Springtime For HIPAA

“And now, ladies and germs, the moment you’ve been waiting for. Please put your hands together and give a big warm welcome because HIPAA is in the house! That’s right. It’s here and it’s based on fear. So let’s all welcome it together: Heil HIPAA! Heil HIPAA! Heil HIPAA!”

Obviously, I’ve been watching too many Mel Brooks movies. And because of that, I have the strangest hunch that what Brooks did to the Third Reich in The Producers, the rank and file of the healthcare industry will do to HIPAA’s rules and regulations (which went into effect this month). I’m not suggesting that people will mock HIPAA with the biting sarcasm and wicked wit of Mel Brooks or brazenly flaunt their disregard of HIPAA’s demands. Nor am I hinting that, when we take a peek behind the curtain to see who’s really running the show, we’ll find a bunch of lame bureaucrats and lobbyists named Larry, Curly, and Moe.

Let me go on the record predicting that, two years from now, we’ll be doing business as usual but with little more than lip service to HIPAA’s requirements. My guess is that the Bush administration will milk HIPAA for a few timely and obligatory sound bites and then let it die on the vine. All one has to do is examine the history of HIPAA’s creation and weigh the contradictions in today’s news to realize that these rules and regulations may be dead on arrival. Because Congress initially refused to act on it, HIPAA went into law by default. HIPAA was also born during the Clinton era and the Bush administration has worked hard to reverse many of the former President’s policies.

Don’t get me wrong. There are many good things about the new Healthcare Information Portability and Accountancy Act. But when one looks at how HIPAA impacts the healthcare information management industry, some of it is just not based in reality. After the courts ordered Verizon to identify a client who was downloading music files, do you really think that every home-based coder and transcriptionist is going to get an ISP to sign a statement respecting the user’s privacy as part of a “business partner agreement”? Do you really think an industry filled with home-based health information workers has the clout to take on AT&T’s corporate attorneys? Don’t make me laugh.

Sure, you can establish policies and procedures, encrypt your files, and use password protection all over the place. But can any home-based coder or transcriptionist really protect the privacy and confidentiality of patient medical records when, as a result of the Homeland Security Act, the government now has the power to enter your home or your computer and secretly record whatever they find without ever having to notify you? As of 2003, the government no longer even has to obtain a warrant from a publicly accountable judge demonstrating reasonable suspicion that any crime is being committed!

As one follows the news, it becomes obvious that mixed messages are filling the airwaves.

Sure, we need to lessen our dependence on foreign oil, but we’ll give you an impressive tax deduction if you buy a new Hummer!

Sure, you’re entitled to your privacy, but how would you like to snitch on your neighbor as a way of demonstrating your patriotism?

Trust me, folks. It’s business as usual. All one has to do is visit E-Bay, where people have been trying to auction off medical reports that have been stripped of any patient identifiers. Having announced, in an entrepreneurial burst of creativity, that such reports can be used as practice sessions by people who are studying to become medical transcriptionists, one transcription supervisor brazenly challenged E-Bay’s buyers to name the specialties for which they needed practice dictations and s/he would go get the appropriate reports. There was no question of who owned the data or if this was just the slightest bit unethical because – if one really wants to split hairs – the data does not contain patient-identifiable information. It’s just another quick and sleazy attempt to cash in on access to medical documentation – a simple and convenient marriage between data mining and Internet auction software.

Are you shocked? Appalled? Discouraged and disheartened? Then suppose we look at the perfect crime with which to illustrate HIPAA’s limitations. On December 14, 2002, thieves broke into the Phoenix offices of TriWest Healthcare Alliance. As part of their loot, they stole hard drives containing the names, addresses, phone numbers, medical claim histories, and Social Security numbers of 500,000 military service members and their families. The security breach was promptly brought to the attention of local law enforcement officers. And there are plenty of laws in effect to cover breaking, entering, burglary, grand larceny, and theft.

I do not have all the details of this crime. But my guess is that, rather than removing all the hard drives on site, the thieves simply grabbed the computers and ran. Have the thieves used any of their booty in a way that would jeopardize the confidentiality of someone’s medical history? Have they tried to sell the information for profit or use it for purposes of blackmail?

That, my friends, is the real question. They may have simply accomplished their goals by selling off the processing chips, memory, and motherboards while causing a major breakdown in TriWest Healthcare’s daily operations.

One of the ironies brought to light from this crime is that a House Government Reform subcommittee recently gave the Pentagon a failing grade for its computer security. So here’s my question: If the same government which is trying to put HIPAA into effect can’t protect the medical records of its own military personnel, should every home-based coder and medical transcriptionist be quaking in her bunny slippers when a child walks into her home office, stands in front of a computer whose screen displays patient information, and asks Mommy if he can go play with his friends? Get real.

Who’s going to report breaches of confidentiality each time a doctor is at fault? If we’re heading into an era of healthcare-related McCarthyism, shouldn’t we first round up all the physicians who keep dictating over cell phones while seated in airports, cars, and other “less than secure” environments and send them to detention camps? Give me a break! Doctors are notoriously lame at policing their fellow physicians. And any administrative underling who toys with the idea of ratting out a physician might want to think twice about trying to find a new job in an economy with soaring unemployment rates.

If anything prevents HIPAA from accomplishing its goals, I’m willing to place my bets on the biggest reality show of all time – “The Feh! Factor.” The ‘feh!' factor thrives on the healthcare industry’s legendary axis of evil: apathy, stagnancy, and inertia. And, like those two new scientific elements (Governmentium and Administratium), it can lay waste to the best laid plans of mice, men, and healthcare policy wonks.

For those who don’t know, the word “feh” is an age-old Yiddish expletive which can be taken to mean (a) “Who cares?” (b) “Why bother?” (c) “Not my cup of tea,” or (d) “You think I haven’t got bigger things in life to worry about?” Trust me – the “feh!” factor is already at work. I recently witnessed it in action.

During the week that I wrote this article, I was scheduled to undergo ambulatory surgery for a cataract extraction. UCSF Medical Center is one of the nation’s major teaching facilities – and certainly well aware of impending HIPAA requirements. But as I sat in the far end of a waiting room for the first stage of my presurgery registration, I could hear – with crystal clarity – every word and bit of patient information being discussed in a cubicle 20 feet away. A short while later, as I sat in that same cubicle being interviewed, I asked the administrative person if she was aware that I could hear everything being discussed between her and the surgical candidates she was processing. Was she aware that the physical layout of her office compromised patient confidentiality? Did she know if anyone at UCSF planned to do something about soundproofing the area?

Shaking her head in dismay, she confessed that she understood completely, and that the situation became worse when counseling elderly patients who were hard of hearing. She had repeatedly told her manager that it would be better to do the intake interviews behind closed doors (instead of in a semi-exposed cubicle), but nothing had been done about it. In fact, the office space had recently been redesigned! She then urged me to write a letter to the President of UCSF informing him of the problem and see if maybe that could produce some results.

Even if a breach is reported, what then? How will penalties be levied? How will patients be reimbursed for the harm they have suffered? Remember how long it took to convict Columbia’s doctors and administrators on charges of Medicare fraud? Just follow the money and see where it leads. HIPAA-related complaints are supposed to be handled by the Department of Justice’s Office of Civil Rights. But isn’t that the same Department of Justice which has recently been accused of undermining civil rights? Isn’t that the same Department of Justice which is trying to stall any requests under the Freedom of Information Act? Just how much money and manpower has been allotted to prosecute HIPAA-related breaches of patient confidentiality? With the government projecting massive budget deficits and drastically cutting funding for social programs, how much money and manpower will be available to cover the expense of prosecuting HIPAA-related complaints?

Color me cynical, but I’ve already seen how this works. Twenty years ago, HMOs used similar forms of corporate doublespeak and stall tactics when handling physician requests to authorize treatment for their patients with HIV. The strategy was simple – find any legal and ureaucratic ways to delay authorizing treatment and the patient will die before the treatment can be administered. At the time, it was a simple line-item approach to cost savings. It was business as usual.

Those diehard AAMT members who have brainwashed themselves into believing that HIPAA will eventually require medical transcriptionists to become licensed and certified really need to wake up and smell the coffee. HIPAA will only succeed if government, business, and society at large share the power, funding, and enthusiasm to make it work. But in this economy? And with this administration? Let me quote the first President Bush: “Ain’t gonna happen.”