By the end of the year, the Department of Health and Human Services (HHS) is expected to unveil changes to the HIPAA Privacy Rule, which are being eagerly awaited by hospitals and physicians. According to the new rules, healthcare providers might be required to take heed of instances where patients’ health information might be disclosed to third parties for treatment and managing payments. Although advocates opine that the rule would ensure substantial consumer protection, in reality, the rule places an immense burden on hospitals and physician practices to establish new capabilities, while failing to enhance privacy for patients in a meaningful way.
The HITECH Act of 2009 introduced the scaffolding for the new “accounting of disclosures” rule expansion.
Health care professionals were required by lawmakers to
a) produce a report presenting disclosures of electronic protected health information (ePHI) for each patient dating 3 years back, and
b) make that report available to the patient upon request.
The HHS sought public feedback in May 2010 on various concerns, including
a) whether or not this rule is required, and
b) whether healthcare providers would be able to adhere to such a rule using current computer systems.
The public provided a lukewarm response. While some respondents indicated their support for the proposed rule to enforce transparency by healthcare organizations, others queried whether the gathered data would provide any transparency at all. Many healthcare providers pointed out that patients rarely sought such information, and even if they did, a basic version of the rule has been in place since 2003.
The HHS has proceeded with the expansion of the rule, despite public feedback. Not one but two new patient “rights” will be generated with the proposed rule:
a) One right would entitle patients to a full accounting of disclosures, including particulars about the date, time, and caregivers involved in making each disclosure. Most caregivers will have to compile this information manually as they lack systems and software to facilitate this.
b) The second right would make the “access report” less detailed, in order to summarize who has accessed a patient’s information. The process of compiling information could be less tedious as some systems are already equipped with this capability.
Hospitals and doctors who would be covered by this rule will have the following 3 reasons to raise an objection:
1. Compliance is not simplified by adding more options: A right to an access report has been added to enable fulfilling a patient’s inquiry in a way that is less burdensome but still HIPAA-compliant. Although the HHS believes that this would decrease regulatory impact, the additional right only adds another item to the list of functions to be implemented for those organizations that have neither the capability for automated accounting of disclosures nor automated access reporting.
2. Compliance is not rendered inexpensive by adding more options: The HHS believes that the number of patient requests for a full accounting of disclosures or for an access report will be low; therefore, the corresponding regulatory impact would be low. Doctors and IT managers who are responsible for compliance find no solace in this. IT managers are aware that, when implementing a new functionality, it is often NOT the number of requests that mainly determines the cost, but the cost of configuring one’s systems to answer the first request.
3. Privacy is not protected by adding more requirements: Because both types of reports would be retrospective, the proposed change to the HIPAA Privacy Rule does little to protect privacy. The reports would only enable patients to see which people have previously accessed ePHI. This is a matter of concern for patients because these functions are not methods for capturing, communicating, or enforcing privacy preferences in the first place.
While privacy will not be enhanced with the proposed HIPAA rule change, it will impose substantial administrative burdens, staffing burdens, and expenses onto organizations that are already weighed down by intense government regulations.
Even though health information privacy concerns many patients, enshrining it as a new set of “rights” granted by regulators who seek to expand HIPAA is an improper way to defend patient privacy.
Alternatively, hospitals and physicians should attempt to win patient trust by demonstrating good practices and including crisp-and-clear contractual commitments to ensure privacy.
The courts are well equipped to decide such contractual issues. Let us not fall for government rulemaking processes, but actually use natural market incentives to secure our privacy.