By Andrew K. Burger CRM Buyer Part of the ECT News Network
05/31/08 4:00 AM PT
If some people think health privacy protections don't go far enough while others think they're too restrictive, does that mean the government got it right? Probably not, but the experts agree they're a step in the right direction. Now it's time for some fine tuning.
Part 1 of this two-part series outlined concerns about the privacy of personal health information more than five years after the medical and health care organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) were required to comply with its Privacy Rule. Part 2 examines some of the myths and misconceptions surrounding HIPAA, as well as the ramifications of the act and its effectiveness.
One of the common myths surrounding HIPAA is that it is not a privacy law at all, and that it weakened rather than strengthened individuals' rights to health information privacy.
That's not the case at all, according to Deven McGraw, recently appointed director of the Center for Democracy & Technology's Health Privacy Project.
"This is completely unfounded. Before the HIPAA Privacy Rule was enacted, there were no federal standards protecting the privacy and security of health information. Unless they were specifically limited by any applicable state law, doctors and hospitals who handled personal health information could do anything they wanted with it, subject to whatever consent form the patient signed.
"The Privacy Rule, which is based on fair information practices, allows information to be used by health care providers and plans for treatment, payment and health care operations -- but it also sets specific limits on other uses of information, including use of information for commercial purposes like marketing," McGraw told CRM Buyer.
All We Need?
The other common myth about the HIPAA privacy rules is that they are sufficient to protect individuals' health information in the digital age, at a time when personal health information is flowing farther and wider among a diverse range of medical and health care organizations, as well as third-party service providers.
Again, this is definitely not the case, McGraw continued. "We need to build on the protections already in HIPAA in order to respond to the increasing liquidity of sensitive, personal health information in the new e-health environment.
"There is a role for Congress to play -- but Congress should not attempt to legislate it all through a one-size-fits-all approach. The environment is rapidly evolving, and regulations that are more tailored to particular roles and contexts will be needed in order to best protect consumers and allow sufficient room for innovation. And, as I noted before, some of the protections may be best implemented through business best practices."
Gaps in Coverage
"The HIPAA statute itself says almost nothing about privacy -- it essentially says that there need to be rules developed for patient privacy," points out Kirk J. Nahra, who specializes in privacy issues as an attorney for Wiley Rein in Washington, D.C.
"The major impact of the statute was to restrict the 'covered entities' to whom the rule applies. Therefore, the HIPAA Privacy rule is not an overall rule protecting medical information, but instead is a rule that provides certain protections when health information is held by certain people," Nahra told CRM Buyer.
There are gaps in HIPAA's privacy coverage, however, Nahra concurred. Both he and CDT's McGraw noted that a growing number of organizations not covered by HIPAA regularly access and work with protected health information (PHI), a trend that will only accelerate as medical and health care information is digitized and shared across networks, and as administrative and customer support services continue to be outsourced.
"The primary 'gap' from the rule is that there are large numbers of entities that have lots of health care information about individuals who are not in fact covered at all by the HIPAA rules. This is becoming especially noticeable in connection with the development of electronic medical records and personal health records," Nahra stated.
Privacy, Health and the Internet
HIPAA's Privacy Rule "doesn't have anything to do with Web sites specifically, or any impact is only incidental," Nahra noted. "Moreover ... many health care Web sites are operated by entities who are not subject to the HIPAA rules."
In addition, many offshore companies work with members of the pharmaceutical, insurance and medical industries and as a result regularly handle PHI. DOW Networks, for example, provides VoIP (voice over Internet protocol) customer service and call center systems for pharmaceutical industry clinical and psychological tests, as well as medical transcription and translation services and CRM centers for X-ray technicians and centers that field follow-up questions for doctors' private practices.
As a VoIP provider, DOW treats HIPAA call center traffic much as it treats credit card and other financial network traffic subject to privacy regulations, protecting it with a VPN (Virtual Private Network) or similar technology, James Wilson, DOW Networks' vice president for direct sales, told CRM Buyer.
"The U.S.-based companies will set up a very rigid SOP (Standard Operating Procedure) to be 100 percent compliant with all HIPAA regulations, all of the time. They will also pay for a very tough audit bi-yearly and surprise audits to the call center.
"Many or most offshore call centers are not told they are following HIPAA guidelines, or think these audits are actually making their call center HIPAA certified. Call centers in the U.S.A. who are HIPAA certified receive a premium for that certificate; they very much know they are HIPAA certified," Wilson commented.
Expert Recommendations
So is there some consensus view of HIPAA's effectiveness and practicality when it comes to realizing the aims of better protecting the privacy of PHI while not encumbering medical and health care industry practices and research?
"In order to answer this question, you have to have an agreement on what the underlying objectives are. There isn't really any such agreement, other than to provide 'appropriate' privacy protection," Nahra commented.
"There are lots of complaints that the rule is not sufficiently protective of patient privacy, and other complaints that the rule is overly restrictive. Maybe one can conclude that if there are complaints from all directions, that the rule in fact strikes the right balance. The rule clearly has had a significant protection on increasing awareness of the need to provide appropriate protections for patient information."
Meanwhile, the CDT continues to advocate and lobby for further progress and revisions. Earlier this month, the Health Privacy Project released Version 1.0 of its "Comprehensive Privacy and Security: Critical for Health Information Technology."
There are a number of incremental steps that can be taken to build on HIPAA's existing protections, according to McGraw, including "tightening the definition of 'marketing' in the HIPAA Privacy Rule to ensure that identifiable health information cannot be used for marketing purposes without consumer consent."
The Health Privacy Project is also advocating for the following:
Having the Department of Health and Human Services (HHS) and the Federal Trade Commission develop recommendations for privacy and security protections for personal health records, particularly those offered by entities that are not part of the health care system;
Establishing standards for notification in the event of a breach;
Requiring HHS to report annually to Congress on enforcement of the HIPAA Privacy Rule;
Requiring HHS to develop a model one-page summary privacy notice that is easier for consumers to read and understand, one that would supplement, but not replace, the more detailed notice that health providers and plans covered by the rule are required to provide.