Available at 
Tweet
Here is an article I saw on HIPAA... Thought it was interesting given some earlier discussion about the topic. I was surprised at how the law has been so misconstrued in some cases!
Craig is 200 miles west of Denver on what is still called Colorado's frontier. It is a community small enough that many people use family names or landmarks like the Smith place rather than street addresses to describe where their neighbors live.
That seemed to be merely a rural custom in the town of 9,189 until the U.S. government's new law designed to keep medical records private took effect in April. To protect the privacy of those needing medical help, 911 dispatchers stopped mentioning residents' names in radio calls to emergency response teams. That made it more difficult for the teams to find addresses.
Craig resident Joanne Lighthizer says that on June 9, she watched helplessly as emergency crews stopped nearby to ask for directions while her neighbor, Francis Moore, lay dying from a heart attack in his backyard. He was 54. "We could see them going to the other houses," Lighthizer says. "One of my neighbors told me they went to her house and asked where the address was. She said, 'If you tell me the name, I can tell you where it is.' And they said they couldn't. We waited and waited. I've never been so frustrated."
To Lighthizer, the incident was a dramatic example of the widespread confusion created by part of the Health Insurance Portability and Accountability Act (HIPAA), which set a national standard for medical privacy by making the unauthorized release of medical information a crime. In thousands of instances, the law has been interpreted in extreme and often incorrect ways that critics say have been impractical at best and nonsensical at worst.
The law, which is more than 500 pages, also has sent ripples through the medical community by forcing doctors and hospitals into expensive changes in record-keeping and other routines. The law's rules, or misinterpretations of them, have angered doctors and patients and led some members of Congress to wonder whether their quest to protect patients' privacy went too far.
In Craig, it's unclear whether medics would have been able to save Moore if they had reached him sooner. A representative of the emergency crew says there was no delay in getting to Moore. A sheriff's deputy who inquired about Moore's address at a neighbor's house did not respond to requests for an interview. But the new privacy law actually does not prevent 911 dispatchers from using residents' names in radio calls, and officials in Craig now have dropped the addresses-only policy.
Craig wasn't the only town where officials initially misread the law, which critics say is vague and difficult to understand. Overreaction to the law has caused much of the confusion.
"One of the main sources of medical errors is poor communication," says Deeb Salem, a cardiologist in Boston. "HIPAA is another barrier to communication. The principles, the ideals are fine. The cost of chaos, money and possible patient injury have not been taken into account."
The HIPAA was passed by Congress in 1996 to allow patients easier access to their medical records and to limit others' ability to get such information. It took the government seven years to write the regulations for enforcing the law.
Richard Campanelli of the U.S. Department of Health and Human Services (news - web sites) says the law requires that "reasonable safeguards" be taken to protect patient information. "The two goals here were to protect privacy of patient information and to do so in a way that does not impede access to quality care," says Campanelli, director of the department's Office of Civil Rights.
The privacy provision applies to hospitals, doctors, pharmacists and health insurers, and was designed initially to protect computerized medical records and billing. But it has been interpreted much more broadly.
Thousands of doctors, for example, have stopped sending out appointment-reminder postcards, figuring the cards could be read by someone other than the patient. Some doctors have stopped leaving messages on patients' telephone answering machines, fearing that other family members might listen to them. Wives have been told they no longer could verify dental appointments for their husbands.
Such postcards, phone calls and spousal verifications are allowed under the law, Campanelli says.
Meanwhile, some hospitals stopped providing information to patients' family members and clergy. Some weekly newspapers stopped publishing birth announcements because hospitals stopped providing the names. In a few cases, new privacy policies at hospitals have stymied police trying to investigate crimes.
Dean Akings, the police chief in Great Bend, Kan., could not get information about the medical condition of two murder suspects who were wounded in a shootout May 9. The hospital, 120 miles away in Wichita, also refused to say when the suspects might be discharged.
"Our dilemma was, we didn't want our suspects getting away," says Akings, who asked Wichita police for help. "It worked out, but it was just such a hassle."
Refused data on donated heart
The law does not prohibit hospitals from providing names and basic information about patients, Campanelli says, and it allows hospitals to release information to police to help investigations.
But even Janlori Goldman, director of the Health Privacy Project, a consumer group in Washington, D.C., that pushed hard for the law, learned firsthand how some hospitals have misread the law.
When Goldman's cousin was rushed unconscious to a hospital in Bethesda, Md., the hospital refused to give relatives any information or even confirm that the cousin was there.
"I had worked on getting a medical privacy law for 10 years," Goldman says. "And here I was ... getting cell phone calls from family and friends who said the hospital won't give out the room number."
But, she says, "we need a privacy law because people are afraid to go to the doctor or be honest with (doctors) for fear that sensitive medical information will be used to deny them jobs or their ability to get benefits."
The law has led some hospitals to restrict exchanges of information with other treatment facilities.
Salem, a cardiologist at Tufts-New England Medical Center, was treating a heart-transplant patient in June when Salem was told that the donor had bacteria in his blood. Salem needed to know what type of antibiotic to prescribe to the heart recipient. But the hospital that supplied the heart refused to identify the bacteria, saying that would violate the donor's privacy. So Salem treated his patient with several antibiotics.
"That was the one that blew my stack. I wrote a letter to the editor of the New England Journal of Medicine (news - web sites)," says Salem, chairman of the department of medicine at Tufts University School of Medicine. "I ended up getting e-mails from California to New York from physicians saying that we are seeing this ourselves."
Judith Tintinalli, chairman of the emergency medicine department at the University of North Carolina-Chapel Hill, says doctors no longer discuss treatments among themselves via e-mail because of HIPAA. "There is virtually nothing in writing and nothing in e-mail," she says. "I don't think that's meant by HIPAA, but that's how people have interpreted" it.
Such e-mails are, in fact, allowed under HIPAA, with "reasonable and appropriate safeguards."
Tintinalli adds: "One of our jobs is doing SARS (news - web sites) surveillance. We're very limited in that. Although we might want to know who might have SARS, HIPAA won't allow you to know who that patient is."
In the medical community, there is rising concern about the cost of complying with the privacy rules, too. Many doctors say the government has issued a mandate without providing funds to pay for it.
Blue Cross estimates the cost of complying with the privacy law at about $43 billion over five years to cover new staffing, computer software and paperwork.
A group of 660 physicians in Wisconsin spent $75,000 on paper, printing, mailing and handling privacy notices for 200,000 patients. A 145-bed hospital in Concord, Mass., calculated that each year it will have to document more than 300,000 disclosures of protected information.
"Did we really need to regulate every last detail of this?" asks Mary Grealy, president of Healthcare Leadership Council, a coalition of CEOs of leading health-care companies, hospitals and universities. "Think of how many physician office visits there are, how many prescriptions are filled, how many hospital visits there are. There are billions. All of those have to be addressed in some way."
Is new law 'overdue or overkill'?
Few disagree with the need to protect patients' privacy. The question is, how?
Congress couldn't agree on how to impose the privacy rules and had the Department of Health and Human Services write them.
After the final version took effect on April 14, the department was inundated with questions about how to interpret the law. Campanelli's office has spent months trying to guide the public and the medical community through the confusion. Answers to frequently asked questions are posted at http://www.hhs.gov/ocr/hipaa.
"Many of the misconceptions, they're not a problem with the rule, they're misconceptions, and we're seeing them cleared up," Campanelli says.
He says the privacy law:
Does not prevent doctors or hospitals from sharing information with other doctors or hospitals in order to treat their patients.
Allows hospitals or doctors to share information with the patient's spouse, family members, friends or anyone the patient identifies is involved in their care.
Does not prevent hospitals from disclosing names to clergy or from keeping patient directories. It does not require patients to sign up to be included in the directory, but it does allow patients to "opt out" and not be listed.
Does not apply to most police or fire departments; they may release names and information about accident victims, homicides and other incidents. HIPAA does limit the information that emergency medics may disclose.
Still, some say the fine print seems contradictory. Doctors say their lawyers tell them the law can be interpreted several ways.
"I hired an attorney who does nothing but this," says Michael Fleming, a doctor in Shreveport, La., and president of the American Academy of Family Physicians (news - web sites). He adds the rules are both confusing and maddeningly specific. "They are very picky, all the way down to the size that you have on your printed pieces of paper that your patients have to read and sign."
Campanelli says some of the confusion has arisen because some hospitals or doctors have chosen to go further than the law requires to keep information secret.But others say fears of violating the law prompted overreactionsto it.
"We've moved into the era of hyper-compliance," Grealy says. "People are so worried about the government coming after them, the pendulum has swung in the opposite direction."
Fines for criminal violations, in which a person knowingly obtains or discloses health information in violation of HIPAA, can be as much as $250,000. Civil penalties for unintentional violations range from $100 for an inadvertent disclosure to $25,000 for failure to comply with the law.
Last month, Sen. Larry Craig (news, bio, voting record), R-Idaho, chairman of the Senate Special Committee on Aging, held a hearing to examine whether the new law is "overdue or overkill."
"A kernel of congressional intent has grown into a towering tree of regulatory complexity," Craig said.
On Sept. 30, Colorado Attorney General Ken Salazar issued his interpretation of HIPAA at the request of the Colorado State Patrol. In the meantime, the State Patrol, which operates the 911 center in Craig for Moffat County, Colo., recommended that dispatchers be practical and use residents' names in emergency calls if necessary.
Jim Wolfinbarger, Colorado State Patrol spokesman, says he hopes the attorney general's opinion will encourage common sense in dealing with the new law. "It's going to take a while to get back to a reasonable exchange of information," he says. "There's no magic answer."
That seemed to be merely a rural custom in the town of 9,189 until the U.S. government's new law designed to keep medical records private took effect in April. To protect the privacy of those needing medical help, 911 dispatchers stopped mentioning residents' names in radio calls to emergency response teams. That made it more difficult for the teams to find addresses.
Craig resident Joanne Lighthizer says that on June 9, she watched helplessly as emergency crews stopped nearby to ask for directions while her neighbor, Francis Moore, lay dying from a heart attack in his backyard. He was 54. "We could see them going to the other houses," Lighthizer says. "One of my neighbors told me they went to her house and asked where the address was. She said, 'If you tell me the name, I can tell you where it is.' And they said they couldn't. We waited and waited. I've never been so frustrated."
To Lighthizer, the incident was a dramatic example of the widespread confusion created by part of the Health Insurance Portability and Accountability Act (HIPAA), which set a national standard for medical privacy by making the unauthorized release of medical information a crime. In thousands of instances, the law has been interpreted in extreme and often incorrect ways that critics say have been impractical at best and nonsensical at worst.
The law, which is more than 500 pages, also has sent ripples through the medical community by forcing doctors and hospitals into expensive changes in record-keeping and other routines. The law's rules, or misinterpretations of them, have angered doctors and patients and led some members of Congress to wonder whether their quest to protect patients' privacy went too far.
In Craig, it's unclear whether medics would have been able to save Moore if they had reached him sooner. A representative of the emergency crew says there was no delay in getting to Moore. A sheriff's deputy who inquired about Moore's address at a neighbor's house did not respond to requests for an interview. But the new privacy law actually does not prevent 911 dispatchers from using residents' names in radio calls, and officials in Craig now have dropped the addresses-only policy.
Craig wasn't the only town where officials initially misread the law, which critics say is vague and difficult to understand. Overreaction to the law has caused much of the confusion.
"One of the main sources of medical errors is poor communication," says Deeb Salem, a cardiologist in Boston. "HIPAA is another barrier to communication. The principles, the ideals are fine. The cost of chaos, money and possible patient injury have not been taken into account."
The HIPAA was passed by Congress in 1996 to allow patients easier access to their medical records and to limit others' ability to get such information. It took the government seven years to write the regulations for enforcing the law.
Richard Campanelli of the U.S. Department of Health and Human Services (news - web sites) says the law requires that "reasonable safeguards" be taken to protect patient information. "The two goals here were to protect privacy of patient information and to do so in a way that does not impede access to quality care," says Campanelli, director of the department's Office of Civil Rights.
The privacy provision applies to hospitals, doctors, pharmacists and health insurers, and was designed initially to protect computerized medical records and billing. But it has been interpreted much more broadly.
Thousands of doctors, for example, have stopped sending out appointment-reminder postcards, figuring the cards could be read by someone other than the patient. Some doctors have stopped leaving messages on patients' telephone answering machines, fearing that other family members might listen to them. Wives have been told they no longer could verify dental appointments for their husbands.
Such postcards, phone calls and spousal verifications are allowed under the law, Campanelli says.
Meanwhile, some hospitals stopped providing information to patients' family members and clergy. Some weekly newspapers stopped publishing birth announcements because hospitals stopped providing the names. In a few cases, new privacy policies at hospitals have stymied police trying to investigate crimes.
Dean Akings, the police chief in Great Bend, Kan., could not get information about the medical condition of two murder suspects who were wounded in a shootout May 9. The hospital, 120 miles away in Wichita, also refused to say when the suspects might be discharged.
"Our dilemma was, we didn't want our suspects getting away," says Akings, who asked Wichita police for help. "It worked out, but it was just such a hassle."
Refused data on donated heart
The law does not prohibit hospitals from providing names and basic information about patients, Campanelli says, and it allows hospitals to release information to police to help investigations.
But even Janlori Goldman, director of the Health Privacy Project, a consumer group in Washington, D.C., that pushed hard for the law, learned firsthand how some hospitals have misread the law.
When Goldman's cousin was rushed unconscious to a hospital in Bethesda, Md., the hospital refused to give relatives any information or even confirm that the cousin was there.
"I had worked on getting a medical privacy law for 10 years," Goldman says. "And here I was ... getting cell phone calls from family and friends who said the hospital won't give out the room number."
But, she says, "we need a privacy law because people are afraid to go to the doctor or be honest with (doctors) for fear that sensitive medical information will be used to deny them jobs or their ability to get benefits."
The law has led some hospitals to restrict exchanges of information with other treatment facilities.
Salem, a cardiologist at Tufts-New England Medical Center, was treating a heart-transplant patient in June when Salem was told that the donor had bacteria in his blood. Salem needed to know what type of antibiotic to prescribe to the heart recipient. But the hospital that supplied the heart refused to identify the bacteria, saying that would violate the donor's privacy. So Salem treated his patient with several antibiotics.
"That was the one that blew my stack. I wrote a letter to the editor of the New England Journal of Medicine (news - web sites)," says Salem, chairman of the department of medicine at Tufts University School of Medicine. "I ended up getting e-mails from California to New York from physicians saying that we are seeing this ourselves."
Judith Tintinalli, chairman of the emergency medicine department at the University of North Carolina-Chapel Hill, says doctors no longer discuss treatments among themselves via e-mail because of HIPAA. "There is virtually nothing in writing and nothing in e-mail," she says. "I don't think that's meant by HIPAA, but that's how people have interpreted" it.
Such e-mails are, in fact, allowed under HIPAA, with "reasonable and appropriate safeguards."
Tintinalli adds: "One of our jobs is doing SARS (news - web sites) surveillance. We're very limited in that. Although we might want to know who might have SARS, HIPAA won't allow you to know who that patient is."
In the medical community, there is rising concern about the cost of complying with the privacy rules, too. Many doctors say the government has issued a mandate without providing funds to pay for it.
Blue Cross estimates the cost of complying with the privacy law at about $43 billion over five years to cover new staffing, computer software and paperwork.
A group of 660 physicians in Wisconsin spent $75,000 on paper, printing, mailing and handling privacy notices for 200,000 patients. A 145-bed hospital in Concord, Mass., calculated that each year it will have to document more than 300,000 disclosures of protected information.
"Did we really need to regulate every last detail of this?" asks Mary Grealy, president of Healthcare Leadership Council, a coalition of CEOs of leading health-care companies, hospitals and universities. "Think of how many physician office visits there are, how many prescriptions are filled, how many hospital visits there are. There are billions. All of those have to be addressed in some way."
Is new law 'overdue or overkill'?
Few disagree with the need to protect patients' privacy. The question is, how?
Congress couldn't agree on how to impose the privacy rules and had the Department of Health and Human Services write them.
After the final version took effect on April 14, the department was inundated with questions about how to interpret the law. Campanelli's office has spent months trying to guide the public and the medical community through the confusion. Answers to frequently asked questions are posted at http://www.hhs.gov/ocr/hipaa.
"Many of the misconceptions, they're not a problem with the rule, they're misconceptions, and we're seeing them cleared up," Campanelli says.
He says the privacy law:
Does not prevent doctors or hospitals from sharing information with other doctors or hospitals in order to treat their patients.
Allows hospitals or doctors to share information with the patient's spouse, family members, friends or anyone the patient identifies is involved in their care.
Does not prevent hospitals from disclosing names to clergy or from keeping patient directories. It does not require patients to sign up to be included in the directory, but it does allow patients to "opt out" and not be listed.
Does not apply to most police or fire departments; they may release names and information about accident victims, homicides and other incidents. HIPAA does limit the information that emergency medics may disclose.
Still, some say the fine print seems contradictory. Doctors say their lawyers tell them the law can be interpreted several ways.
"I hired an attorney who does nothing but this," says Michael Fleming, a doctor in Shreveport, La., and president of the American Academy of Family Physicians (news - web sites). He adds the rules are both confusing and maddeningly specific. "They are very picky, all the way down to the size that you have on your printed pieces of paper that your patients have to read and sign."
Campanelli says some of the confusion has arisen because some hospitals or doctors have chosen to go further than the law requires to keep information secret.But others say fears of violating the law prompted overreactionsto it.
"We've moved into the era of hyper-compliance," Grealy says. "People are so worried about the government coming after them, the pendulum has swung in the opposite direction."
Fines for criminal violations, in which a person knowingly obtains or discloses health information in violation of HIPAA, can be as much as $250,000. Civil penalties for unintentional violations range from $100 for an inadvertent disclosure to $25,000 for failure to comply with the law.
Last month, Sen. Larry Craig (news, bio, voting record), R-Idaho, chairman of the Senate Special Committee on Aging, held a hearing to examine whether the new law is "overdue or overkill."
"A kernel of congressional intent has grown into a towering tree of regulatory complexity," Craig said.
On Sept. 30, Colorado Attorney General Ken Salazar issued his interpretation of HIPAA at the request of the Colorado State Patrol. In the meantime, the State Patrol, which operates the 911 center in Craig for Moffat County, Colo., recommended that dispatchers be practical and use residents' names in emergency calls if necessary.
Jim Wolfinbarger, Colorado State Patrol spokesman, says he hopes the attorney general's opinion will encourage common sense in dealing with the new law. "It's going to take a while to get back to a reasonable exchange of information," he says. "There's no magic answer."
Comment