HIPAA-cracy
posted by William McGeveran
This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.
So it is with this morning’s thumbsucker [reg/$$ req'd] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)
In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.
What’s fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS — the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?
The article points to one cause: the regulations are long and often vague (though not as bad as some claim); it is always easier to say “no” than to figure out how to say “yes.” HHS must do a better job at presenting plain-English materials. Training of front-line staff — who often have the most public contact — also needs to improve. There are policy changes that could help with these problems, starting with greater effort at HHS.
In addition, I blame the army of consultants who descended on the health care industry after HIPAA passed and exaggerated its complexity to claim that only retention of their high-priced services could ensure compliance. Many offices are still spooked by that sales pitch. Increased clarity from HHS might help here too.
Finally, I agree completely with the HHS official who told the Times,
“Either innocently or purposefully, entities often use this as an excuse. They say ‘Hipaa made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”
I call this last phenomenon “HIPAA-cracy.” You often see the same mindset in dealing with, say, insurance coverage disputes. Inflexibility and unhelpfulness are all too often a part of the modern health care experience. And I’m not sure whether any amount of careful regulatory design can overcome that.
[Cross-posted at Info/Law]
July 3, 2007 at 12:10 pm
Posted in: Administrative Law, Health Law, Privacy, Privacy (Medical)
Print This Post
Responses (7)
Frank - July 3, 2007 at 1:47 pm
Excellent points, all. It reminds me of a the constant evocation of “security” when anyone asks for any flexibility re established procedures.
It’s particularly sad here because HIPAA-cracy may undermine any chance we have of a coherent, interoperable, electronic medical records system; see, e.g.,
http://www.ncvhs.hhs.gov/050816p1.pdf
Eric Goldman - July 3, 2007 at 3:09 pm
You write: “I fear the continued misuse of HIPAA undermines support for all privacy regulation.” I hear what you’re saying, but I would phrase it differently. HIPAA vividly demonstrates the true costs of privacy regulation–whether the overprotection is rational or not, it was predictable and inevitable, and the resulting hidden costs should give us pause when contemplating other new privacy regulatory efforts. Eric.
William McGeveran - July 3, 2007 at 3:39 pm
I don’t think the industry response was “inevitable,” or a “true cost.” Other industries have managed to integrate privacy requirements, here and in other countries, without so much apparent overprotection.
But certainly you are right that, since a big part of the problem here was poor design of these particular regulations, HIPAA is a cautionary tale for lawmakers in future.
And what I meant was, if average citizens see HIPAA as the best we can do, then public support for undertaking privacy protection measures at all will be (unreasonably) reduced.
Doug Sylvester - July 3, 2007 at 5:22 pm
Not much to add here except to say that you are overlooking the role that privacy lawyers have played in this arena. I had the (mis)fortune of working for a firm at the moment GLB came into effect and our firm went to full court press to convince clients to take a far more “protective” (read: apparatchik enforced) view of GLB than I think was necessary or even wise.
My guess is that most doctors use lawyers to explain what HIPAA means and, as a result, are prone to accept the view that it means “no information at any time to anyone…even the patient.” The over-reaction of people to privacy issues is only made worse by the actions of the bar in overhyping both the dangers (to my mind) of over and under compliance with these “laws” and, worse, “public expectations” of privacy.
Ok–I think I’ve overplayed my hand here…
Doug Sylvester - July 3, 2007 at 5:24 pm
Ok–I’m not usre you overlooked the role that lawyers play..you were just too nice in calling them “consultants.”
David Harlow - July 4, 2007 at 10:49 am
Well, folks, it’s not true only if and when the NYT says it is . . . Lots of ridiculous behaviors have been inappropriately blamed on HIPAA for at least as long as the regs have been in effect. But hey, it’s only one link in a chain . . . . As a practicing health care attorney, I see HIPAA as just the latest fig leaf some parties try to use in explaining behaviors or in negotiating a deal when they don’t want to do something — as in, gee, I’d really like to agree with your reasonable request but I can’t (HIPAA made me do it). Before HIPAA it was Stark, the Anti-Kickback Statute, or incomplete readings of other regulatory schemes.
Some states (including mine, the Former People’s Republic of Massachusetts) have privacy rules stricter than HIPAA in many respects so the HIPAA-cracy is perhaps less pronounced than it is elsewhere.
See my post on rampant HIPAA confusion at: http://healthblawg.typepad.com/healthblawg/2007/05/hipaa_confusion.html
Mary H - August 6, 2007 at 6:39 pm
I read the NYT article with interest and curiosity. You all can scorn those of us who toe the overzealous line undertaken by our employers, but your jobs are not at stake. As a lowly psychiatric social worker I WILL be terminated immediately if I give information to family members trying to help their relatives, unless I have a current release. Yes, it’s cruel and ridiculous and interferes with care, but I won’t help my patients by getting fired because our corporate compliance officer is, um, eager. She has put a regulation in place where we cannot even use patient last names in our own internal emails to need to know staff. Indeed, under HIPAA we’re told that we can’t confirm or deny that a person receives treatment from us even if the relative or partner calling regularly attends appointments with the patient. I agree that’s it’s ridiculous and I’m furious that I’ve been lied to, but it doesn’t help my real life situation.
Leave a Reply