This is a big week for every U.S. medical provider. HIPAA is no longer the beast braying outside the door. Now it's pushed its way into the waiting room and the back office. This is a giant pain in the neck for providers today but ultimately will be a good thing for patients and healthcare in general.
After endless lobbying, public comment and a change of administration and direction, the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 finally are taking the stage.
What this means practically still is to be determined. For most patients, their first encounter with HIPAA, privacy notices and their rights in all of this will take place when they next interact with a doctor, the hospital or pharmacy. Undoubtedly, there will be plenty of confusion, as there is with any new right. And those who dare look at an actual medical record will be baffled, not understanding either the language or the uses to which the information is put.
In time, this process will smooth out quite a bit, as more people become accustomed to having to approve the use of their medical information. For some it won't be quite so novel. As reporter John Morrissey details in this issue (p. 4), some or most of the rights spelled out in the new HIPAA privacy rules are available to patients in many parts of the country through existing state laws.
The worries of some about problems with getting prescriptions filled and insurance claims paid seem exaggerated. In any case, the need for those rules is obvious. Anyone who has stood at a pharmacy counter and been asked out loud which drug he or she is taking, or had a personnel manager in an office lobby ask how a medical problem is going will welcome additional privacy.
Undoubtedly, there will be hospitals and doctors who take the restrictions too far. Already there are reports of doctors saying they won't call to remind patients of an appointment, even if they don't specify what the appointment is for. Some patient forms may be poorly written and legalistic, making it hard for the average patient to understand. Much like other new laws, this one will take some getting used to, but common sense will prevail.
There will be civil and criminal complaints pressed, and plenty of private lawsuits filed. Some of the suits will have to do with the use of private information by drug vendors, which still is allowed under this law as long as the patient signs the standard consent forms. Compared with the rampant misuse of private medical information that has gone on pre-HIPAA, we'll take this one mistake in the law.
This HIPAA does have some sharp teeth: Civil and criminal penalties ranging from $50,000 to $250,000 in fines and one to 10 years in prison will be levied by HHS' civil rights division and the U.S. Justice Department if patient information is used for "commercial advantage, personal gain or malicious harm."
It also must be remembered that this is far from the end of new HIPAA regulations. Requirements for computerized insurance transactions take effect in October, and in coming years security regulations governing access to electronic medical records and the appointment of security officers at every medical practice will come online.
Conforming to these new regulations will cost the private and public sectors an estimated $22 billion in the coming years. It seems a small price to pay for making personal healthcare information available only on a need-to-know basis.
What do you think? Write us with your comments. Via e-mail, it's [email protected]; by fax, dial 312-280-3183.