once a day and twice on Sunday, and the incessant rhetoric about “liberating” data and using it for “research” doesn’t help either.
    I think the eCW solution is simple and elegant and should alleviate those concerns, but this whole thing is new and we have to put ourselves in the shoes of people who are not technologically inclined and are by nature more conservative than most. It will come. We need to be patient and make sure our ducks are truly in a row.

  10. I think you’re right, Margalit, that this can become a moot point when patients are able to aggregate their information in machine-readable and human-readable format via Blue Button technology. That will allow the patient’s record to be the best source of all their medical information, and hopefully that will allow patients to contribute to that record as well. With security protected, patients can share with other physicians they choose; family members if that would help them; their nurse or social worker who lives next door who volunteers to help with care coordination; a school nurse taking care of a child, including dispensing medications, during the school day. And how about home care nurses and pharmacists? Would communication from them also be useful? Apps will send back objective measurements as well as symptomatic information that can help physicians care for their patients in a more timely way. I don’t think that capability is too far off, but whether it’s accepted by providers is yet to be determined. I for one am hopeful.

  11. Secure emails with patients and secure messages to colleagues are an integral part of my daily work flow as a practicing oncologist. They make sense for everyone (save time, save money, make us feel like we are delivering efficient, modern care) and are HIPAA compliant. I encourage all providers who don’t have access to these modern solutions to push for it, and all patients to demand it. At Kaiser Permanente we made the investment that allows for this technology within our EMR, and many others are doing this as well. It is an investment, but it’s a win-win. @HJamesHamrick

  12. I gave my practice a secure solution to this problem but they opted for the (far less secure) faxing option. I also am asking other docs to use a HIPAA compliant communication tool, not their email. They are not happy to use it, but skittish and wary. All of this comes from the fear of HIPAA, in my opinion.

    The practice DID cite HIPAA as the reason to keep me away from records, not business. I was willing to negotiate access to them for both business reasons and so I could even potentially help them with any questions they had on my more complex patients, but they told me it was “utterly impossible” due to HIPAA. Was that a smoke-screen? I honestly think they are that sophisticated. I really think they felt this was a HIPAA requirement.

  13. Not that I am in any way presuming to speak for HIPAA, but I am not sure that either one of your problems is a direct result of it.

    First of all, since we all love to look at “other industries” for guidance, try to imagine an attorney leaving a practice and asking the old firm for access to all “his” clients records, or an accountant who left to open his own firm, asking for the same. This is business 101 and has nothing to do with HIPAA. On the contrary, HIPAA is actually helping your clients by requiring the previous firm to release those records, and now due to MU, they must be released in electronic format. So that’s better than lawyers and accountants.

    As to email, I would certainly hope that other doctors don’t provide a gmail account for you to send medical records to. Neither you, nor the other doctor are free to feed medical records to the Google search engine without patient consent, so that’s as it should be I think. If both you and the other physician can arrange to have secure email accounts (lots of them out there, some are free, such as your EMR’s fairly new platform dedicated to this activity), then by all means, happy communicating. And that’s all HIPAA says, other than protecting folks from Insurers, of course.