HIPAA hits a snag

Sept. 1, 2010

Recently, some 800,000 people with ties to a hospital near Boston learned their sensitive personal data may have fallen into the hands of identity thieves. Back-up computer files with 14 years' worth of information on patients, employees, donors, volunteers, and vendors went missing after being shipped from the hospital to a data-management company hired to destroy the e-records. Names, addresses, phone numbers, birth dates, Social Security and driver's license numbers, as well as protected health information like diagnoses and treatments, were among the lost e-documents.

In another episode, 87 people had their genetic test results mixed up. One woman panicked when she learned her son was carrying a life-threatening disorder and that he was not (genetically) her son. Another who always thought she was white found out most of her genes were of African origin. A third woman discovered that she was not a woman. Knowing that “DNA does not lie,” she wondered how to break this confusing news to her children. Then these three, along with 84 other clients of a testing company, discovered the test results had been mixed up among the group.

Neither lost records nor mixed-up results are good news for the producers or the subjects of the material. Each of these incidents dredged up the controversies over keeping health records private and genetic test results regulated. The debate over genetic testing pits those who believe government should regulate the tests more closely against others who argue such policing will make the genetic tests too expensive and difficult to get.

These two incidents struck me as odd after all of the care taken to ensure that the HIPAA Privacy Rule, effective April 14, 2003, protects the use and dissemination of healthcare information. HIPAA standards cover employer-sponsored health plans, health insurers, healthcare clearinghouses, including billing services and community health information systems, and medical-service providers transmitting healthcare data in a way that is regulated by HIPAA. It establishes regulations for the use and disclosure of protected health information (any information held by any of these entities) which concerns health status and/or provision of healthcare and/or payment history.

A long list of complaints has been filed since HIPAA's inception, but the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Wall Street Journal noted, has a long backlog, ignores most complaints, and, reportedly, has yet to take any enforcement actions against hospitals, doctors, insurers, or anyone else for rule violations.

Many hospitals broadly interpret HIPAA and have not allowed patient information or condition to be released to the families of hospitalized patients over the telephone, even if the patient is critically ill and the family member(s) live out of state. Strict penalties have been implemented for those who even unknowingly violate HIPAA in this manner; many (most nurses) have been terminated for accidental blunders of their hospital's interpretation of HIPAA.

That we worked so diligently and so long for a way to protect the privacy of our medical records, only to have them exposed, seems a sad commentary on how seriously some of us view the handling of those records. That the OCR has been overwhelmed with privacy-violation complaints does not bode well. That such privacy failures jeopardize other fledgling companies who guarantee to appropriately destroy old records is lamentable. That scientists on the brink of sorting out the mystique of personalized medicine are overshadowed by someone's poor administrative mailing skills is just dumb.

In a world open to what a Washington Post reporter termed “unfettered access to information,” there may be a case for some “oversight” as the head of the FDA's Office of In Vitro Diagnostics suggests, while the director of Boston U's Center for Translational Genomics and Health Outcomes likens an unregulated marketplace to “the Wild West …” and an over-regulated one a risk to “stifling innovation in a very dynamic industry.”

I find this schizophrenic “half-Facebook, half-HIPAA” world a strange dichotomy. I just hope I do not learn one day — via one or the other method — that I am actually a dog.