From the Editor

HIPAA: The good, the bad, and the ugly

Author and Disclosure Information



As physicians scrambled to comply with the recent HIPAA deadlines, some existing concerns were brought to the surface (Is it appropriate to speak with the patient’s significant other about her health?), while the predictable question held the limelight: Is HIPAA worth all this trouble?

Now, we’re experiencing what we’ve warily anticipated since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was enacted.

In passing this landmark law, Congress set its sights on noble goals: to provide greater access to seamless health care, to protect the privacy of health-care data, and to promote the standardization of electronic transactions in the health-care industry.

However, the government’s attempt at “administrative simplification”—as HIPAA’s Title II has been dubbed, in a tribute to bureau-crat-speak—is likely to complicate the work of all clinicians and strain the foundation of patient care: the physician-patient relationship.

The good: HIPAA’s worthy goals

Title I of the 2-part HIPAA attempts to protect health-insurance coverage for workers and families when they change or lose their jobs. Title II, meanwhile, aims to standardize electronic transactions and code sets, implement privacy and security requirements, and establish a federal system that assigns unique identifiers to every health-care provider, insurer, and patient.

These imperatives would improve our ability to provide the best of care, and merit our earnest efforts.

The bad: New tensions in the doctor-patient trust

A core principle in any therapeutic clinical relationship is trust among the patient, family, and physician. While HIPAA’s privacy and security requirements are intended to increase and solidify this trust, the secrecy likely to result from the act’s strict implementation could actually strain this fragile relationship.

For example, now that HIPAA’s privacy and security rules are being implemented, in many hospitals, family members have arrived to visit a loved one, only to be turned away by nurses fearful of revealing protected information (the patient’s location in the hospital, diagnosis, condition) without explicit permission from the patient. Thus, adding to every physician’s multiplicity of daily concerns will be the persistent worry, “Who can have access to what information?”

Many doctors will likely limit their personal interaction with the patient’s loved ones and seem more guarded when they do try to communicate—and the outcome may be less trust between families and physicians.

The ugly: Complexities, criminal penalties

In one respect, HIPAA might be aptly retitled “An Act to Ensure the Full Employment of Lawyers.” The legislation is so complex that health-care providers, insurers, the government, and possibly even patients will need expert administrators and lawyers to help guide their actions.

Providers must now assign responsibility for information security to someone in their office or hire a security consultant and implement a security-management program. In addition, every practice is required to develop a privacy policy, communicate that policy to every patient, and appoint a privacy officer to field patient complaints. The American Hospital Association expects that HIPAA compliance will cost providers $22.5 billion over the next 5 years.1

Most outrageous and unnecessary are both existing civil penalties and the proposed increase in criminal penalties for clinicians convicted of releasing protected information. According to current legislation, transgressions such as billing errors are not illegal unless it is proven that the clinician acted “willfully and knowingly.” However, some legislators are trying to weaken this evidentiary standard, exposing more clinicians to legal sanctions.

Any law that turns large numbers of ordinary citizens into criminals is likely to cause serious problems.

More good than bad, overall?

Of course, there are upsides to this legislation:

Increased awareness. HIPAA has certainly made clinicians more sensitive to their responsibility to protect patients’ medical information.

Streamlined insurance claim system. In what will likely be HIPAA’s most important immediate improvement, it may simplify interactions between health-care providers and the insurance industry. HIPAA has promulgated 10 National Standards for Electronic Data Interchange for the transmission of health-care information. These include standards for eligibility and response times, referral certification and authorization, claims and encounter information, payment and remittance advice, and claims status.

As a result, when HIPAA is fully implemented, there will be 1 standard form for submitting claims—compared to the 400 different insurance claim forms in use previously. This change, at least, will likely save administrative work in doctors’ offices.

Privacy assurance adapted to the electronic age. Of course, the issue of privacy itself cannot be overlooked. HIPAA’s security and privacy provisions are necessary to help safeguard health information housed on computers and accessed through the Internet.

When medical records are stored and transmitted in electronic form, the risk for unauthorized access is higher than with paper records. The “low-tech” nature of medical records handwritten by physicians ensured a measure of privacy. Such records are largely illegible and often cannot be clearly interpreted, even by other doctors, and are therefore of inconsistent utility. The need to physically find and photocopy handwritten records stored in locked file cabinets poses another deterrent. Health information that is neatly typed and saved to a central computer server offers much greater potential for access by hackers and other evildoers.

Next Article: