On August 21, 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), a piece of legislation designed to clarify exactly what rights patients have over their own medical information and to specify what procedures are needed to be in place to enforce appropriate sharing of that information within the health care community. According to Richard Sobel of the Hastings Center Report: “This law required Congress to pass legislation within three years to govern privacy and confidentiality related to [a patient’s] medical record. If that action did not occur, then the Department of Health and Human Services (DHHS) was to identify and publish the appropriate legislation. Because Congress did not pass required legislation, the DHHS developed and publicized a set of rules on medical record privacy and confidentiality” that required compliance from most health care providers by April 14, 2003. Since then, the HIPAA legislation has often been referred to as a privacy rule, but in reality it is disclosure legislation that “offers a floor, rather than a ceiling, for health privacy.” As such, the true purpose behind the commitment to patient privacy is to control how patient information is collected and by whom, how and where it will be stored safely for future retrieval, and how health care providers and other health care organizations will use it, ideally on a need-to-know basis only. As Bill Trippe explains the law in an Econtent article, “The key . . . is to provide authorized [health care professionals] with precisely the information they need, when they need it—but only the precise information they need so that [patient] privacy is not compromised.” However, while advances in information technology—specifically database technology—appear to offer the promise of functionality to do precisely that, the sheer number of combinations of users and needs in the provision of health care would seem to exceed even those grand promises. Compare, for example, the patient record needs of a doctor prescribing a specific medication, as opposed to those of a doctor giving a full physical examination. The former might need lab results and any relevant research about the medication; the latter would prefer to have the patient’s full medical history. It may be possible to retrieve that information from one comprehensive database, but if everyone has different information needs, how do you set up that database to restrict access where appropriate under the banner of need to know or to summarize information where needed to maximize patient privacy? The logistical challenges of this scenario are further complicated when you consider that the legislation covers not only patient care but also the administrative aspects of the health care system. For example, Sobel comments that HIPAA gave “600,000 ‘covered entities’—such as health care plans, clearinghouses, and health maintenance organizations— ‘regulatory permission to use or disclose protected health information for treatment, payment, and health care operations’ (known as TPO) without patient consent. Some of these ‘routine purposes’ for which disclosures are permitted are far removed from treatment. . . . ‘Health care operations’ (HCO) include most administrative and profit-generating activities, such as auditing, data analyses for plan sponsors, training of non-healthcare professionals, general administrative activities, business planning and development, cost management, payment methods improvement, premium rating, underwriting, and asset sales—all unrelated to patient care.” HIPAA was enacted to address privacy concerns in the face of increasingly sophisticated database technology that can send your most private information to the other side of the globe in a split second. Ironically, however, many violations of the privacy rule have little connection, if any, with direct patient care and treatment. Consider the following two examples:
1. Patient MW, a victim of domestic abuse, informs [her nurse] that her status as a patient in the hospital must be kept confidential. [The nurse] assures MW that she’s safe and that the staff won’t share information with anyone who inquires about her. [The nurse] informs the unit clerk not to release any information on MW, but fails to remove MW’s name and room number from the assignment board [at the nurses’ station]. Later in the shift, MW’s husband enters the nurses’ station and asks the unit clerk for his wife’s number. The unit clerk, following the nurse’s instructions, states that she has no information on the person named. The spouse, upon looking around the nurses’ station, sees his wife’s name and room number. He rushes to the room and physically abuses her. The unit clerk calls hospital security, which promptly arrives and escorts the spouse off the unit. He’s subsequently jailed for spousal abuse.
2. A member of the electronic medical record (EMR) staff was conducting a training session for resident physicians and medical students at an outpatient facility. . . . The trainer used fictional patient records specifically created for EMR training purposes for the demonstrations and exercises. During the Q&A session one of the residents stated that just that morning he had had problems prescribing a specific medication in the medication module of the EMR, which had created an inaccurate entry in the patient’s electronic chart. The resident asked how he could correct the mistake. Since the trainer knew that many new EMR users had had similar problems with this feature of the EMR, she thought this would be a good “teachable moment.” She asked the resident the name of the patient. She then looked up the patient’s chart and projected the patient’s medication list on the screen for all the class to see. The trainer proceeded to correct the error in the EMR. While the first example represents a clear violation of the HIPAA legislation, since the patient’s room information was publicly accessible simply by visiting the nurses’ station, the situation is not so straightforward in the second example. The residents and medical students being trained were employees of a covered entity, and since training falls under the heading of approved health care operations, no violation occurred. Of course, it is debatable as to whether it was appropriate to display the patient’s records to the entire group rather than helping the one student after the class, since that choice calls into question the issue of using the minimum information on a need-to-know basis. What is clear, however, is that while the purpose of HIPAA may be clearly stated, the interpretation of the legislation lacks the same degree of clarity
1. Is the term privacy rule accurate in describing the HIPAA legislation? Why or why not?
2. Is it ethical for covered entities to be excused from getting patient permission to use their private information forroutine purposes? Why or why not?
3. Based on the limited information in this article, do you think the HIPAA legislation achieves its objective ofpatient privacy?
4. How could this issue of patient privacy have been handled in a more ethical manner?