This article “A Time to Kill HIPAA” first appeared in the Daily Journal on May 5, 2017.
“Sarcasm: the last refuge of modest and chaste-souled people when the privacy of their soul is coarsely and intrusively invaded.” – Fyodor Mikhailovich Dostoevsky
Imagine a world in which a basic identification card contained a lifetime of medical information, immediately accessible during a routine physical or life-threatening emergency. The technology behind such seeming science fiction could heal a fragmented health care system, affording providers access to critical information in a timely manner to ensure the highest standard of care with maximum efficiency. Only a few years ago, such inefficiencies inherent at the core of American health care provision resulted in as much as $226 billion in increased spending annually, yet salient health care information remained just out of a provider’s technical reach.
The greatest obstacle standing between American health care and the elusive, omnipotent digital medical record turns 21 this summer, the equivalent of a modern-day Methuselah in an industry defined by zeros and ones. Born the same year Google launched and the price of gasoline was $1.22 per gallon, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) sought to improve portability and continuity of health insurance coverage by, among other things, adopting standards for organizations to develop ways in which electronic health transactions could improve health care while also addressing the security of electronic health information systems. HIPAA’s privacy component debuted in 1999, followed by a series of modifications in 2002, as well as the addition of a security rule in 2003 and an enforcement rule addendum in 2006. Changes in health care and technology during the first decade of HIPAA ultimately led to the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which specifically focused on the privacy and security concerns associated with electronic transmission of health information by strengthening the civil and criminal enforcement components within HIPAA.
Together, HIPAA and HITECH revolutionized the way health care providers (also known as “covered entities”) and the non-clinical entities with which they teamed (also known as “business associates”) shared and made available for use patient health information (PHI). With such broad definitions of “breach” and the resultant draconian punishments for noncompliance, HITECH sent the act of sharing health care information back in time in many ways, forcing providers to rely upon the United States Post Office to deliver highly personal, often time-sensitive, sometimes life-or-death information, while improvements were made to the infrastructures within which electronic and facsimile transmissions took place. Purportedly simplified in 2013 through even more regulatory modifications, modern-day HIPAA regulation affords practically no room for error for those who utilize technology as a way to improve the delivery of health care in the United States. As it turns out, we have come to learn that health care is more about perseverance than perfection.