Few argue that the privacy rule governing personal health information (PHI) wasn't necessary and long overdue, but like most complex legislative actions, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule has created a morass of misunderstanding and, in some cases, imposed unintended barriers to patients' care and wellbeing.
One of five major category subsections of the HIPAA regulation, the privacy rule attempts to create a baseline for PHI protection. Updates to guidance for the Act, which went into effect in 2003, were expected to address most unplanned circumstances, but it is unlikely the questions will ever cease. (See: http://www.hhs.gov/ocr/hipaa/)
Defining privacy — balancing providers' need-to-know for treatment purposes against patients' rights of control over how, when and where their information is shared and the implementation of adequate security measures — continues to create challenges. This is particularly true as healthcare organizations confront the issues of exchanging PHI across regional and national information exchange networks.
Beyond collaborative needs, however, technology innovations continue to create new conundrums. Identification of genetic disease markers has already begun to alter diagnoses and treatment options for certain diseases. But it has also created dilemmas for those managing PHI. For example, the capability exists to produce a genomic profile that identifies more than 80 genetic disorders, much like the chemistry test panels in wide use today, but privacy issues continue to hold back general availability.
The promise of locator and positioning systems is also great — and so are related privacy concerns. RFID systems are proving their worth in tracking equipment and, more recently, patients within facilities. Emergency departments and outpatient ambulatory units are among the earliest adopters. But when the technology gets deeply personal — as in embedded under an individual's skin — some people get very nervous.
And yet, there are places where such tracking would be invaluable. Among them is use with people who are mentally challenged and prone to wander. Beyond simply serving as tracking devices, some implantable microchips already available can store information, including medical records. Some providers are encouraging patients with conditions likely to result in emergency department visits to have such an implant. Although very few Americans have undergone the procedure so far, Delray Beach, Fla.-based VeriChip claims that 65 hospitals have agreed to implement its patient identification system.
Within the domain of public health, the safety and well-being of the population at large necessitate overriding some privacy rights. Although most people understand and accept the government's role in curtailing communicable diseases, some New Yorkers are questioning that city's right to intercede on their behalf under its new diabetes surveillance system. The law requiring laboratories to report abnormal hemoglobin A1c test results to the city for its NYC Hemoglobin A1C Registry went into effect this past January, and although officials continue to assure the public that their information is secure, privacy advocates question the reality.
And that reality will surely be reexamined in light of the assessment of the security practices of the Department of Health and Human Services (HHS), which includes the nation's largest insurer — the Centers for Medicare and Medicaid. A recently released report issued by the Government Accountability Office delivers a scathing appraisal of HHS' security practices, citing "significant weaknesses in controls designed to protect the confidentiality, integrity, and availability of their sensitive information and information systems."
No wonder the public is worried.