Editorial: Addressing the HIPAA debacle, Part 2

July 1, 2003

 

Whether you're in private practice or on the faculty of an academic medical center, the new Health Insurance Portability and Accountability Act (HIPAA) should raise concerns because the regulations have the potential to decrease the efficiency of health care. You may find paradoxically that while most of your patients will be apathetic about the regulations, some may seek to abuse the Act's provisions. Regardless of how our patients respond to HIPAA, just implementing it could prove a real administrative headache, particularly for a small practice. Academic medical centers could find that their research and fund-raising activities are adversely impacted. Most distressing are HIPAA's contributions to the "criminalization" of medical practice and the increasing disillusionment of ob/gyns with their chosen profession.

I've already had a taste of HIPAA's potential negative effects. I know of a number of private offices, laboratories, and imaging units that have refused to provide Protected Health Information (PHI) needed for immediate care of patients because the patients had not authorized the release. Although their reticence was well intentioned, it had the potential to compromise timely health-care delivery. At the least, it was frustrating, and it's also just plain wrong. As I noted in Part I of this editorial last month, PHI can be used without specific patient preauthorization for TPO (Treatment, Payment and Health care Operations). For example, it's entirely appropriate for a referring physician's office to give me a patient's maternal serum screening results so that I can better counsel her about her fetus' risk of Down syndrome during a second-trimester "genetic" ultrasound. HIPAA also allows for access to PHI that clarifies why a patient is being referred for a given service (such as a consultation or ultrasound) and for billing and quality assurance, respectively. In any of these situations, delayed transmittal of information could result in a decline in health-care efficiency, physician reimbursement, and continuous quality improvement efforts.

The second area of concern is implementation of the "Notice" requirement. So far, my patients have greeted it with apathy. In a nonscientific sampling, I asked several of my patients if they had read our privacy notice carefully while waiting in the reception area, and none had. I handed another group of patients the notice after they entered my office, provided a detailed description of HIPAA and the reason for the notice, and asked them to take time to read it over carefully before signing. At best, these patients skimmed the 2-page form and they all signed it without uttering a word. But don't be lulled into a false sense of security by this seeming disinterest because HIPAA could open an enormous can of worms for your practice and mine. The Act gives patients the right to obtain their medical records and ask for amendments to them. While many such "amendments" no doubt will be factual corrections, it's possible that a patient will ask for a change that renders the record inaccurate or contradicts clear evidence for a given diagnosis. Taking that thinking to the extreme—and perhaps I'm being paranoid—a patient could even ask for a change that supports planned litigation.

A clinician has the right to deny amendments requested by a patient, but the patient also has a right to a formal appeal. Imagine the time that process could add to an already heavy clinical load, not to mention the growing billing, regulatory, and other administrative paperwork. I may be an alarmist because I see patients from throughout the New York City metropolitan area—a setting not noted for a relaxed, trusting, nonlitigious approach to life—but I do believe this HIPAA provision opens the door to significant mischief.

HIPAA's patient-rights regulations also call for an accounting of certain disclosures you make. You will now have to list all the individuals and entities outside your health-care organization who have seen your patients' PHI for purposes other than TPO and your reasons for giving them this access. Even though you may not have needed patient authorization for a disclosure, you must provide patients with an accounting of PHI provided to government agencies (such as state health authorities, courts, law enforcement agencies, the FDA, and workers' compensation boards), researchers, employers, and business associates (except for TPO). Think of the impact of this provision on a busy practice with an overworked staff and no computerized patient record.

Another potential adverse impact of the Act is the burden it adds to the performance of clinical research. It will now be necessary to obtain a written authorization from every research subject before you use PHI to create or disclose individually identifiable data in your research. The form must include:

  • a detailed description of what PHI will be used or made available for use;

  • who will use/have disclosed the information and any potential for re-disclosure to others not subject to the Privacy Rule;

  • the purpose and duration of the use/disclosure;

  • a statement that the authorization may be revoked;

  • notice that you may or may not condition treatment or payment on the individual's signature;

  • the individual's signature and date.

In certain circumstances—such as impracticality of authorization and a guarantee that PHI will not be reused or disclosed except as required by law—Human Investigation Committees or Institutional Review Boards may approve a request for waiver of the authorization to permit use and disclosure of PHI. A waiver also is possible for authorized oversight of research or when the PHI is limited to the "minimum necessary" standard and there is a minimal privacy risk. On the plus side, HIPAA permits use of PHI for research without authorization if the data have been "de-identified" such that the information is not individually identifiable.

Even when a form is not required, however, the researcher has to provide the caregiver supplying the PHI a copy of the waiver and the caregiver must keep it on file for 6 years. Worse yet, the caregiver must provide the patient with an accounting of the disclosure of this information for research purposes. All in all, HIPAA will provide yet another barrier to the clinical research so badly needed by our field to implement evidence-based care.

Equally concerning to faculty practices based in academic medical centers is the potential adverse impact of HIPAA regulations on fund-raising. Research-oriented academic departments of ob/gyn increasingly have come to rely on philanthropy to maintain their very expensive and often uncompensated research infrastructure. Under the new provisions, physicians will have to obtain authorization from patients before disclosing PHI to development officers. Because I am painfully aware of the reluctance of academic physicians to participate in fund-raising under the most simple and pressure-free of circumstances, I can only imagine the adverse impact of this aspect of HIPAA.

Yet another concern for small practices is the HIPAA regulation specifying your obligation to implement contracts with business associates with whom you share PHI, to hold them accountable for protecting PHI, to proscribe their further use of PHI, and to destroy all PHI within a reasonable amount of time after severing the relationship. Business associates will now have to report any breaches to you, and you are obligated to address such breaches. "Boilerplate" contracts are available from the American College of Obstetricians and Gynecologists and most small practices have a limited number of billing associates (such as billing vendors, accountants, and management service companies), but these provisions create the potential for serious administrative or even legal issues if conflicts arise between you and your business associates over what constitutes a violation.

My last, and potentially most serious, concern with HIPAA is the penalty clause. HIPAA provisions specify a 10-year jail sentence and a $250,000 fine for knowingly disclosing PHI with harmful intent or for profit. Even inadvertent violations can result in fines of up to $100 for each violation, up to an annual limit of $25,000 for identical violations. While the penalties cannot be imposed if the disclosure stems from "reasonable actions" and is corrected within 30 days, the net result is the increasing criminalization of medical practice. From prosecution for Medicare billing errors to alleged clinical negligence, the sight of increasing numbers of physicians going to jail for what could be inadvertent errors creates an environment of fear among physicians and suspicion among patients.

Taken together with declining reimbursements, spiraling professional liability insurance premiums and claims, and ever-burgeoning government and managed-care red tape, HIPAA will add to ob/gyns' growing disillusionment with practice. Some of my friends have accused me of reflexively opposing all forms of governmental regulation of health care, but I firmly believe that the best guarantors of high-quality, compassionate, cost-effective care are physicians who are passionate about their craft and trusted by their patients. I seriously doubt HIPAA will favorably contribute to either of these conditions.

Charles J. Lockwood, MD

Charles J. Lockwood, MD, Editor in Chief, is Anita O'Keefe Young Professor and Chair, Department of Obstetrics and Gynecology, Yale University School of Medicine, New Haven, Conn.

 



Charles Lockwood. Editorial: Addressing the HIPAA debacle, Part 2. Contemporary Ob/Gyn. Jul. 1, 2003;48:12-15.