Hospitals and physician practices are waiting with bated breath for the final changes to the HIPAA Privacy Rule, which the Department of Health and Human Services (HHS) is expected to release by the end of the year. One of the new rules could require healthcare providers to keep track of the instances in which patients’ health information is shared with third parties for reasons including treatment and managing payments. Advocates argue that the rule would provide a critical consumer protection. What the rule actually creates is a substantial burden on hospitals and physician practices to establish new capabilities, while failing to enhancing privacy for patients in a meaningful way.
The scaffolding for the new “accounting of disclosures” rule expansion was introduced in 2009 in the HITECH Act—the healthcare portion of the stimulus legislation. Lawmakers indicated that they wanted to require healthcare providers to be able to generate a report showing disclosures of electronic protected health information (ePHI) for each patient going back three years, and provide that report to the patient upon request.
In May 2010, HHS requested feedback from the public on a variety of concerns, including a) the need for such a rule, and b) the ability of healthcare providers to comply with such a rule using the computer systems that they currently have in place. Interest from the public was lukewarm at best. Some respondents indicated that they support the proposed rule as a way to force healthcare organizations to be more transparent; others questioned whether the information gained would provide any transparency at all. Many healthcare providers pointed out that patients rarely, if ever, ask for this information—even though a basic version of the rule has been in place since 2003.
Despite this feedback, the Department of Health and Human Services (HHS) has, so far, moved ahead with expanding the rule. The proposed rule would create not one but two new patient “rights.” One right would be to a full accounting of disclosures, including details about the date, time, and caregivers involved in making each disclosure. Most providers currently lack a system that does this, and thus would have to compile this information manually. The other right would be to a less-detailed “access report,” which would summarize who has accessed a patient’s information. Some systems currently have this capability, so the process of compiling information potentially could be less labor-intensive, at least comparatively speaking.
Hospitals and doctors who would be subject to this rule have at least three reasons to object:
1. Adding more options doesn’t make compliance simpler. The intent of adding a right to an access report is to provide a way to satisfy a patient’s inquiry that is less burdensome but still HIPAA-compliant. HHS believes that this would lessen the regulatory impact. However, for organizations that currently have neither the capability for automated accounting of disclosures or automated access reporting, the extra right only adds another item to the list of functions to implement.
2. Adding more options doesn’t make compliance cheaper. HHS has argued that the regulatory impact would be low because the number of patient requests for either a full accounting of disclosures or for an access report will likely be low. This is no consolation for doctors and IT managers who are in charge of compliance. As IT managers know, when implementing new functionality, it is often not the number of requests that primarily determine the cost; it is the cost of configuring one’s systems to generate the first request that matters.
3. Adding more requirements doesn’t protect privacy anyway. The proposed rule change to the HIPAA Privacy Rule in fact does little to protect privacy because both types of reports would be retrospective. The reports would only show patients which people have accessed ePHI in the past. These functions are not mechanisms for capturing, communicating, or enforcing privacy preferences in the first place, which is what most patients are actually concerned with.
The proposed HIPAA rule change will not enhance privacy. What it will accomplish, though, is the imposition of substantial administrative burdens, staffing burdens, and costs onto organizations that are already struggling under the weight of intense government regulation.
Many patients are rightfully concerned about the privacy of their health information. But the proper way to protect patient privacy is not to enshrine it as a new set of “rights” granted by regulators who seek to expand HIPAA. Instead, we should let hospitals and physicians win patient trust competitively through the demonstration of good practices and through the inclusion of clearly-worded contractual commitments to ensuring privacy. The courts are well-equipped to adjudicate such contractual issues. Let’s use natural market incentives to secure our privacy, not government rule making processes.
Jared Rhoads is Director of the Center for Objective Health Policy an independent organization whose mission is to advance rational, rights-respecting solutions to health reform. The Center’s main outreach program is The Lucidicus Project, which provides free books to medical students.
Submit a guest post and be heard on social media’s leading physician voice.