Future Forecast: HIPAA

Introduction:

Recently I received a notice from my health care company regarding changes to its privacy practices, which took effect on April 14, 2003. Those changes were made according to the new federal regulation called the Health Insurance Portability and Accountability Act (HIPAA). In that notice, the company listed the situations in which protected health information may be used and disclosed, such as for payment purposes or by health care providers in connection with their treatment activities. With the notice in mind, I explored the privacy and security issues surrounding health information, and the influence of HIPAA on them.

With the development of electronic medical records and the linking of clinical databases, concerns regarding the privacy and security of health information are growing, especially for sensitive information such as HIV status, psychiatric records, and genetic information stored in medical records. Prior to automation, health information was accessible only from central locations, and it was hard to transfer or copy a large volume of records. Computer networks, however, have changed this situation dramatically: data can be copied easily and are accessible from multiple points of access. Additional security concerns derive from the pervasive use of the World Wide Web. Although a Web-based interface for retrieving data can be controlled by a permission system, assurance that the intended limits are indeed enforced is difficult to achieve. Nor is it necessarily possible to determine what a user intends to do with the information retrieved, and therefore whether the user is a threat to patient privacy.

Individuals assume that they have the right to keep information about their health private, yet most would agree that health care providers need access to relevant facts about a patient's history, test results, allergies, symptoms, and response to therapy in order to provide advice and make decisions that are in the best interests of the patient's health. Others, such as researchers, health insurers, life insurance companies, employers, and marketers of health products, all have needs to access some types of health care information. Health insurers, for instance, seek to combat the rising costs of care by using large amounts of patient data to judge the appropriateness of medical procedures. To strike a balance between access to and privacy of personal information, regulations need to be established that serve both purposes.

Background:

HIPAA is the first comprehensive federal law that applies to all Americans and addresses the privacy and security of personal health information. It was signed into law on August 21, 1996, and aimed at reforming health care while recognizing the health care industry's increased use of and reliance on electronic technology. The regulations regarding privacy and security fall under the administrative simplification section, which was designed to simplify the administration of health insurance by recognizing the efficiencies and cost savings that technology makes possible. HIPAA focuses on two main areas:

  • Improving the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for certain administrative and financial transactions.
  • Protecting the security and confidentiality of personal health information.

This law and its accompanying regulations, developed by the Department of Health and Human Services (DHHS), apply to healthcare clearinghouses, health plans and providers. All forms of personal health information are covered, including paper, electronic or oral communications. The major requirements are as follows:

  • Privacy Standards:
    • Management and control of protected health information, including when a medical practice can use or disclose healthcare information without patient authorization, business associate compliance with HIPAA, and the circumstances under which a medical practice must obtain written authorization prior to using or disclosing personal health information.
    • Patient rights, including allowing access to information in the medical record for inspection or copying, the right to restrict certain uses and disclosures of personal health information, a physician's duty to provide written notice of information uses, and the right to amend or correct protected health information.
    • Appointing a privacy officer to document, implement and oversee the privacy and security policies and procedures of the practice, including the administrative requirements of training and enforcement vital to practice compliance.
  • Security Standard: The proposed HIPAA security rules were published in August 1998, but the final rules have yet to be published. The requirements can be divided into four categories:
    • Administrative Procedures: Documented, formal practices to manage the selection and implementation of security measures.
    • Physical Safeguards: Protection of physical computer systems and paper medical records from unauthorized access, intrusion and damage.
    • Technical Security Services: Processes to protect, control and monitor information access.
    • Technical Security Mechanisms: Processes to prevent unauthorized access to data transmitted over communications networks.

Current Status and Challenges:

The empowerment of patients to control their medical records and to become better informed, and the enrichment of their ways to communicate with physicians, will bring profound challenges to the current patient-physician relationship.

One study by the Institute of Medicine estimates that as many as 98,000 people die in any given year from medical errors that occur in hospitals. That's more than die from motor vehicle accidents, breast cancer, or AIDS, three causes that receive far more public attention. The study suggests that many medical mistakes result from inadequate data transfer among physicians and from laboratories to physicians. Just imagine how many lawsuits will be filed if patients or their relatives find out about such errors! Will this trend toward more informed patients put physicians in a more disadvantageous position, or, on the contrary, can better informed patients help physicians form more correct analyses, thus reducing such medical errors?

There are already many software vendors in the electronic medical record (EMR) business. However, they all face the same problem: convincing physicians to use the system. Dr. Rick Peters, the founder of iTrust, admits that physicians are never going to be faster on a computer than they are at dictating and handwriting. Even if the EMR takes only 90 seconds, with the average patient visit being 10 minutes, that is a 15% decrease in productivity, says Dr. Jeremy Nobel, a professor at Harvard School of Public Health and cofounder of NaviMedix. No doctor or provider would tolerate that, he says, so the issue becomes one of giving back value in other areas.

Another issue is cost. Building a widely available, yet highly reliable and secure EMR network requires advanced technology, equipment and highly skilled people. Even after the network is built, it will require ongoing maintenance and a continuous fight against intruders. If HIPAA's intention is to increase efficiency by going online and to reduce cost through less paperwork, whether that will actually be the case remains a big question. One example: in the early days of the Internet, people were enchanted by the idea of the paperless office, achieved by putting documents in electronic form. It turned out, however, that paper usage increased instead of decreasing, because people tend to print online documents and read them offline.

Future Forecast:

The patient-physician relationship will change. Strong privacy policies and procedures may make it harder for physicians or other employees to access medical information, but they provide patients with trust, and with trust comes willingness to share information. A heightened awareness of current privacy issues provides an opportunity to reinforce the commitment to respecting privacy that medical providers have toward their patients. Practice employees who interact with patients can be better prepared to answer patient questions about the privacy and security measures implemented by the practice.

On the security side, an IT security plan should be established according to the level of digital technology used in a practice. For instance, all workstations where patient information is displayed should be situated so that only authorized practice personnel are able to view the screen. All products and services that use the Internet to transmit patient information, and all browsers used in the practice, should support 128-bit encryption. Most important of all, management needs to ensure that the practice actively adheres to the privacy and security policies and procedures established under the HIPAA regulations.
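As an added illustration of the plan's 128-bit encryption requirement (example code written for this page, not part of the original essay or of any HIPAA guidance), the following Python snippet builds a client TLS context with the standard ssl module and checks that every cipher suite the context would offer has at least 128 bits of strength. The policy threshold, the helper names and the sample cipher table are assumptions constructed for illustration.

```python
"""Added example (not from the original essay): check the "128-bit
encryption" requirement of a practice's IT security plan against a
client TLS configuration, using only Python's standard ssl module.

Assumptions (constructed for illustration): the 128-bit threshold,
the helper names below, and the SAMPLE_CIPHERS table."""
import ssl

MIN_STRENGTH_BITS = 128  # policy threshold taken from the essay's security plan


def build_policy_context(min_bits: int = MIN_STRENGTH_BITS) -> ssl.SSLContext:
    """Client context that refuses legacy protocol versions and verifies servers.

    TLS 1.2 is used as the floor because earlier versions are deprecated;
    certificate verification stays on (the default for create_default_context).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_ciphers(cipher_table, min_bits: int = MIN_STRENGTH_BITS):
    """Return the names of cipher suites whose effective strength is below min_bits.

    cipher_table has the shape returned by SSLContext.get_ciphers():
    a list of dicts with at least the keys 'name' and 'strength_bits'.
    """
    return [c["name"] for c in cipher_table if c.get("strength_bits", 0) < min_bits]


def context_meets_policy(ctx: ssl.SSLContext, min_bits: int = MIN_STRENGTH_BITS) -> bool:
    """True when every cipher suite the context would offer is at least min_bits strong."""
    return not weak_ciphers(ctx.get_ciphers(), min_bits)


# Constructed sample table (same shape as get_ciphers(); values are illustrative).
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},   # below the 128-bit policy floor
    {"name": "RC4-MD5", "strength_bits": 128},        # meets the bit count but is a broken cipher
]

if __name__ == "__main__":
    print("suites in the sample table below 128 bits:", weak_ciphers(SAMPLE_CIPHERS))
    print("default client context meets the 128-bit policy:",
          context_meets_policy(build_policy_context()))
```

The sample table deliberately includes RC4-MD5 at 128 bits: a key-length check is the minimum the essay's plan asks for, but it is not sufficient on its own, so the real context built by build_policy_context() relies on Python's default cipher selection (which already excludes RC4 and MD5 suites) rather than on bit count alone.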

Resources:
What is HIPAA?
The Electronic Medical Record
