LAW OFFICE OF BRIAN GARVES


Home

Curriculum Vitae

Contact Info

HIPAA

Confidentiality Laws and Issues


 HIPAA: THE Y2K OF THE NEW MILLENNIUM

 

SYNOPSIS B Health Entities can scale back their fears about HIPAA and its enforcement.  While the provisions must be followed, the agency responsible for enforcement has said it will be another year before any sort of systematic enforcement is begun.  In the meantime, the government is looking to voluntary compliance as it tries to sort out HIPAA=s impact and what constitutes a violation.  What is becoming clear is that much of the HIPAA panic and expense was unnecessary and was another instance of AY2K-type hyperbole”.

 

Let me take you back to the late 1990s, right before the change of the millennium.  People were panicking under the belief that the world was going to come to a halt on the strike of midnight of January 1, 2000, because all of the computers were going to crash and our cars and appliances would stop working.  As a result, companies paid billions of dollars to Y2K experts, consultants and attorneys to become “Y2K compliant.”  The government spent billions of dollars not only to head off this impending disaster, but also to be prepared “just in case” so that there would not be widespread panic and anarchy in the streets.  People were told to stock up on water, canned goods and cash.   And what happened?  Absolutely nothing.  And now, the same thing has happened again, this time with HIPAA.

For the past several years, hospitals and doctor offices have been spending millions of hours and dollars B giving those dollars to HIPAA consultants and attorneys B getting ready for the big day, April 14, 2003, when the HIPAA patient privacy rules went into effect. Telling everyone that no one could have access to any confidential information that they did not need to see, and that agreements had to be signed by janitors, among others, to ensure that if they incidentally saw confidential information, they would not disclose it to anyone.  Just like in the days preceding Y2K, as April 14th approached, vacations were cancelled and people were put on-call for the big day, anticipating a tidal wave of patients clamoring to assert their new rights and other privacy-related problems.

And what happened?  Virtually nothing.  What has been the effect of HIPAA since it went into effect this past April?  Well, other than filling the pockets of those HIPAA consultants and attorneys, HIPAA has had little effect.  In one aspect, HIPAA has been a tremendous success: HIPAA has done a wonderful job bloating the governmental bureaucracy and spending our tax money.  But in the Real World, HIPAA has had little effect, as was recently seen during a meeting of HIPAA-related bureaucrats that took place on June 24, 2003. 

Representatives from The Centers for Medicaid and Medicare Services (CMS, or for those of you that are slow to change, HCFA), and the Office of Civil Rights (which has the job of enforcing HIPAA), gave presentations to a meeting of the National Committee on Vital and Health Statistics.   Bureaucracy Nirvana!   They spoke about how HIPAA was going and their thoughts on the future.  What they actually did was provide a chilling perspective on HIPAA.

At the meeting, one of the first questions was whether HIPAA's original purpose -- to protect employees from having their employers access their health information -- was being carried out.  Let's read the bureaucrat's actual words from the meeting transcript:

BUREAUCRAT #1:     “But if we go back to the original thinking of why we needed privacy protections, if I recall correctly, the greatest concern that the public had was that their health care information might be inappropriately accessed by their employers. And that that might jeopardize either their ability to be hired, or their ability to retain their employment.

 

“So, now that you have started to have folks issuing complaints, are the complaints primarily inappropriate access to health care information by the covered entities?  To what extent are they still showing concern about employers having inappropriate access to health care information?”

And the answer?

BUREAUCRAT #2:     “On behalf of the Subcommittee on Privacy and Confidentiality, ... to answer your question, HIPAA actually does really very little, if anything to address that problem that you referred to.”

Great.

Since HIPAA really does not address what its original intent was, the question that should be asked is: Has HIPAA had a big impact on how patients are viewing their medical information?   One committee member’s comment is telling:

“It has kind of been to me anecdotally, an eerie silence during the last two months. I am on a board of a university specialty clinic which has literally thousands of patient services a day in primary care specialty, subspecialty, and so forth at the University of South Carolina, and 600 in-patients, and trauma services, and emergency rooms, and so forth.

 

“For the first two months of the HIPAA regulations, 10 people have asked for access to their medical record, 10 people. Almost without exception, nobody has read the authorization form. They have signed it without reading it, just saying where do I sign, and sign.

 

“Maybe because of the war in Iraq or I don't know what, people aren't that interested, or maybe they aren't that interested in the great majority. But it's been very quiet . . .”  (My emphasis.)

Now be honest: Could anyone really expect anything different?  Did anyone really believe that all of a sudden there would be a change in human nature and people would start reading all of the forms that they are given?  The bottom line is that all of the hospitals, clinics and physician offices have posted Privacy Notices and are giving copies to each patient, and no one is reading them.   And, when someone wants to sign a release for their records, just like before HIPAA, they do not read them; they ask for the form and then sign it. 

Despite the fact that one of the committee members has told these bureaucrats that people are not reading the forms, his words fell on deaf ears.  As if the man had never spoken, the bureaucrats just moved on to their next issue which was: What is being done to help the patients actually be able to understand the consent and authorization forms that HIPAA requires (which no one reads).

BUREAUCRAT #3:     “What is the impact of [HIPAA] on the ability of patients to understand the information that they are being given?  There is a large body of literature that indicates that patients have never understood the content of consent forms. And consent forms are far easier than the content of the authorization forms that are appearing for institutions to comply with regulations.”

The response, by the person from the Office of Civil Rights, was that HIPAA provides for the forms to be written in “plain English.” In all seriousness, it is true that, even if the forms are not being read by the vast majority of patients, those people that do want to read it need to be able to understand it.  But, the discussion about this provides great insight into the bureaucrat world (which will never be confused with the real world):

BUREAUCRAT #4:     “I neglected to mention all of the technical assistance materials that are out there. That HRSA has actually recently published a plain English guide for how to do notices in plain English. There is also a thesaurus that takes complicated privacy words and translates them into more reader friendly or sometimes lower literacy level type of options.”

This is what our tax money is being used for: a thesaurus for privacy-related words (Help me out: Why exactly can’t Roget’s Thesaurus be used?).  In addition, our money is being used to create a plain English version of the book on how to write in plain English.   Correct me if I am wrong here, but aren’t the people who need a “plain English” version of something, the people who wouldn’t need a manual on how to write in plain English?  And aren’t the people who actually need to write in plain English, the ones that don=t need something written in plain English?  I am so confused.

But seriously . . .

In the months leading up to the April 14, 2003, implementation, all of the lawyers and high-paid consultants were using fear tactics to get people to be ready for HIPAA -- that you better be ready come April 14th, because otherwise you will be hit with huge fines.  But what has happened since April 14th?  Nothing.  No squads of jack-booted HIPAA police have come banging on doctors’ and hospitals’ doors imposing big fines.  The government and the bureaucrats did not bother to tell people that there had been no money budgeted for enforcement or that they would not be enforcing HIPAA for a while longer.  No, they let everyone panic. 

Now, check out what the representative from the Office of Civil Rights, who will be doing the enforcement, revealed at this meeting:

“Our orientation toward enforcement is really a voluntary compliance orientation.”

This bureaucrat also said:

“On April 17, the department published an interim procedural rule, which is sort of the first installment of the enforcement rule for all of administrative simplification. When it is issued in its entirety, the enforcement rule will set forth procedural and substantive requirements for the imposition of CMP, civil money penalties, for violations of the HIPAA provisions. This was issued as an interim final rule, and . . . the interim procedural rule will expire on September 16 of next year, 2004.

“In the meantime, we are working on a substantive -- we will take the comments that we have received on the procedural rule. We will rework the procedural pieces, and at the same time, we are working on a substantive rule. And as Karen mentioned, we are working on issues such as determining violations, considering aggravating factors, calculating CMPs, burden of proof during hearings, and availability of further administrative review following an administrative law judge decision.  So, all of that is in the works, and in the end it will be one integrated rule that will be issued, and certainly that needs to be done before September 2004, because this interim procedural rule will be expired by that time.”   (My Emphasis.)

Putting that in “plain English” like the bureaucrats crave, they have issued a partial interim rule but will not issue the full rule, which sets out what is a violation and what the penalties will be, until September, 2004.  She concedes that the interim rules are not complete even in terms of what is going to be determined to be a violation, whether there are aggravating factors, and what the civil money penalties will be.  Conversely, her office must also be considering what will be determined to be an “incidental disclosure” that will not be a HIPAA violation.  Absent these specific parameters, she basically confirmed that unless a violation is clear-cut and sufficient serious to even consider criminal penalties, enforcement will be sparse.

So, for those keeping score, 1) HIPAA does not really address what it was intended to address;  2) very few people care; and 3) there has yet to be a determination of what is a violation; 4) there is not a complete set of procedural rules for processing (and appealing) violation determinations; and 5) there is not going to be any real enforcement for at least another year.

With this in mind, the bottom line is, while all health entities should be voluntarily making a good faith effort to comply with HIPAA, they should not to get too bent out of shape about the whole thing as it is going to take time to get the kinks out.  In the meantime, review your processes to keep confidential information confidential and to allow only those workers who need to see the patient information have access to it.  Along with this, keep in mind that you do not have to ensure that every potential disclosure is prevented, in that “incidental disclosures” that take place are not HIPAA violations.  In other words, do your best, don’t sweat the small stuff, and just wait for the entire HIPAA bureaucracy and system to “shake out”.

(Copyright, 2003, Brian R. Garves, Law Office of Brian Garves.)

 Back Button