
What HIPAA Has Wrought

New and Old Complaints against the Privacy Rule
August 6, 2019

America pays more per person for healthcare than any other high-income country, but we have worse health outcomes, including lower life expectancy. This sad fact is indisputable; the question is why the apparent paradox is the case and what we can do about it. On that score, there is a lot of disagreement and head scratching.

One thing that might help is to use the massive amounts of health data we already have to understand on whom we are spending all that money and why they are not doing better. Now that we have electronic health records (EHRs), the kind of big data scientists need exists: data that can identify which people are most at risk for poor health outcomes and for generating very high healthcare costs. Those datasets can be de-identified, that is, stripped of names and of the other identifiers that could be tied back to a person (under HIPAA, either the eighteen "Safe Harbor" identifier categories, or whatever an expert determines is needed to make the risk of re-identification very small), and then transmitted to experts in population health. By doing this, we might be able to develop ways of helping the sickest among us without breaking the bank.

Unfortunately, there are serious obstacles to obtaining and using large datasets that can be taken from EHRs and other sources. One of them is something called HIPAA. If you have any role in healthcare you’ve heard about HIPAA. Throughout the halls of hospitals, clinics, and physicians’ offices the word “hipaa” strikes fear and terror. Accusing a healthcare provider of a “hipaa” violation is terrifying. Because of this abject fear, clinicians often refuse to do something with the breathless explanation that “hipaa won’t allow it.” Law firms make a fortune telling hospital administrators the trouble they can get into by crossing “hipaa” and an industry has grown up designed to keep healthcare organizations on “hipaa’s” right side.

So who is “hipaa” and why is he/she so scary? Of course, it’s not a person, but a 1996 federal law, the Health Insurance Portability and Accountability Act (HIPAA, often mis-abbreviated for some reason as HIPPA, perhaps because that makes it sound like a large and dangerous animal, the hippopotamus).

When President Clinton signed HIPAA in 1996 it had two main aims: to protect insurance coverage for workers who lose or change jobs, and "to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions". It had five titles, one of which (Title II) directed the Department of Health and Human Services to write seemingly innocuous privacy and security rules governing how an individual's protected health information (PHI) may be used, and how it must be safeguarded when healthcare organizations transmit it to health insurers and other payers and administrative organizations. The resulting "Privacy Rule," which took effect in 2003, was intended to ensure among other things that insurers cannot obtain information that might jeopardize eligibility for health, life, or disability insurance without first getting the applicant's authorization.

The Privacy Rule gives everyone a right of access to their own medical records, and it requires written authorization before PHI is disclosed for purposes outside treatment, payment, and healthcare operations, for example to a life or disability insurer, an employer, or a marketer. That is a very reasonable protection. There is widespread agreement that we should all have a say in who gets to see our medical records.

An Obstacle to Using Big Data

HIPAA has, however, had the unforeseen negative consequence of creating impediments to scientific progress that are becoming apparent as healthcare technology advances. Recently, in an op-ed piece in the New York Times, Luke Miner, a data scientist, detailed his own experience trying to develop an artificial intelligence app that would tell people “whether their symptoms were severe enough to warrant a trip to the doctor”. He notes that artificial intelligence requires “a lot of data” and that despite months of effort trying to get anonymized data to build his app, privacy laws blocked his way and he abandoned the project. “The scarcity of healthcare data imposes a significant cost on society,” Miner wrote. Artificial intelligence “has the potential to advance medicine across a broad range of subfields…Much of the progress in these areas, and many others, is at the very least slowed by the lack of data.” HIPAA, Miner insists, looms as a major barrier to that progress: “one of the main effects of the law has been to make it much harder for doctors and hospitals to share data with researchers.”

People want to use apps and mobile devices that can collect physiological data and alert them and their doctors if something is wrong, but HIPAA rules make developing them difficult. (image: Shutterstock)

Miner’s concerns echo long-standing assertions by medical scientists that HIPAA inhibits the free flow of data necessary for the kind of research we need to understand where all the money is going in American healthcare. Basically, this requires taking large amounts of population health data and calculating who is generating the highest healthcare costs. The next step is to determine the characteristics of these people: do they lack financial resources to obtain medical care, for example, or are their medical problems more severe than average? With that information, we should be able to develop strategies to direct help to people at risk for both poor medical outcomes and high healthcare costs. By helping them before they require expensive services, like hospitalization and emergency department visits, we can both improve the health of people at risk and lower overall healthcare spending. 

Obviously, scientists cannot get written authorization from thousands (sometimes millions) of individuals in order to use their data for projects like this. The Privacy Rule does not require them to: data that has been properly de-identified is no longer PHI and falls outside the Rule entirely, and the Rule also provides for "limited data sets" released under a data use agreement and for waivers of authorization granted by an institutional review board or privacy board. In practice, though, a dataset that has merely had names removed rarely meets the de-identification standard, and researchers who ask for such data are often refused in HIPAA's name. If scientists cannot get the data they need, progress in solving America's healthcare problems will be harder to accomplish.
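The de-identification that the earlier paragraph on scrubbing EHR extracts and the paragraph above both depend on is more than deleting a name column. The following Python is an added example, not code from the original article or from any project it mentions: it applies Safe Harbor-style rules to a few constructed records, dropping direct identifiers, reducing dates to the year, aggregating ages of 90 and over, truncating ZIP codes to three digits (with the sparsely populated prefixes HHS lists reduced to 000), and checking free-text fields for leaked phone numbers, SSNs, e-mail addresses and full dates. The field names, sample rows, reference date and regex patterns are assumptions made for the example; the ZIP prefix list is the one HHS derived from the 2000 Census and should be checked against current guidance before use.

```python
"""Safe Harbor style de-identification of a constructed patient extract.

Added example, not from the original article. Field names, sample rows and
the leak patterns are assumptions; the ZIP list should be verified against
current HHS guidance.
"""
import re
from datetime import date

# Fields holding direct identifiers (Safe Harbor categories such as names,
# SSN, medical record number, phone, e-mail, account numbers, addresses).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "ssn", "mrn", "phone", "email", "health_plan_id",
    "account_number", "street_address", "device_serial", "ip_address",
})
# Dates tied to the individual: only the year may survive.
DATE_FIELDS = frozenset({"admit_date", "discharge_date", "death_date"})
# Three-digit ZIP prefixes with under 20,000 residents (HHS list based on
# the 2000 Census); Safe Harbor requires these be reported as "000".
SMALL_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
})
# Identifiers that commonly leak through free-text fields such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}
AS_OF = date(2019, 8, 6)  # constructed reference date for computing ages


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for sparsely populated areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def generalize_age(dob: str, as_of: date) -> str:
    """Age in whole years; 90 and over collapses into a single bucket."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def find_leaks(text: str) -> list:
    """Names of the identifier patterns found in a free-text value."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


def deidentify(record: dict, as_of: date) -> tuple:
    """Return (de-identified record, list of free-text fields dropped for leaks)."""
    out, leaks = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # dropped outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            out["age"] = generalize_age(value, as_of)  # no birth date, no birth year
        elif field in DATE_FIELDS:
            out[field[:-5] + "_year"] = date.fromisoformat(value).year
        elif isinstance(value, str) and (found := find_leaks(value)):
            # Pattern matching is incomplete, so leaky free text is dropped, not "fixed".
            leaks.extend(f"{field}:{name}" for name in found)
        else:
            out[field] = value
    return out, leaks


def deidentify_dataset(records: list, as_of: date) -> tuple:
    """De-identify every row; report which rows lost free-text fields and why."""
    rows, all_leaks = [], {}
    for index, record in enumerate(records):
        row, leaks = deidentify(record, as_of)
        rows.append(row)
        if leaks:
            all_leaks[index] = leaks
    return rows, all_leaks


# Constructed sample rows; no real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Q. Doe", "mrn": "A1234567", "dob": "1927-03-15", "zip": "03601",
     "admit_date": "2019-06-02", "diagnosis": "I50.9",
     "notes": "Daughter reachable at 603-555-0142."},
    {"name": "John Roe", "mrn": "B7654321", "dob": "1980-11-30", "zip": "10001",
     "admit_date": "2019-06-03", "diagnosis": "E11.9",
     "notes": "Stable on metformin."},
]

if __name__ == "__main__":
    rows, dropped = deidentify_dataset(SAMPLE_RECORDS, AS_OF)
    for row in rows:
        print(row)
    print("free text dropped for leaked identifiers:", dropped)
```

Two design points matter for a practitioner. First, Safe Harbor also requires that the releasing organization have no actual knowledge that the remaining fields could identify someone, so a rare diagnosis combined with a three-digit ZIP and an age may still need expert review even after this transformation. Second, free text is the usual leak path; the example drops a note that matches any pattern rather than redacting it in place, because a regex that misses one identifier format silently ships PHI.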

HIPAA also stands in the way of developing technologies that will help people determine for themselves if they need medical help before their conditions deteriorate. Two researchers advised in an article in the Journal of the American Medical Association that “The Department of Health and Human Services may need to reevaluate and adapt its regulations to keep up with the advent of new mobile technologies and take a more progressive and innovation-friendly approach to privacy and security”. People want to use apps and mobile devices that collect physiological data, like heart rate and electrocardiogram tracings, that can tell them if something is wrong and even transmit their data immediately to their doctors. To develop these devices, we will need to access huge amounts of PHI. Currently, HIPAA stands in the way.

Say Nothing

In addition to creating roadblocks to research, HIPAA has produced some very curious behavior on the part of healthcare professionals that can also get in the way of optimal healthcare. Over the years there have been numerous additions and clarifications to the original HIPAA legislation, and the statute together with its regulations now runs to over 500 pages laced with technical jargon. Unable to understand much of it themselves, doctors and nurses are ripe to succumb to all kinds of rumors about what HIPAA says. It thus came to be believed by many healthcare providers that they were forbidden to tell anyone anything about their patients' health conditions.

The HIPAA law is now over 500 pages of technical language that terrifies healthcare providers (image: Shutterstock)

In the old days, before HIPAA, if your family doctor wanted you to see a cardiologist for a consultation about a suspected heart problem, he or she would pick up the phone and call the cardiologist and describe your problem and the reason for the consultation request. Then, after seeing you, the cardiologist would likely call your family doctor and explain his or her findings.

But doctors became frightened that transmitting that information without written consent would be a “HIPAA violation.” Consent forms carefully crafted by specialized law firms came into being and patients began being asked to sign them every time they saw a doctor, agreeing to allow the doctor to talk to other doctors. Sometimes, the invocation of HIPAA became almost silly, as doctors on rounds in the hospital started worrying that it might be a HIPAA violation if the person in the next bed heard them talking about a person’s condition. Rounds began being conducted at bedside in whispers or in the hallway. That way, the patient in a nearby bed cannot hear what the doctors and nurses are saying, but of course neither can the patient about whom they are talking.

Physician Allen Weiss collected a number of absurd invocations of HIPAA. He noted that because the definition of what constitutes a Privacy Rule violation is vague, "it is no wonder that many health care providers were driven by paranoia" to the kinds of absurdities in behavior he identified.

Incorrect interpretations of HIPAA have the potential to be worse than just silly; they can be dangerous, as when a patient's regular doctor refuses to talk to emergency department doctors and nurses about a patient in an urgent situation because the patient hasn't "consented." The patient might be unconscious, and the emergency department staff might simply want to know whether the patient has an ongoing condition that could explain it. All of this ignores what the Department of Health and Human Services actually says: the Privacy Rule applies only to "health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically", and for those covered providers it expressly permits using and disclosing PHI for treatment without the patient's authorization. It likewise allows a provider to share relevant information with a family member or friend involved in the patient's care when the patient does not object, or is incapacitated and the provider judges the disclosure to be in the patient's best interest. HIPAA does not, in fact, prohibit doctors from sharing information with each other, or with families in an emergency, without consent. But fear of HIPAA has driven healthcare providers to such mistaken notions and to the unfortunate behavior that follows from them.

There are many positive aspects of the HIPAA rules. The Security Rule sets standards for the secure electronic storage and transmission of health records, and the penalties for breaches that expose the health information we have a right to expect to be kept private can run to over a million dollars. The rules also punish healthcare workers who snoop into the health records of patients they aren't taking care of themselves, sometimes out of idle curiosity but other times to sell health information about celebrities to the media.

Laws with good intentions, however, often take on a life of their own, both in reality and in interpretation. In many medical circles HIPAA has led to the blanket belief that the safest approach is "Don't tell anyone anything and stay out of trouble". The refrain "I can't do that because of HIPAA" is all too often used, usually incorrectly, to keep doctors from talking with each other or with patients' family members, even when they know the patient would welcome such communication. Healthcare providers do not understand the law well enough, in part because lawyers and hospital administrators persist in detailing the penalties (huge fines and jail time) they will face if they commit a "HIPAA violation." No one tells young doctors, "Here is what you are allowed to do."

Both physicians and their patients seem to be complaining more and more that healthcare is becoming impersonal. Doctors and other healthcare providers feel trapped behind computers as they try to cope with the ever-increasing demands of EHR technology. They are also compelled to spend endless hours justifying the prescriptions they write to health insurance companies because of the prior authorization rules, which we have written about earlier. Patients feel that doctors have no time to listen to them, even though studies show that listening improves healthcare outcomes.  HIPAA may be another contributor to this problem.

HIPAA began with good intentions and the 2003 Privacy Rule was really intended as a much needed protection of our privacy. It still is; without HIPAA we could return to the days when doctors openly discussed patient information with each other on the elevator, intrusive family members were given information that patients wanted to keep private, and health insurance companies bullied healthcare providers into releasing information to which they shouldn’t have access.

But revisions to the HIPAA rules are now clearly necessary. We need to make it practical for scientists to obtain and use large sets of properly de-identified healthcare data. At the same time, it would be a good idea to start giving healthcare workers lectures on what HIPAA does not prevent them from doing. HIPAA has negative consequences on both large and small scales. Remedies are urgently needed.
