The issue of confidentiality when applied to modern American healthcare is fraught with differing objectives, creating myriad complications as the needs of each attempt to merge together in their search for common ground and compromise. To arrive at a sense of clarity, we must look to those exceptions that define the fundamental system of rules at the heart of our nation’s health care structure, as the conflicting areas to be found within shed light on the vulnerabilities of the concept as a whole. The demands of federal statutes aside, gray areas abound, since attorneys can breach the duty of confidentiality in response to threats against life or to prevent substantial bodily harm, physicians must answer to certain matters of public health before protecting the secrets of the patient, and spouses can freely tell all when it comes to the actions of their partner, even if the words between them remain protected.
In direct opposition to the fundamental tenet for which it now stands, the introduction of the 1996 Health Insurance Portability and Accountability Act (“HIPAA”) did not originally include privacy legislation, but was modified in November 1999 to address patient concerns. Some 52,000 public comments and another year later, the U.S. Department of Health and Human Services (“HHS”) issued final regulations known as the HIPAA Privacy Rule. HHS again modified the Privacy Rule in March 2002, and after 11,000 more public comments, issued its directive in August 2002. Since that date, HHS has been nothing short of prolific, releasing HIPAA’s Security Rule governing “e-PHI” in February 2003, HIPAA’s Enforcement Rule in 2006, the Breach Notification Rule as well as HITECH (the Health Information Technology for Economic and Clinical Health Act) Enforcement Rule in 2009, and the updated Administrative Simplification Rule in 2013, among others. Now in 2016, whether providers are ready or not, the Office of Civil Rights (“OCR”), the federal agency responsible for policing patient privacy, announced it will commence wide-scale audits to ensure and enforce HIPAA and HITECH compliance.
The absence of consistent or even cogent public policy behind HIPAA makes this body of law frustrating to patients and providers both. While the desire to foster open and frank communication marks the foundation for protecting confidential discussions between priest and penitent or taxpayer and tax return preparer, HIPAA fails to distinguish between confidentiality and commonality. Instead, HIPAA protects those who fail to protect themselves. Though an attorney and client may renounce their right to privilege by speaking in a crowded elevator, the protections of HIPAA remain sacrosanct to any patient in that same elevator who speaks aloud about an upcoming appendectomy or a recent bout with a sexually transmitted disease. That said, these expansive HIPAA safeguards prove helpless in response to a data breach, at least with respect to the estimated 112 million health care records compromised in 2015. This highlights the fact that HIPAA’s foremost goal is in some ways flawed at its very core.
To best understand what exactly we are trying to protect, we must ask ourselves why we have encased patient health information (“PHI”) in such an impenetrably regulated fortress. By its very nature, matters of the body are commonplace in health care, and the system seeks to streamline itself by reducing various ailments to 14,400 ICD-10 codes. Within any one condition, however, there may exist layers of confidentiality, useless to the diagnosis and irrelevant to treatment. As a result, that which happens outside the scope of medical oversight during treatment is of no concern to HIPAA, irrespective of any need for confidentiality.
HIPAA imposes draconian punishments on the medical provider who speaks out of turn concerning a simple broken bone, though the cause of the fracture remains bare and exposed, equally, for the accidental slip and fall or deliberate battery. This defines the type of complexity HIPAA cannot reconcile, even after 20 years of presiding over health care. To counteract such disparity, HIPAA regulations must be broad enough to absorb these distinctions, a solution to which is markedly inflexible.
Such emphasis on inflexibility often gives rise to failure, as was the case with the Berlin Wall, Prohibition and punishment for preexisting health care conditions. If modern medicine offers any lesson on how to address HIPAA’s shortcomings, we should attack the cancer of the act’s imperfections from the inside out, rather than blasting a circumference far beyond its borders. Another strong indication that HIPAA may have been doomed from the start is the frequency of data breaches, which are increasing at such a rate there may soon be no PHI left to protect. Before HIPAA takes its next evolutionary step, modern medicine must ask itself if it is worse to fail in the attempt to protect that which is held sacred by law or ignore the transgressions occurring below the surface that so desperately need to be targeted.
To heal the body it may also be necessary to treat the mind, but HIPAA only protects both when medicine recognizes one as a comorbidity of the other. When this is not the case, all of HIPAA’s power slices the treatment in half, at least in terms of confidentiality. What remains of the act’s reach is therefore totally ineffective in light of it’s ultimate intent. At the crossroads where HIPAA now stands, a decision must be made whether to let HIPAA kill health care through its preordained powerlessness, or whether HIPAA itself must be laid to rest.