
Thursday, November 16, 2006

Getting hip to HIPAA

One of the reasons they keep me around at my place of employment, in addition to the baba ganouj I make for festive occasions, is that I do the agency's annual training on client confidentiality and HIPAA. It occurs to me that most people really don't understand that HIPAA gives them significant rights, and that a lot of providers still don't really understand the spirit of it.

As readers probably know, HIPAA is the Health Insurance Portability and Accountability Act, which was enacted during the Clinton administration, but took effect in stages. What does an act with that name have to do with patient confidentiality? The original purpose was to make it easier for people to keep their insurance when they change jobs; and to simplify billing for health care services by establishing consistent standards for the relevant information systems. But Congress recognized that in the brave new cyberworld, there are substantial threats to our privacy that did not exist before. Electronic records can be duplicated, searched, sorted, and transmitted around the world instantaneously. They can be hacked and cracked, misused and abused, in ways that paper records cannot. And what the heck, people were concerned about the privacy of their medical information anyway. So they added protections for patients.

For much of the time leading up to implementation of the privacy and security rules, in 2003, health care providers were in a panic. It was going to cost them quadrillions of dollars to comply, it would be impossible to meet all of the requirements, patients would be harmed, yadda yadda. None of that happened, although a certain amount of overzealousness in the early years of the HIPAA regime did create some fairly ludicrous situations. But as it turns out, you can indeed call the person by name in the waiting room. (Unless they ask you not to - which is a reasonable request to grant.)

In fact, I think HIPAA has worked out just fine. Sure, your insurance company sends you that Notice of Information Practices in 6-point type, and doesn't bother to include the microscope you need to read it. That's a waste of paper. But there are now clear explanations of what health care providers must do to protect your privacy, expressed as a general framework, with the specific measures they have to take based on a standard of reasonableness. If you care to, you can find out exactly what the procedures are that your own providers use, and you can request that they be even more strict in your own case if you like. Here are some of the important rights that you have. And don't take no for an answer.

1) You own your medical records. They are yours. You can see them. You can have copies. If you want to see your medical records (including mental health and substance abuse treatment), your provider will give you a form to fill out requesting them. They have 30 days to give them to you, but it shouldn't take that long.

Your provider can withhold part of your record from you for only two reasons: a licensed health care professional thinks that seeing some piece of information will put you in physical jeopardy (probably meaning make you kill yourself); or a third party's confidentiality (not a provider) would be violated. They have to tell you that they are withholding something, and why. Otherwise, it's yours.

2) If you think something in there is incorrect, you can ask to have it corrected. If they disagree, they have to include your rebuttal in the record.

3) You can request additional privacy protections and restrictions on the use of your private information, beyond what is required by law or normal institutional policies. They don't necessarily have to agree to these, but you are also free to take your business elsewhere if they don't.

4) You can ask them if there have been any unauthorized disclosures of your private information, and they have to tell you.

5) They have to ensure the accuracy, integrity, accessibility, and security of your private information. They can only disclose it as necessary for providing you with treatment, for billing for their services, and for managing their operations (e.g., staff supervision and quality assurance), and that means disclosing the minimum necessary information to the minimum necessary people in order to get these things done. There are specific requirements about how they have to protect your private information. If they aren't doing it, you can complain, and get satisfaction. Here's how.

So don't say Congress never did anything for you -- at least not back in 1996.