| HIPAA: Bad Law or Bad Press?
http://hffo.cuna.org/story.html?doc_id=528&sub_id=12433
by Eve B. Scheffenacker
On April 14, 2003, the privacy rule of the
Health Insurance Portability and Accountability Act (HIPAA) took effect.
This rule launched a far-reaching effort that has changed the way
health-care providers, administrators, and plans operate. Its purpose is
to require any organization that handles personal health information to
design its policies and procedures to protect the security of patient
data.
Health-care organizations have spent years
and as much as $17 billion dollars preparing to comply with HIPAA. The
only evidence of that effort that most of us see is the variety of
unintelligible privacy notices we've signed since April 14. But for people
whose relatives or friends have been hospitalized or under other medical
care, HIPAA has created new and frustrating obstacles to taking part in
care giving or even paying a visit. These and other glitches have made the
news and the e-mail circuit around the country. Thus, this so-called step
forward for health-care consumers quickly has gained a bad rep.
How bad is it, really? Can you believe
everything--or only--what you read or hear? Does HIPAA protect our
health-care information from everyone except the people who treat us and
the ones who bill us?
HIPAA's good intentions
The privacy rule was written to increase
patients' control over their health information and its use. Under HIPAA,
health-care providers and other "covered entities" (health plans and
clearinghouses that encode medical data) must get your consent before
sharing your health information for any reason besides treatment, payment,
and health-care processes. To ensure this privacy, HIPAA requires covered
entities to close any procedural loopholes that might give someone
unauthorized access to your health data. It also requires all covered
entities to use standard procedures for keeping records and filing claims.
Finally, HIPAA gives you the right to see your medical records and to add
your own comments or corrections to them. (Many, but not all, states
allowed this before HIPAA.)
"Overall, this rule is a good thing and an
important first step," says Carole Doeppers, a consumer privacy consultant
in Madison, Wis. "The health-care community is far more aware of privacy
issues than ever before. It is also far more vigilant about protecting its
patients' information."
Good intentions gone astray?
Since before HIPAA was effective, however,
editorials and news reports have labeled it as a bad thing. Instead of
protecting people, the media claims, HIPAA is shutting many of them
out--often from information that they or the public needs. News articles
include personal stories to make this point, sometimes drawing flawed
conclusions to make their claims more dramatic.
For example, reporters no longer can get the
names and other information about hospital patients, such as victims of a
major accident. Under HIPAA, a reporter must ask for a patient by name.
The hospital will provide a general statement about the patient's
condition, but only if the patient is in its directory, and the patient
may opt out. Editorials say this obstructs the public's right to know. And
one article claimed: "If HIPAA had been in effect on Sept. 11, hospitals
wouldn't have been able to post victims' names." Not true. HIPAA
does not prevent hospitals from releasing relevant information about
patients to law enforcement and public health officials, and in cases of
public emergency. Also, HIPAA doesn't restrict how reporters can use
information they get about the patient. It just forces them to go to a
source that's closer to the patient.
Stories abound about hospitals' refusal to
share information with members of a patient's family. For example, Linda
Napiwocki, Middleton, Wis., is her stepmother's agent for health care.
When her stepmother, who lives in Arizona, had emergency surgery,
Napiwocki had to consult with the hospital staff about her stepmother's
treatment. "At the hospital, the nurses wouldn't talk to me about my
stepmother. They said it was against the law [HIPAA], and that they'd be
fined thousands of dollars if they did."
This kind of story horrifies anyone who's
involved in caring for a relative. The truth is that a provider can
share information with a relative, agent for health care, or even close
friend that the patient names. The information must be relevant to that
person's involvement with the patient's care. Also, though the fines are
steep, the risk is minimal. You won't find HIPAA police lurking in
hospital halls waiting for a nurse to leak a patient's data. And no one
can sue a health-care provider for breaking the law. Health and Human
Services will investigate a provider only if it gets a complaint of a
major violation.
Here are some other HIPAA misrepresentations
in the press and rumor mills:
- One relates to the
simple act of picking up a prescription at a pharmacy. Contrary to what
you might have heard, you can pick up someone else's
prescription, even if that person isn't a relative. No ID necessary.
- Reports say that
covered organizations will recover their costs for HIPAA compliance by
charging clients more. In reality, HIPAA forbids providers from passing
those costs through to consumers. So relax. You have only the normal
double-digit health-care inflation to worry about!
It is true that clergy may run up against
HIPAA when they try to visit members of their congregation in the
hospital. This is because patients now have to choose not to be listed in
the hospital directory. So if a patient objects to being listed, the
hospital can't tell anyone that he or she is there--not even the minister.
The problem here stems not so much from HIPAA as from hospitals' failure
to explain the patients' options.
Is this all HIPAA's fault?
You can blame HIPAA for its monumental
complexity. Two years ago, it was difficult, if not impossible, to predict
every interaction and situation that the privacy rule would touch. Leaders
of covered organizations still say they don't fully understand how HIPAA
will "play out." They have based some of their new procedures and policies
on educated guesses. And, as in the case of clergy visits, they sometimes
lacked foresight.
As for the employees on the front line, their
training hasn't always been perfect. So you may meet nurses and other care
providers who think they'll be sued if they talk to the "wrong" person.
Think of the first six to 12 months of life
with HIPAA as the first few weeks after a restaurant opens. Almost all
health-care employees have new routines, techniques, and rules to follow.
Be patient with their learning curve. Procedures still may be somewhat
fluid, changing as they come up against the reality of explaining things
to patients, sharing information, and delivering care. While the dust
settles, ask a lot of questions and inform yourself.
|
