Blog | Tuesday, January 21, 2014

Should HIPAA compliance guard all protected medical information?

Everyone is familiar with the acronym HIPAA, which is the 1996 edict called the Health Insurance Portability and Accountability Act. Isn’t that a smooth and melodious name?

These are rules and regulations that are designed to protect your confidential protected medical information. I support the mission. I don’t think that your medical records should be deliberately or inadvertently shared with those who are not lawfully permitted to view them.
• Medical charts (remember when there were medical charts?) should not be left open on the counter.
• A physician should not yell to front desk personnel within earshot of others to give the patient a psychiatric referral.
• Elevators are not proper venues to have medical discussions about specific patients.
• Medical information should not be disclosed to inquiring friends and family without permission.

I maintain that HIPAA has been Operation OVERKILL for many physicians and staff. Keep in mind that doctors, at least in my generation, have been imbued with a culture of confidentiality. For me, HIPAA has not changed my personal practices as I’ve always kept protected information private. There are entire industries now whose function is to assure that billing software, electronic medical records (EMR) and various medical vendors are ‘HIPAA compliant’. Of course, I recognize that the EMR era has unique privacy concerns that must be addressed. Yes, privacy and protection are necessary, but HIPAA often extends further than it should and is often the grist for office eye-rolling banter.

But, as is often the case with bureaucratic mandates, common sense is left at the curb. Clearly, there are circumstances where absolute compliance should be relaxed even if this is a technical violation. Do we really want 100% HIPAA compliance? Do we ever want 100% compliance in any sphere? If we insist on a policy of zero tolerance of weapons in our schools, for example, do we support suspending a second grader who fashioned a gun out of a Pop-Tart? Zero tolerance invariably leads to absurd situations.

A woman fell and was sent by her doctor to the emergency room so that ankle X-rays could be done. Fortunately, there was no fracture. Afterwards, the doctor’s staff called the hospital to have the relevant records faxed, but the request was denied. The heavy hand of HIPAA was firmly raised. They would need a signed release by the patient to authorize transfer of records to the very doctor who sent the patient to the emergency room in the first place. The reason given was to be faithful to HIPAA. The woman does not have a fax machine and had to hobble from her condo to the front desk for the signing and faxing ceremony. Luckily, this forced ambulation did not further damage her ailing ankle.

Readers might be wondering how I am knowledgeable about an individual’s private medical information. The patient is my mother. I share the vignette even though I did not obtain her signed release authorizing me to disclose her protected medical information to my millions of readers. I now live in fear that a middle-of-the-night knock on the door will be the HIPAA police. If this blog and its author disappear, then you will know what happened.

This post by Michael Kirsch, MD, FACP, appeared at MD Whistleblower. Dr. Kirsch is a full-time practicing physician and writer who addresses the joys and challenges of medical practice, including controversies in the doctor-patient relationship, medical ethics and measuring medical quality. When he's not writing, he's performing colonoscopies.