“About whatever I may see a fear in treatment, or ever without treatment, in the life of human beings – things that should not ever be blurted outside – I will remain silent, holding well such things to be sacred, and not to be divulged” HYPPOCRATES
People have been concerned with the privacy of their health information for centuries. Their main concern until recently was limited to the health information that a physician kept – in the doctor’s memory until recently – about his patient. It was correctly perceived, from these early days, that sensitive information about the life, deeds and health condition of an individual meant, given a particular circumstance, control and power over that individual.
With increased complexity brought about by the institutionalization of health care services, the record–keeping activity on patients also escalated to the point of creating what could be identified as a health information services industry. There was also a concurrent expansion in awareness by interested (may we say prying) sectors of the society about the presence of such information pools that could be tapped to obtain pertinent data that could help advance their particular enterprises.
The problem of the privacy of health care information became more acute with the emergence of the new technology that made possible to gather, maintain and transmit this type of information in a tremendously wide and global scale.
The impact upon the individual of improper disclosure of sensitive health information can be greatly significant. Divulgation of such sensitive health information may determine if and individual gets a particular employment, insurance or political position or simply being ostracized from a specific social context.
A most celebrated case in these regards was that of Congresswoman Nydia Velázquez. On that occasion, when running for Congress in 1992 in New York, presumably confidential and delicate health information concerning her suicidal attempt was forwarded to the press after someone obtained the medical records of her hospitalization.
So, it is perfectly understandable that the patients are deeply concerned about this issue. A Gallup Organization survey in the year 2000 with a population sample of 1000 individuals made through interviews revealed that around 80% of the people felt that privacy of their medical records was very important; around 90% opposed giving access of their medical information to government agencies and 80% were against giving access of their medical information to their employers .So, a clear message has been sent: People do not want other people messing around with their medical information. The new Health Insurance Portability and Accountability Act of 1996 (HIPAA) grants particular attention to the privacy of health care information issue. This law applies to health care providers (physicians, dentists, pharmacies, hospitals, suppliers of durable medical equipment, skilled nursing facilities and others), health insurance companies and Clearinghouses. These three groups are collectively designated as “covered entities”.
The covered entities must have privacy compliance programs in effect by April 14th, 2003. The requirements to fulfill this compliance to the Privacy Rule are, among other things: Designation of a privacy officer, documentation of policies and procedures concerning privacy and security of the health care information, education and training of all employees of the particular covered entity about privacy issues concerning health information, implementation of the appropriate security measures for the protection of health information from intentional or accidental misuse, implementation of adequate measures to provide means for the patients to formulate any complaints about privacy of their health information and the development of procedures to sanction employees that violate the privacy policies of the organization.
The process to implement the Privacy Rule could be a complex one. It entails the development of a Notice of Privacy Practices for distribution to all patients, a new document called Acknowledgement of Receipt of the Notice of Privacy Practices, policies and procedures for the Minimum Necessary Standard, mechanics to provide access of the record to the patient and to amend the record if the patient believes there is missing or erroneous information. In addition, new contracts have to be made with the business associates of the organization and chain of trust agreements with the concerned parties, policies and procedures to ensure the safety of the protected health information and many more other documents that address particular processes and circumstances within the operative framework of the practice.
The implementation of the Privacy Rule of HIPAA will undoubtedly imply a substantial and non-reimbursable cost to the Health Care industry. The cost estimates range from $17.6 billion over the ten year period, 2003 – 2012 (Department of Health and Human Services) to $43 billion over a 5 year period ( Robert E. Rolan Company report for Blue Cross Blue Shield Association) The burden of the costs will be borne mainly by hospitals, physicians and payers.
The Privacy Rule of the Health insurance Portability act of 1996 is probable good for the patients by granting them more power to control their health information by conferring them more access to that information and providing safeguards and accountability of such information by the covered entities. On the other hand, it will impose a heavy financial burden on these same covered entities. The question about the actual motivation for the enactment of HIPAA and its privacy provisions have been brought about given the strong overtones of political nature of such a measure. On the same line, the real need for such a drastic undertaking has also been called into question, pointing out that strengthening of currently available statutes could have done the job the new law intends to do. So far, HIPAA has become part of the Law of the Land.
Copyright 2002 QBS, Inc.