HIP HIP HIPAA HOORAY! Where's My Medical Privacy?

And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets. 
   *       *        *
Today, I"m ranting about medical privacy (now gone) and electronic medical records over on KevinMD.  The link is HERE.  Did you know that hospitals now send your medical information to the state (at least in our state), whether you want that or not? 

And while you're reading about privacy, there's a terrific article in the Wall Street Journal called Families of Violent Patients: We're Locked out of Care.

Okay, I'm going to make a confession here.  I have no idea what HIPAA is.  I don't know, I don't care.  My practice is small enough that I don't have to give out privacy notices, and I confine my "HIPAA" comments to "I don't release information without your permission."  I also note that I do release information in case of an emergency and that the state has requirements about the reporting of child abuse.  But from my take on it, HIPAA is not about who doesn't get your information, it's a long list of who DOES get your information, like it or not.  When I go to the doctor, I often cross out some of the listed entities, and tell them I don't want my information released.  But no one reads these things so it's just about making me feel like I have some control.  We all like those delusions.

Before HIPAA, doctors were not allowed to release your medical information without your permission.   There was this guy, way back when, named Hippocrates who had something to say on the matter.  Psychiatrists never did talk about your care without your permission, I remember this from before HIPAA.  

Regarding the Wall Street Journal article -- the implication here is that suddenly HIPAA prevents families from getting information about patients against their will.  I sometimes wonder if there is a reason the hospital/doctor/etc aren't plugging harder to talk with the family.  In the case of a violent patient, no doctor wants to see their patient hurt someone or die, and it's hard to imagine that if it were crucial to to share this information, a psychiatrist wouldn't say, "Listen, I can't treat you if you won't let me include your family."  The slant of the article assumes that the patient is always the sick one and that the family is well and harboring nothing but good intentions.  Perhaps the family has been intrusive, or the patient is really adamant.  Do we really want to tell a psychiatrist our private thoughts knowing they will repeat them to our family members whom we don't want to know them?  There are times when a really psychotic person won't allow communication because in the past, the family has insisted he take medication or go to treatment he didn't like, but which helped him anyway, and perhaps that was the right course of action.  But there are also times when families make the situation worse.  I don't think the issue is HIPAA, but I do imagine that part of it is that hospital staff don't have the time to work with patients and their families to help everyone come to a place where families know how to be helpful without being intrusive, and patients can feel more comfortable and respected.  These things take time (sometimes a lot of time) and if you're fighting with insurance companies for an extra day, and spending your time entering data into the computer, when a patient says "No, don't talk to my family,"  the doctor may just say "HIPAA, I can't," without exploring whether that makes sense or if there is a way the patient might allow communication about some aspects of care.  And finally, there is nothing about HIPAA that prevents family members from giving crucial information to a doctor.    

Okay, I've ranted for today.

Privacy please....

Over on Clinical Psychiatry News, I have a an article up on medical privacy, HIPAA, electronic medical records, routine dental care, compliance and regulation, and yes, fish.  Surf on over if you get a chance.

HR 4157: Electronic Health Records Debate

[Cartoon by Steve Greenberg, posted with artist's permission.]

Nick Meyers, the APA Director of Government Relations, sent the following memo out yesterday, alerting psychiatric physician members about pending national legislation on electronic medical records and their impact on privacy and confidentiality of personal health information. I'll try to post more on this later, but in meantime, contact your Senators and Delegates to let them know that privacy is important to you, and that you want to be notified if there is a breach in the confidentiality of your records (see latest VA fiasco here or here or here).

This afternoon, the House Energy and Commerce Health Subcommittee approved its version of legislation to facilitate the development of a national health information technology infrastructure (H.R. 4157). The Subcommittee action follows approval of a different version of the bill by the House Ways and Means Health Subcommittee, whose Chairman, Nancy Johnson (R-CT), is the lead sponsor of the bill.

As approved by the two Subcommittees, both bills codify the Office of the National Coordinator for Health Information Technology (ONCHIT), lay out broad policy goals for the establishment of a nationwide interoperable health information technology infrastructure, and include important “safe harbors” to the Stark II anti-kickback law as the HIT system is developed. The goals of the national HIT system include the promoting of health care quality, reducing medical errors, improving efficiency, facilitating portability of patient information by patients, and promoting health care research. The Ways and Means bill includes as a goal that the national HIT system “ensures that the confidentiality of individually identifiable health information is secure and protected.” The Energy and Commerce bill requires that the system is “consistent with legally applicable requirements with respect to securing and protecting the confidentiality” of patient records.

The Ways and Means bill as introduced included a study of privacy that opened the door to possible weakening of current privacy protections, and would have allowed the Secretary of HHS broad latitude in acting by regulation to “harmonize” privacy laws in a way that could have undercut existing HIPAA rules protecting state privacy laws that were stronger than HIPAA’s basic requirements. APA, both individually and in conjunction with the American Medical Association and mental health groups including the American Psychological Association and the American Psychoanalytic Association, has always sought to include the strongest possible privacy protections as one of the essential elements of any national HIT system. We met personally with Chairman Johnson and her key health staff to outline our concerns and to offer constructive suggestions about how the bill’s privacy language could be improved. With her support, our efforts resulted in an extensive reworking of the bill as approved by the Subcommittee. While not perfect, the changes are a very substantial improvement, and Chairman Johnson certainly deserves thanks for her efforts. A more detailed analysis of the changes is forthcoming.

The bill approved by the Energy and Commerce Health Subcommittee explicitly protects the current HIPAA “non-preemption” language that ensures that stronger state privacy laws will remain in force. While this is an important acknowledgment, additional work is needed to protect patient medical records, as evidenced by recent revelations of data and record loss in the VA system and DOD, among others. During Subcommittee debate, Democrats proposed an amendment that sought to strengthen the enforcement of existing privacy protections and require a privacy breach notification. The amendment failed by a vote of 10 to 12.

What’s next? Next Tuesday, the full Energy and Commerce Committee will consider its amendment to H.R. 4157. We also expect the full Ways and Means Committee to consider the bill as soon as next week. If the two bills continue to have major differences, they will have to be reconciled presumably in the House Rules Committee. Since the House GOP leadership has designated the week of June 18 as “Health Week” it seems very likely that HR 4157 – however amended – will be a centerpiece of the week’s activities.

HIPAA vs. the US Patriot Act

[Posted by ClinkShrink]
In the course of reviewing for my forensic recertification exam I am struck by the dramatic and divergent changes in patient privacy issues since I did my fellowship ten years ago. When I was in training the standard assumption was that psychiatric records were private and that a written release was required from the patient to disclose any information. That was pretty simple. We didn't have to think about electronic medical records, email, faxes, telepsychiatry or many other forms of electronic communication either because they just didn't exist or weren't in common use. Then came HIPAA. Enough said.

The latest and most counter-intuitive twist in patient privacy is now the U.S. Patriot Act. What this means for psychiatrists is that if the government wants your records, you give it to them. Period. And you can't tell your patient. Ever. A request for records under the U.S. Patriot Act comes in the form of a National Security Letter (NSL). According to the Foreign Intelligence Surveillance Act (FISA), an NSL must be approved by a judge of the Foreign Intelligence Surveillance Court. However, there is no requirement for any standard of proof that a national security issue is at risk---no "reasonable suspicion", no "probable cause"---and no mechanism to challenge the letter or appeal the granting of the NSL.

If you receive a National Security Letter you may not tell your patient that you received it or that you have turned their psychiatric records over to government investigators. This gag order is permanent. And the request is not limited to any particular physical location---keep this in mind if you have a home office.

As you struggle every day to interpret and comply with HIPAA regulations, it's ironic to know that the government could suddenly decide to rifle through your home office filing cabinet and there's really nothing you can do about it.

For those of you interested in learning more about the ramifications of NSL's and the Patriot Act on your practice, download the ACLU's pdf file on this issue:

Unpatriotic Acts: The FBI's Power to Rifle Through Your Records and Personal Belongings Without Telling You