These days, when it seems we can’t open the news without finding out about another data breach (cue Facebook and dozens of online retailers), it’s a relief to know that personal medical data is fiercely guarded by law.
The right to privacy
Facebook data is one thing, but if someone has undergone a hernia procedure or had prostate issues, or even psychiatric consultations, they would not want that information accessible to just anyone. This is an indisputable entitlement to protect human dignity.
But from a medical business point of view, HIPAA can be challenging. Staff working in medical offices and hospitals are constantly tiptoeing around HIPAA stringencies and there’s a slew of minutiae connected to the law that are easy to inadvertently violate.
Ironically, HIPAA – a law that was technically designed in the best interest of patients – might actually be making caring for patients more difficult and cumbersome than necessary.
Dr. CliffsNotes: A brief history of the establishment of HIPAA
So how did we get here? Today, HIPAA is the poster child for privacy, but when President Bill Clinton signed it into law in 1996, it had little to do with privacy. It was designed to modernize the flow of health information electronically and to limit how health plans could use pre-existing condition exclusions. It was only in the year 2000 that the Privacy Rule, which set standards for what became the now commonly used term “protected health information” (PHI), was added. And it was not until 2003 that the Security Rule established nationwide standards for protecting the confidentiality, integrity, and availability of electronic PHI. Fast forward to 2009, when the notorious Breach Notification Rule came into effect, and finally to the Omnibus Final Rule, which became effective on March 26, 2013. These last two rules have had a drastic impact on the way medical practices and healthcare facilities operate.
Why HIPAA is necessary
With the advent of the internet, and particularly social media, data sharing has proliferated into everyday life. Along with this comes the increased potential of people’s private health information being shared. As of January 2017, there had been around 35 cases of healthcare employees sharing information/photos of patients in embarrassing situations on Snapchat, which is pretty gruesome. Given medical staff’s ability to access this information, there has to be a set of laws and guidelines in place to prevent hospital employees from abusing their positions and their patients.
More than this, hackers’ ability to infiltrate data systems is a serious threat. As technology gets more sophisticated, so do hackers – as is evident from the countless data breaches in the past few years. So while it’s true that stringencies with HIPAA are only increasing, it’s simply in an effort to fend off these types of infringements.
Has HIPAA gone too far?
On the flip side, as HIPAA laws become more and more stringent, it becomes very difficult to access and share important patient information – even in a hospital setting. Yes, even in a hospital (depending on the medical record system used), sometimes only limited patient information can be shared, and when it is shared, it’s often not completely updated – and this can lead to lapses in patient care.
For example, if care workers (nurses, PAs) don’t have access to the patient’s full medical record – including drug information or allergies – they might lack some crucial information necessary to tend to patients effectively. This could lead to wrong or inappropriate medications being administered, re-ordering of tests that may have been performed already, or making treatment decisions without a full picture of the patient’s history.
The HIPAA in the room?
On a day-to-day basis, hospital staff are just trying to do their job and are often hindered by not having access to the information they need. But truth be told, HIPAA is not the only reason.
According to a report in Reuters, as of 2015, fewer than a third of U.S. hospitals can find, send or receive electronic medical records for patients who received care in another institution. So it seems this issue is not exclusively due to HIPAA, but also the lack of interoperability between systems in healthcare across the US. “What this means is there is potentially a significant amount of waste and inefficiency in hospitals,” said lead study author Jay Holmgren of Harvard Business School in Boston. (Ya think!). Efficiency is certainly one issue, but the even larger issue is that staff may not be able to provide first-rate care due to a lack of information they need.
The fact that in 2018, medical records are not always available in a hospital setting and patients or their families have to tote paper copies of their records (which they have to pay for) from doctor to doctor and hope that nothing gets lost on the way, is almost a joke. Surely this is something that should be standard in a country where billions of dollars are spent on healthcare annually.
Dying of privacy? Striking a balance
When the right to privacy can outweigh the ability to provide excellent patient care or even the right to common sense, the question of how HIPAA laws are established needs to be raised. Everyone involved in caring for a patient should be able to access all the information they need to ensure that their care is exemplary.
As technology gains traction in healthcare, it’s no easy feat to strike the fine balance between compromised healthcare and the right to privacy. With our lives being increasingly lived in the open, perhaps it’s time to rethink just what levels of privacy we want, and need, to make sure the laws help rather than hinder treatment.