There are some greedy-butt lawyers out there scare-mongering people into thinking that their life depends on not giving name rank and serial number to anyone; and to telling them that if they do, they can get multi-million dollar settlements out it.
HIPAA's first purpose was to enable hospitals and physician's offices to exchange information on insured patients with the insurance companies so that they could get paid for the work done that was covered by the policies; and to do it in a manner that got the right information associated with the right patient, the right account, and the right policy.
HIPAA's secondary purpose was to protect people's health information from being released to people who didn't have a need for it that wasn't in the patient's self-interest to reveal.
We've seen massive benefits coming out of the human genome project. The return on investment in that has, and will continue, to blow away the few billion dollars invested in it.
The same thing can happen with technology applied to the health care IT stimulus. The capacity exists to greatly reduce medical care errors and oversights, and hence, costs, with a comprehensive, centrally-accessible, well-designed patient medical record.
It needs to be primarily be accessible by the patient, the patient's care giver(s), and the patient's insurance company(s). The patient needs to be able to authorize people to access their record in a timely manner. The system needs to provide secure authentication of the people asking for access to the information.
The secondary purpose of this database is to enable it to be used as a research tool. But it has to be done in a way that won't exploit the people recorded in the database. This research tool will enable us to find better treatment regimens, identify environmental health risks, track epidemics, identify health promoters, and other benefits we can't imagine at this time.
The industry charged with scaring physicians about HIPAA requirements (and avoiding automation like a plague) has gone into overdrive over changes to the law created by the Obama stimulus.
The stimulus, by the way, is now called the American Recovery and Reinvestment Act. The part dealing with health IT is called Health Information Technology for Economic and Clinical Health (HITECH — get it?).
In brief, the new act extends the definition of “covered entities” to include all those a physician’s practice does business with — lawyers, accountants, suppliers, etc.
So if you’re handing your lawyer patient records (as in a malpractice suit) that exchange of data is now covered under HIPAA. They can’t spread it around as part of your defense.
HITECH also tells all “covered entities” they have to notify authorities if data is lost. Previously only Arkansas and California had this requirement — apparently everywhere else doctors were dropping laptops with patient data into trash cans and keeping it a secret.
Needless to say consultants (with dollar signs in their eyes) are in full hair on fire mode. The stim didn’t include money for HIPAA compliance, but these folks are feeling plenty stimuluated nonetheless.
Even David Kibbe (friend of the blog) told a reporter this means small medical practices will “face additional costs for health IT implementation” as a result of all this.
Please.
Are you handing patient records to all and sundry? Are you giving them willy-nilly to your accountant, your lawyer, your suppliers? With names attached? Really?
I doubt it. If you are, shame on you. If not, you don’t have much to worry about here. Don’t start.
As to the notification requirements isn’t that simple common sense? Lose your wallet and you’re going to call the cops — same with your patient records.
HIPAA is not an excuse not to automate. It simply provides the equivalent of a fiduciary duty on anyone dealing with someone else’s personal, private medical records. Most of its provisions are simple common sense.
Even The HealthCare Blog, for which Kibbe writes, has not been at all hair-on-fire over the new rules.
They recently featured a piece by Margalit Gur-Arie saying doctors need to get on board with Electronic Health Records (crediting Kibbe for his help) and another Kibbe-Klepper piece warning that the present health care market is a bubble about to burst.
Nothing there about “don’t automate or the HIPAA will get you.”
Unfortunately an entire industry has developed over the last decade using HIPAA as an excuse to keep automation at bay, and now that industry is baying like mad.
