HIPAA privacy: what is the dilemma? - Counterpoint

Physician Executive, Jan-Feb, 2004 by Richard Stubbs, Laird Pisto, Cherbon VanEtten

We were asked to respond to the concerns raised by Drs. Herman and Peel regarding the HIPAA privacy rule. In their article they contend:

* Elimination of the consent requirement creates an open book for all Americans' medical records

* HIPAA interferes with the physician-patient relationship and creates new ethical conflicts for physician executives and

* HIPAA privacy notices are inaccurate or incomplete

We recognize that the privacy rule has generated some stress and confusion for physician executives, but our conclusion is that the HIPAA privacy rule actually strengthens the physician-patient relationship and offers a new set of tools and resources for physician executives tasked with managing patient privacy issues within their organizations.

Elimination of the consent requirement did not create an open book for all Americans' medical records.

The HIPAA privacy rule granted all Americans a core set of federal rights and protections related to their medical record information while preserving those existing state laws that provide greater rights and protections. These regulations reinforce the long-standing ethical duty of all physicians to maintain patient confidentiality.

The privacy rule provides a national framework from which to meet those ethical obligations while keeping in mind a need for balance between privacy and availability of information for the provision of and payment for health care.

Elimination of the burdensome consent provision is one example of how this balance is being reached. Under earlier versions of the rule, regulators proposed a requirement that mandated written patient "consent" be obtained prior to any use or disclosure of protected health information (PHI). This included exchanges of routine information needed in order to simply make a referral to a specialist, or have a prescription filled.

In the preamble of the December 28th, 2000 final privacy rule, it was acknowledged that, "it would be difficult, if not impossible, for health care providers to treat their patients and run their business without being able to use or disclose protected health information for these purposes (treatment, payment and health care operations)." (65 Federal Register 82649 (Dec. 28, 2000))

After months of discussion and comment from a very broad range of constituents, including providers and patients, a reasonable determination was made that consent would not be required for exchanges for purposes of treatment, payment and health care operations (TPO).

Instead, providers would be required to make a good faith effort to obtain the patient's written acknowledgement (45 CFR § 164.520(c)(2)(B)(ii)) of receipt of the notice of privacy practices. The version also emphasized the providers' obligation to use and disclose only the "minimum necessary" (45 CFR § 164.514(d)) information needed to effectuate the care, payment or health care operation associated with that exchange.

This minimum necessary provision provides an added layer of scrutiny to the process of exchanging PHI. Both the "sender" and the "recipient" of PHI have the burden of limiting not only the amount and type of information exchanged, but also the "use" of that information once exchanged.

The HIPAA privacy rule places much greater constraints on the use and dissemination of PHI than ever existed prior to HIPAA.

Furthermore, the privacy rule requires that, prior to every exchange, the covered entity verify the identity and authority of the person requesting the PHI. This validation process--another added layer of scrutiny--protects the patient from having his or her information disclosed to unintended or unauthorized recipients.

Every covered entity with access to PHI, and every covered entity's business associates, are now subject to voluminous rules and procedures dictating who can receive PHI, how they can receive it, when they can receive it and why they can receive it.

Prior to HIPAA, few states had any procedural protections in place, and even fewer states offered the patient any rights with regard to how their health care information was shared or maintained.

No harm to physician/patient relationship

The privacy rule does not interfere with the physician/patient relationship and does not create new ethical conflicts for physician executives.

Physicians have long dealt with conflicts of interest. No group is more aware of this than physician executives, each of whom must balance the interests of their organization against the interests of their patients and patients' families.

Physicians, indeed, have a duty to their patients first; however, this duty does not allow a physician to simply overlook other obligations to legitimate interests such as family members, hospitalization utilization directors, insurance companies (who pay the bill), attorneys, etc.

Physician executives now have a powerful added tool in their arsenal to protect and maintain patient privacy standards within their organization, as well as additional rules that allow for the protection and limited use of PHI for purposes of health care operations.


 


Content provided in partnership with Thompson Gale