Tag: HIPAA

Doctors as Data Entry Clerks for the Government Health Surveillance System

As a practicing physician I have long been frustrated with the Electronic Health Record (EHR) system the federal government required health care practitioners to adopt by 2014 or face economic sanctions. This manifestation of central planning compelled many doctors to scrap electronic record systems already in place because the planners determined they were not used “meaningfully.” They were forced to buy a government-approved electronic health system and conform their decision-making and practice techniques to algorithms the central planners deem “meaningful.”  Other professions and businesses make use of technology to enhance productivity and quality. This happens organically. Electronic programs are designed to fit around the unique needs and goals of the particular enterprise. But in this instance, it works the other way around: health care practitioners need to conform to the needs and goals of the EHR. This disrupts the thinking process, slows productivity, interrupts the patient-doctor relationship, and increases the risk of error. As Twila Brase, RN, PHN ably details in “Big Brother in the Exam Room,” things go downhill from there.

With painstaking, almost overwhelming detail that makes the reader feel the enormous complexity of the administrative state, Ms. Brase, who is president and co-founder of Citizens’ Council for Health Freedom (CCHF), traces the origins and motives that led to Congress passing the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. The goal from the outset was for the health care regulatory bureaucracy to collect the private health data of the entire population and use it to create a one-size-fits-all standardization of the way medicine is practiced. This standardization is based upon population models, not individual patients. It uses the EHR design to nudge practitioners into surrendering their judgment to the algorithms and guidelines adopted by the regulators. Along the way, the meaningfully used EHR makes practitioners spend the bulk of their time entering data into forms and clicking boxes, providing the regulators with the data needed to generate further standardization.

Brase provides wide-ranging documentation of the way this “meaningful use” of the EHR has led to medical errors and the replication of false information in patients’ health records. She shows how the planners intend to morph the Electronic Health Record into a Comprehensive Health Record (CHR), through the continual addition of new data categories, delving into the details of lifestyle choices that may arguably relate indirectly to health: from sexual proclivities, to recreational behaviors, to gun ownership, to dietary choices. In effect, a meaningfully used Electronic Health Record is nothing more than a government health surveillance system.  As the old saying goes, “He who pays the piper calls the tune.” If the third party—especially a third party with the monopoly police power of the state—is paying for health care it may demand adherence to lifestyle choices that keep costs down.

All of this data collection and use is made possible by the Orwellian-named Health Insurance Portability and Accountability Act (HIPAA) of 1996.  Most patients think of HIPAA as a guarantee that their health records will remain private and confidential. They think all those “HIPAA Privacy” forms they are signing at their doctor’s office is to insure confidentiality. But, as Brase points out very clearly, HIPAA gives numerous exemptions to confidentiality requirements for the purposes of collecting data and enforcing laws. As Brase puts it, 

 It contains the word privacy, leaving most to believe it is what it says, rather than reading it to see what it really is. A more honest title would be “Notice of Federally Authorized Disclosures for Which Patient Consent Is Not Required.”

Privacy? Nuthin’. Respect My Authoritah!

A fascinating enforcement action under the Health Insurance Portability and Accountability Act (HIPAA) shows what really matters in the world of privacy regulation.

The U.S. Department of Health and Human Services has imposed a $4.3 million civil penalty against Maryland-based Cignet Health for violations of its regulations. HHS’s Office for Civil Rights (OCR) found that Cignet violated 41 patients’ HIPAA rights by denying them access to their medical records, which they requested between September 2008 and October 2009. The penalty for these violations is $1.3 million.

But Cigna’s real crime was willful disobedience of the government. Who knows why, but according to the government:

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations.

The penalty for that was $3 million.

Notably, the HHS release says nothing about the condition of the aggrieved parties. How are they doing with their $31,000 a piece? Does it fully compensate for their inability to access medical records during the relevant period?

Just kidding! Nobody really cares.

This enforcement action has nothing to do with remedying a genuine breach of privacy—an annoyance and genuine paperwork problem, yes—and everything to do with sending a message: You will respect my authoritah!

Your Medical Records Aren’t Secure

I have one observation about, and one minor difference with, the very good—and very concerning—Wall Street Journal opinion piece by Deborah Peel of Patient Privacy Rights. The piece announces PPR’s “Do Not Disclose” campaign around health information, which will soon be pouring into promiscuous, government-designed “electronic medical records.”

In a January 2009 speech, President Barack Obama said that his administration wants every American to have an electronic health record by 2014, and last year’s stimulus bill allocated over $36 billion to build electronic record systems. Meanwhile, the Senate health-care bill just approved by the House of Representatives on Sunday [now signed into law] requires certain kinds of research and reporting to be done using electronic health records. Electronic records, Mr. Obama said in his 2009 speech, “will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.” But electronic medical records won’t accomplish any of these goals if patients fear sharing information with doctors because they know it isn’t private…

Describing how the Health Insurance Portability and Accoutability Act (HIPAA) undermined health privacy, Peel says, ”In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators…” Other than the quibble about whether federal law ever gave patients anything that could be genuinely called a right, this is correct and concerning.

What’s interesting is that the policy is routinely ascribed to President Bush (not only by Peel). My suspicion is that blaming President Bush props up the dream that privacy can be maintained in a system that centralizes control of health care—if only the right party is in power.

In fact, the passage of HIPAA in 1996 (under President Bill Clinton) set the course for this outcome. The fact that HIPAA privacy was undone during the Bush administration is a coincidence convenient for his ideological and political opponents. If I’m mistaken, the proof will be the reversal of the policy during the current administration. I’m not aware of any plan for that to happen.

“Electronic record systems that don’t put patients in control of data or have inadequate security create huge opportunities for the theft, misuse and sale of personal health information,” says Peel. I agree, but more importantly, I think, public policies that don’t put patients in control create the same—or at least parallel—problems.

Transferring control of health care to the federal government transfers control of health information to the federal government. The government has interests distinct from patients, and no matter how hard one fights to protect patients’ privacy interests, the government’s interests in cost control, social engineering, and such will ineluctably win out.

Public policies that restore power to patients will restore health privacy to patients. A decade or two of exploring alternatives to patient empowerment may drive the lesson home.