My patients needed a lot of my time today. They had questions and concerns. They didn't feel well. They were short of breath, had chest pain or diarrhea or influenza or all three. The practice of medicine isn't simple.
As I was going through charts before leaving the office, my partner showed me a story from the newspaper of the American Medical Association, the American Medical News. (None of us is a member of the AMA, but they send us their publications anyway.) According to the piece, the government is going to crack down on physicians with tough new privacy rules. Given that pretty much no one understands anything about our health care system, I went to the government link provided to check out the new rules. I was not enlightened, although if you skip down to page 5,687, you get to some of the meat.
From what I can tell by reading the article and the rules, my practice will be responsible for a risk assessment program for health data. We must regularly check our risk assessment system in some way. And we must hunt down and report any breaches in information security. AND we must somehow ensure that other people who handle our data (the shredding company, etc.) are being careful. I'm not sure if the guy who hauls away shredded records needs to be checked out.
This sounds somewhat reasonable, but it's terribly confusing, and failures can result in fines from $100 to $1 million.
I'm not sure what small practices will do with these rules; probably they'll try their best to understand them and comply, especially given the potential fines, fines that could easily close a practice for good.
If these rules really do hold doctors responsible for mistakes made by the guy who shreds old charts, and require a new level of data security, one with business-endangering sanctions, I'm concerned.
Where do you want your doctor's focus? I spent today in exam rooms, explaining diseases, holding hands, going over risks and benefits of medications. And now I'm looking over new regulations, ones that on their face seem well-motivated but whose implementation may be complicated, to say the least.
As a patient, I want my doctor's attention focused squarely on me. I don't want him spending a lot of time worrying if his storage locker is secure enough, if his "data risk assessment," which is not well defined, is up to date and proper.
If we want doctors to spend time treating patients, laws must be designed so that obeying them isn't costly, confusing, and distracting.
Peter A. Lipson, ACP Member, is a practicing internist and teaching physician in Southeast Michigan. After graduating from Rush Medical College in Chicago, he completed his internal medicine residency at Northwestern Memorial Hospital. This post first appeared at his blog at Forbes. His blog, which has been around in various forms since 2007, offers "musings on the intersection of science, medicine, and culture." His writing focuses on the difference between science-based medicine and "everything else," but also speaks to the day-to-day practice of medicine, fatherhood, and whatever else migrates from his head to his keyboard.