HIPAA Part 2

Time for our 2^nd chapter of the HIPAA saga.  As we left it last time, George Bush signed the High Tech Act into effect in 2002 and you would have thought that was the end of government intervention into our protected health information (PHI).  But that would be too easy.  The Office of Civil Rights (OCR) has continued to tinker with the privacy portion of HIPAA over the last 13 years, to the point that Congress felt obligated to pass the Omnibus Bill in 2013 which was signed into law by President Obama personal healthcare information.  So we are very restricted on who we can give out PHI to including even spouses, children and parents.  For example, we had a patient call up a few weekends ago with the need for antibiotic medication for a dental infection.  She was not feeling well enough to drive down to the office so we could dispense her the medication and she wanted to send her husband or her sister, who lives close by, to pick up the antibiotics and pain medication.  Unfortunately, since we did not have a signed HIPAA release for her to either her spouse or sister we could not dispense the medications for her.  In addition new FDA restrictions do not allow us to call in the medications to a pharmacy without a signed release form.  All the prescriptions now have to be handwritten out by the prescriber completely and picked up by the patient when the pharmacy does not have a signed release on file, HIPAA again.  Fortunately, she was eventually able to have someone drive her here to pick up her medications, but what a mess!  Does it really need to be this complex? Or is there some reasonable ground that we could offer privacy, but reasonableness.  By the way, the official list of definitions in the Omnibus bill is almost 20 pages long and we do now currently in our office have 14 different signature forms for your protected health information storage and dissemination requests.  As the definition of family, that government form is over 2 pages long.  If this seems like overkill, it probably is.  But leave it to the government to protect your personal identification just like they did for the over 20 million Federal employees that had their information hacked from Federal storage.  The take away message must be protect yourself as best you can and hope for the best.  After all, as my father told me, we live in a free country, not necessarily a fair one. 

HIPAA Part One

I have been spending many many odd time hours at the office recently.  It's not so that I can provide the best quality dental care to our large family of patients, but rather on reviewing new government regulations that affect my practice, as well as the practice of all of my peers and of medicine in general.  That acronym is HIPAA, which stands for the Health Insurance Portability and Accountability Act.  You will note that there is no word privacy here.  That is because that is not the reason for the law as it was written in 1996.  History shows us that the bipartisan law was proposed by Senator Ted Kennedy and Nancy Kassebaum and sent to President Bill Clinton for his signature in August 1996.  The reason for the law was a concern for what was termed “job lock” and the insurance coverage of pre-existing medical conditions.  In addition the government set about the process of trying to save money by verifying the portability of dental insurances.  There was also a mandate for fraud and abuse in the law and administrative simplification provisions which they thought could save the government somewhere between 3 or 4% in administrative costs for Medicaid and Medicare.  Yes, it is all about the money.  Then there was a provision in the law, put in the last minute, for privacy.   Kennedy and Kassebaum realized that there may be a problem with electronic transfer of data between insurance companies and the government and they assigned a mandate for congress to resolve this privacy issue within 3 years.  As you can expect, by 1999 they had not fulfilled that mandate, and the job was turned over to HHS (Health and Human Services) who established OCR (Office of Civil Rights) to write the privacy laws which came out in November 1999.  The document was 300 pages long and was released December of 2000.  In the “final regulations” they mentioned 265 times the term "reasonable" in trying to make the privacy laws appear to be easy to manage.  The final guidelines were released in July 2001.  But by then there were modifications of the Notice of Proposed Mandates that came out in March of 2002 which went into effect in October of 2002.  This eventually led to the forms that you sign at our office today, the “Notice of Privacy Provisions” and our “good faith effort” in getting you that information.  The unfortunate thing about this process is really the privacy portion of the law really boils down to a few short words “we get your PHI (personnel health information) from you and we should not give it to anyone without our permission.”   Unfortunately those few words translated into thousands of pages of documents from the federal government that we need to evaluate and respond to with hundreds of pages of documents of our own and many many hours of time.  All this is based on the goal of saving the government 3% on this cost.   How much does that cost us in the medical field that is passed onto you the consumer?  I am not sure,However I am sure it is much more than 3%.  I will review the next phase of HIPAA and its current status in my next blog beginning with the HITECH Act (Health Information Technology for Economic and Clinical Health) and the finally the Omnibus Bill passed in 2013.