HIPAA Privacy Laws and the Legal Aspects - Coursework Example

HIPAA Privacy Laws and the Legal Aspects The primary goals of the HIPAA act are contained in its it was intended to protect privacy while insuring portability of medical records. This paper will deal with the privacy laws for healthcare records—the intentions of the lawmakers in promulgating HIPAA—and how they have worked in practice. HIPAA stands for the “Health Insurance Portability and Accountability Act.” It was intended, as stated in the preamble, To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. (CMS) In practice, HIPAA required hospitals and physicians’ offices to provide access of medical records to patients and their physicians, whether or not those physicians are a member of the hospitals’ network. If these records are digital (an important condition), then HIPAA laws apply. If the records are analogue (i.e. written in longhand, or with a manual typewriter), then most of the HIPAA provisions did not apply, with the exception of the requirement to make the records available to the patient upon request within a certain period of time. The HIPAA laws attempted to solve several problems: keep the healthcare records away from insurance companies that may use them to make decisions on whether or not to cover potential insurees, and to prevent employers or prospective employers from having access to records in order to exclude certain pre-existing health conditions. The HIPAA laws had a perhaps unintended effect: to take away the stranglehold that physicians and especially hospitals had on patients’ records, which were (and continue to be) a way to keep the patient within the hospital’s healthcare provision, and therefore not to lose prospective future revenues from that patient. Up until the time of HIPAA’s passage, hospitals and physicians could make it difficult or impossible to transfer records to another hospital or physician. Essentially, the hospitals’ argument was that they were the rightful owner of the patient’s records. HIPAA defined the patients’ records as clearly the property of the patient. In practice, it has proven more difficult to implement HIPAA than first thought. Most hospitals have a plethora of different kinds of software, which make it difficult to find and share records. Although a hospital may be able to produce hard-paper copies to fulfill a patient request, they are still unable in many cases to provide a standard digital record for all the facets of a patient’s stay. The reason is that, despite common HL-7 and other protocols, many hospital systems do not interact with one another (NeoTool). If a patient has an MRI image produced by a GE machine, and a cardiac catheterization image produced by a Philips machine, both must be stored and read in different formats (despite the attempts to make manufacturers focus on a single DICOM 3 standard (NEMA)). If one desires, for example, to pull together a set of patient records which includes several different kinds of images, physicians’ diagnoses and test ordering, laboratory results and billing records, the hospital may be forced to resort to three to five different kinds of files in order to produce the requested files. For those portions that are (still) recorded by hand, the hospital must find the paper copy and reproduce it in order to complete the file. In one area, the HIPAA requirements have led to improvements in service: guarding the privacy of patient’s records. Prior to 1996, physicians, staff and others in hospitals could have free and unfettered access to patient records. There were few criminal consequences for those who chose to disseminate patients’ health records. One of the reasons that HIPAA was passed at the time that it was is that there was a growing political concern that, with the rapid digitization of patient records, it would become much easier to access or disseminate patient records; this has been largely prevented by the hospitals’ efforts to conform to the law. (Root). HIPAA has created several problems for legitimate use of patient records: examining hospital procedures and operations, and conducting medical research. If, for example, a hospital administrator would like to group patient records in a way which allows him or her to understand the efficiency or patient outcomes, HIPAA could be interpreted in a way which forbids such aggregation. In order to remove some of this constraint, the HHS administration, under Secretary Tommy Thompson, decided in 2004 that such aggregation could be allowed. This was challenged in court by Tedd Koren, in a class action suit naming 750,000 affected patients (Dynamic). While it is not yet known what the outcome of this and other suits will be, it is likely that hospitals will be able to continue to aggregate data, as long as the patients’ ID’s are protected from individual identification. A similar problem has occurred with medical research. One clinically-useful method of clinical research is to retrospectively analyze patient records for trends in diseases and treatments. As with studying hospital efficiency, aggregating such records can pose HIPAA problems, which must be overcome through safeguards. HIPAA’s reduction to practice has resulted in pros and cons. On the positive side, it has created an awareness within hospitals of the need to safeguard patients’ data. It has also made it possible for patients to make choices about their healthcare provider, in particular, making it easier for patients to move from one healthcare provider to another with less difficulty in obtaining their medical records. On the negative side, HIPAA has gone only halfway. By not mandating a longer-term move to standardized record-keeping and digitization, it has left hospitals and physicians’ offices with the current hodge-podge of different operating systems and non-standardized communications media. Whereas the rest of industry and consumer markets have accepted internet protocols, Microsoft or Linux, and a series of additional standard protocols to store and communicate information, the hospital and its staff have remained in balkanized groups. The result is that, in attempting to meet HIPAA requirements, hospitals are forced to produce paper (and film) records which cannot be digitally communicated to other health care institutions. Physicians who do not have easy networked access to patients’ records are still therefore obligated to rerun tests or make educated guesses about work that has been done previously. In order to provide longer-term privacy and portability, hospitals and physicians must redouble their efforts to increase interoperability of their software systems, and provide a more unified database which is easier to share with patients and other healthcare institutions. Thus the promise of “Portability,” which was a key part of the HIPAA act, has some room for improvement. Bibliography CMS. "HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT." 2007. CMS. 9 December 2007 . Dynamic. "HIPAA Runs Into Legal Trouble Lawsuit Challenges Patient Privacy Regulations." Dynamic Chiropractic 29 January 2004: n.p. NEMA. "DICOM 3." 2007. NEMA. 9 December 2007 . NeoTool. "HL7 and HIPAA: What you need to know." 2007. NeoTool. 9 December 2007 . Root, J. Field Guide to HIPAA Implementation (Field Guide to Hipaa Implementation). Washington: American Medical Association, 2004. Read More