HIPAA: Bad Law or Bad Press?

by Eve B. Scheffenacker

On April 14, 2003, the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) took effect. This rule launched a far-reaching effort that has changed the way health-care providers, administrators, and plans operate. Its purpose is to require any organization that handles personal health information to design its policies and procedures to protect the security of patient data.

Health-care organizations have spent years and as much as $17 billion dollars preparing to comply with HIPAA. The only evidence of that effort that most of us see is the variety of unintelligible privacy notices we've signed since April 14. But for people whose relatives or friends have been hospitalized or under other medical care, HIPAA has created new and frustrating obstacles to taking part in care giving or even paying a visit. These and other glitches have made the news and the e-mail circuit around the country. Thus, this so-called step forward for health-care consumers quickly has gained a bad rep.

How bad is it, really? Can you believe everything--or only--what you read or hear? Does HIPAA protect our health-care information from everyone except the people who treat us and the ones who bill us?

HIPAA's good intentions

The privacy rule was written to increase patients' control over their health information and its use. Under HIPAA, health-care providers and other "covered entities" (health plans and clearinghouses that encode medical data) must get your consent before sharing your health information for any reason besides treatment, payment, and health-care processes. To ensure this privacy, HIPAA requires covered entities to close any procedural loopholes that might give someone unauthorized access to your health data. It also requires all covered entities to use standard procedures for keeping records and filing claims. Finally, HIPAA gives you the right to see your medical records and to add your own comments or corrections to them. (Many, but not all, states allowed this before HIPAA.)

"Overall, this rule is a good thing and an important first step," says Carole Doeppers, a consumer privacy consultant in Madison, Wis. "The health-care community is far more aware of privacy issues than ever before. It is also far more vigilant about protecting its patients' information."

Good intentions gone astray?

Since before HIPAA was effective, however, editorials and news reports have labeled it as a bad thing. Instead of protecting people, the media claims, HIPAA is shutting many of them out--often from information that they or the public needs. News articles include personal stories to make this point, sometimes drawing flawed conclusions to make their claims more dramatic.

For example, reporters no longer can get the names and other information about hospital patients, such as victims of a major accident. Under HIPAA, a reporter must ask for a patient by name. The hospital will provide a general statement about the patient's condition, but only if the patient is in its directory, and the patient may opt out. Editorials say this obstructs the public's right to know. And one article claimed: "If HIPAA had been in effect on Sept. 11, hospitals wouldn't have been able to post victims' names." Not true. HIPAA does not prevent hospitals from releasing relevant information about patients to law enforcement and public health officials, and in cases of public emergency. Also, HIPAA doesn't restrict how reporters can use information they get about the patient. It just forces them to go to a source that's closer to the patient.

Stories abound about hospitals' refusal to share information with members of a patient's family. For example, Linda Napiwocki, Middleton, Wis., is her stepmother's agent for health care. When her stepmother, who lives in Arizona, had emergency surgery, Napiwocki had to consult with the hospital staff about her stepmother's treatment. "At the hospital, the nurses wouldn't talk to me about my stepmother. They said it was against the law [HIPAA], and that they'd be fined thousands of dollars if they did."

This kind of story horrifies anyone who's involved in caring for a relative. The truth is that a provider can share information with a relative, agent for health care, or even close friend that the patient names. The information must be relevant to that person's involvement with the patient's care. Also, though the fines are steep, the risk is minimal. You won't find HIPAA police lurking in hospital halls waiting for a nurse to leak a patient's data. And no one can sue a health-care provider for breaking the law. Health and Human Services will investigate a provider only if it gets a complaint of a major violation.

Here are some other HIPAA misrepresentations in the press and rumor mills:

One relates to the simple act of picking up a prescription at a pharmacy. Contrary to what you might have heard, you can pick up someone else's prescription, even if that person isn't a relative. No ID necessary.

Reports say that covered organizations will recover their costs for HIPAA compliance by charging clients more. In reality, HIPAA forbids providers from passing those costs through to consumers. So relax. You have only the normal double-digit health-care inflation to worry about!

It is true that clergy may run up against HIPAA when they try to visit members of their congregation in the hospital. This is because patients now have to choose not to be listed in the hospital directory. So if a patient objects to being listed, the hospital can't tell anyone that he or she is there--not even the minister. The problem here stems not so much from HIPAA as from hospitals' failure to explain the patients' options.

Is this all HIPAA's fault?

You can blame HIPAA for its monumental complexity. Two years ago, it was difficult, if not impossible, to predict every interaction and situation that the privacy rule would touch. Leaders of covered organizations still say they don't fully understand how HIPAA will "play out." They have based some of their new procedures and policies on educated guesses. And, as in the case of clergy visits, they sometimes lacked foresight.

As for the employees on the front line, their training hasn't always been perfect. So you may meet nurses and other care providers who think they'll be sued if they talk to the "wrong" person.

Think of the first six to 12 months of life with HIPAA as the first few weeks after a restaurant opens. Almost all health-care employees have new routines, techniques, and rules to follow. Be patient with their learning curve. Procedures still may be somewhat fluid, changing as they come up against the reality of explaining things to patients, sharing information, and delivering care. While the dust settles, ask a lot of questions and inform yourself.

December 22, 2003