Happy 20th Birthday, HIPAA!
August 19, 2016
Birthdays are always fun. Well, sometimes. The Health Insurance Portability and Accountability Act (HIPAA) is 20 years old this year. It was born out of wedlock, the result of a union between an industry that cannot be trusted and patients who must be protected. No, there was no marriage because the economies could not be fully disclosed and melded the way most marriages are.
When HIPAA entered healthcare in 1996, it was about protecting the personal health records of patients who change insurance companies when they change jobs.
Today, HIPAA has grown into a behemoth of complex regulations that frustrate many and are fully understood by few. The regulations have intruded into every aspect of health care and every aspect of the patient experience.
At this time, HIPAA provides a means of reporting breaches, has increased its penalties, and has refined its final rules and defined those who are accountable. It has inspired the development of sophisticated electronic health record programs as well as their correspondingly high cost.
What Patients Want
Still, HIPAA justifies a defense of “If you ask, I won’t tell.” Families want to know how their parents or children are, but nurses will not tell. Adult children call for updates on their mother or father, but nurses will not tell. Is this what we wanted?
In my study on patient privacy, I found that patients who are hospitalized value their own autonomy, their control over their own bodies, and their own identity in the moments when they are most vulnerable. They want those who need to know, to know.
Patients also want family members to be able to reach them. They want nurses to protect them from people they don’t want to have access to them. Patients’ signatures on privacy statements are often given without reading them. They do what they are asked to do. And, during a health crisis, HIPAA, as a set of regulations meant to protect patients, could not be more irrelevant to a patient who is facing a life-threatening illness.
HIPAA Too Complicated?
The ethical practice of patient confidentiality prior to HIPAA offered more protection and was far less complicated. Today’s private and secure patient portals are neither private nor always secure. Only the respect that exists between patients and those who care for them is tangible. Still, patients want to trust their physicians and nurses. The thought of having to edit their discussions for fear of disclosure is untenable and places them at greater risk.
Is patient privacy now reduced to electronic records only, or does it extend and exist in the domain of human caring? Does privacy mean today what it meant 200 years ago, prior to phones, fax machines, email, and insurance?
Is privacy a safe practice, one that keeps patients healthier and reduces risk? In the face of 112 million records being breached in 2015, does any patient know or inquire about this statistic?
It is time to re-evaluate HIPAA.
We need to look at what it has done to the relationships that are the core of health and care, and whether privacy is still clearly defined in a meaningful way. We need to separate regulated privacy from personal privacy, acknowledging that the free flow of information about a patient to those involved in his or her care is what is best and what is safest.
Want more insights about privacy and the patient experience? Download “The Role and Perception of Privacy and Its Influence on the Patient Experience,” a whitepaper I wrote for The Beryl Institute in 2011 based on my doctoral research.