Who: William R. Braithwaite, MD, PhD, FACMI
What: Senior Advisor on Health Information Policy, the Office of the Assistant Secretary for Planning and Evaluation in the U.S. Department of Health and Human Services.
How: Physician, medical information specialist, 20-year academic career at the University of Colorado School of Medicine. Graduate of the Robert Wood Johnson Health Policy Fellowship Program and internship with the Senate Finance Committee Health Staff. He became one of the major authors of the Administrative Simplification language that was attached to the Health Security Act before its introduction on the Senate floor.
A lackadaisical healthcare industry, government bureaucracy, bullying vendors and a fearful public are threatening key pieces of HIPAA, the Health Insurance Portability and Accountability Act of 1996. Today, after more than two years of complex government and industry maneuverings, important administrative and financial transaction standards are well along the path to industrywide adoption. Unresolved, however, are some of the Act’s thorniest components, including privacy issues, which are key to HIPAA’s success.
Bill Braithwaite tackles HIPAA controversies head on in his post as senior advisor on Health Information Policy at the U.S. Department of Health and Human Services. In the following interview, Braithwaite talks from his office in Washington, D.C., about the challenges facing the unresolved HIPAA provisions and the goal to streamline healthcare administration.
How can HIPAA help solve healthcare’s security problems?
Most industries that use information technology pay close attention to the need for security in their systems. They value the information they have and strive to protect it. For many reasons, many of which are incomprehensible, healthcare has been very lax. Current practices are not acceptable. However, there are four issues that must come together to solve the security problems.
One, awareness. Everyone in the organization must understand the importance of security and the associated technical requirements. Many computer systems have security capabilities with timed log-ons, biometrics, multiple passwords and audit trails, but typically the security system isn’t turned on when the system is installed. Naturally, if a feature is not used, system vendors stop producing systems with the capabilities. This cannot be allowed to happen.
Two, cultural acceptance. Doctors and nurses, burdened with increasing documentation, often refuse to use a system that demands keyboard skills and increases charting time. This must be resolved, perhaps in finding different and more creative approaches to security barriers.
Three, administrative policy. The issue of security must have a major emphasis in training, but a hard-line administrative backup is required. Administrators must be willing to fire people over breaches in security.
Four, law. The security policy must be turned into law with mandates and penalties. Security regulations that are emerging now have the administrative simplification law to back them up with penalties.
What makes this security policy unique?
The specific policy stated is nothing unusual or onerous. It is a standard security policy that would be used for any industry other than healthcare (for details, see "Battening Down the Hatches," below). It’s scalable. A one-person practice with a PC can implement every one of the security measures required, as can the largest multinational corporation.
We expect complaints, especially from small providers because they are the most likely not to understand the policy. Consequently, we have gone to some lengths to try and provide an example of how a small provider might deal with this complex-looking matrix of requirements.
Beyond security, what are the major obstacles to HIPAA implementation?
There are two right now. One is the furor over a choice for the individual identifier. The other is the Paperwork Reduction Act (PRA) of 1995 (for more about HIPAA opposition, see the sidebar, "Counterpoint: HIPAA Hiccups," below).
The issue of privacy to precede other implementations has been the intent of HIPAA from the beginning. The timing of the regulations is such that privacy protection will be in place before anyone is mandated to use the standards. The angst among uninformed people has reached the point that some members of Congress are considering writing a law that stipulates that privacy legislation must be in place before the standards are implemented (assignments for identifiers, etc.). Go ahead--restate HIPAA if it will make people more comfortable, just so long as it doesn’t change the intent. And so long as it permits the industry to go ahead and start building information systems. They don’t need to actually implement them until the privacy is in place.
The original bill that I helped write for the Senate Finance Committee included a section on health information privacy that was at least as large as the section on standards--Congress stripped it out. It was there again in 1996, as part of HIPAA--for about five minutes.
One of the things we did manage to get into HIPAA was the backup clause that states that if Congress does not pass a general health information privacy law by August 1999, the Secretary of the Department of Health and Human Services (DHHS) has the authority to do so by regulation. Now, that authority is limited to information associated with electronic transactions, but it’s better than nothing.