The Health Insurance Portability and Accountability Act (HIPAA) was endorsed by Congress in 1996 and was the last significant legislative legacy of Senator Ted Kennedy. It is enforced by the Office for Civil Rights and mandates nationally recognized regulations for use and/or disclosure of an individual's health information by a “covered entity”. Such an entity is a health plan, healthcare clearinghouse or healthcare provider. The benefits for patients, and potentially all 310,000,000 Americans and an unknown number of undocumented immigrants who are patients, are mandatory control over their personal information, minimized inappropriate disclosure, a mechanism to investigate breaches, and accountability for violators through civil or criminal penalties. Patients also benefit because limitations were placed on denial of coverage for pre-existing conditions and because the act eases transfer of coverage to new geographic or employment locations. By this accounting, HIPAA is a federal government regulation enacted for the public's benefit with no bias as to race, income, religion, sex or sexual preference. Unless, however, you are one of those “covered entities”.
HIPAA compliance is not like driving above posted speeds, providing alcoholic beverages to minors, or charging usurious interest rates. Compliance involves educating the entire workforce of the healthcare industry, which generates 17% of Gross Domestic Product, with the knowledge, materials and oversight to comply with the arcane jargon of a hundred pages of legislative statute-speak. The American Hospital Association estimated that the average cost of HIPAA training for each employee was $16, in addition to the substantial costs of printing a multipage rights form for every patient and displaying appropriate signage in every patient care area. Additionally, “covered entities” must keep a record of which patients received notices and often have to rebuild and redesign waiting rooms and registration units to ensure greater privacy. The Ponemon Institute surveyed 600 healthcare professionals representative of the spectrum of care providers and administrators in 2013. Their estimate was that HIPAA-related outdated technology and rules cost US hospitals over $8 billion each and every year, a fixed new line on the cost sheet. The above are hospital costs; no one has an accurate estimate of costs for doctors', dentists' and other providers' private offices. Moreover, for physicians, HIPAA compliance reduces the time available for patient care, makes access to electronic patient information more difficult (despite mandates of the Affordable Care Act) and restricts use of electronic communication. As is so often the case in the practice of medicine, no good deed goes unpunished. We practice as a calling, and have to, given that insurers and the government continue to attack our reimbursement structure despite requiring more non-remunerative activity. HIPAA should serve as a reminder, to both patients and physicians, of the unintended consequences of well-intentioned laws and of the destination to which the road paved with such intentions leads.
By Norman Silverman, MD, with Ryan McKennon, DO and Ren Carlton