Sunday, May 22, 2011

Taming HIPAA Insanity

The HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) has been around since 1996 - and it's amazing how many healthcare people still over-interpret the privacy and security regulations (and misspell it as HIPPA!). Here is the actual law and check out, a nice website which brings together many sources of info.

With respect to HIT, it focuses on Privacy and Security - and basically puts common sense into law:
* Privacy: This addresses policies - and says you can't just give personal health information (PHI) to anybody you want, such as Pharma or the local drugstore (before HIPAA, docs could actually do that legally). But importantly - it does exclude "TPO" (Treatment, Payment and Operations). In other words, there are no restrictions on healthcare organizations sharing PHI with one another as long as it involves treating a patient (or dealing with payment or other operations)!
* Security: This addresses technology - and says you should have good technology in place to make sure your IT systems are not open to the free world.   Simple enough.

So it is fascinating how many healthcare organizations still use HIPAA as an excuse for not sharing information. I can't tell you how many fights I've been in with medical record departments who say that they can't fax me a report because they don't have a "HIPAA waiver" signed by the patient - even if I ordered the test!!! Agghhh! Usually the problem is that the bigger organization scared lower-level staff with too many HIPAA emails... but the result is the same - making it harder to get the data which is needed. And while I think this scenario has improved a bit, it is still happening every day.

So I saw this Healthcare IT News article last month entitled "Five social media tips for docs worried about HIPAA" - and thought it was good to share, as it is nicely worded, and I think extends beyond social media in its relevance (my comments will be italicized):

SEATTLE – While many doctors shy away from use of the Internet because of concern over HIPAA penalties, one company is advising the physician community to not become victim to HIPAA hand-wringing and fall out of sync with their colleagues who have learned how to responsibly utilize today's most valuable online visibility tools.

Avvo, the world's largest online directory for doctors and lawyers that provides free rankings for 90 percent of the working physicians in the U.S., offers five tips for physicians who are hesitant, because of perceived HIPAA restrictions, to embrace online and social media marketing.

The company, which was founded to service the legal sector, is no stranger to the impact of regulatory issues on the healthcare industry. Avvo is now striving to help doctors, who may be missing valuable networking opportunities because of unnecessary HIPAA fears, to adopt widely accepted, HIPAA-compliant practices for tapping the Web's significant marketing and reputation building channels.

"HIPAA is a well-intentioned, but poorly implemented law that is unnecessarily scaring doctors and keeping them in an unrealistic 'technology lockdown'," explained Avvo founder and CEO Mark Britton. "Avvo sits at the vortex between law and healthcare – and we believe passionately that physicians are needlessly hand-tied by HIPAA legalities. We want every working doctor out there to know that there are many appropriate and safe channels through which they can build their profile and reputation on the Web."

Avvo, which offers free phone consultations to physicians who have questions about how to safely market their reputation on the Web, equips doctors with the following five tips for managing their career online:

1. DO: Use email, SMS and social media messaging. These are acceptable tools for making outreach to patients, the media, medical industry influencers, and other doctors. The HIPAA regulations actually encourage the use of alternative communication methods, particularly as patients express their preference for a particular mode of communication.
(HIPAA does not ban email; in fact, it encourages it... but it does say that patients have the right to tell their doctors if they don't want to be contacted by email, or phone, etc...)

2. DO: Feel free to share information with other providers. Many health professionals set up unnecessary procedures that make it harder to share patient information with other providers. If you need input from another provider, you don't have to worry about HIPAA compliance. In fact, HIPAA guidelines specifically permit the sharing of information with other providers (freely and without patient consent) for the purposes of patient treatment.
(Correct - let's use common sense for the sake of the patient!)

3. DO: Feel free to answer general patient questions - there is no HIPAA bar to providing this information. Whether it's participating in Avvo's free online Q&A or other forums on- or off-line, answering general health-related queries in a public forum will not present a HIPAA-related problem for doctors. These tools offer a powerful means for patients to take the first steps to getting the care they need.

4. DO: Keep family members in the loop. It is unwarranted to let HIPAA be an excuse for not keeping family members engaged and involved, where relevant, to provide support that is in the best interest of the patient. There is wide latitude under HIPAA to inform a patient's family members about his or her status – and this extends to liaising with family members electronically as well.
(I've been guilty of this as well... and now go back to good old common sense if I am unsure.  I will also make sure to check with certain patients as to their wishes on this - particularly new adults or the elderly.)

5. DO: Exercise common sense and reasonable practices in all instances to ensure the privacy and security of your communications with patients. This general rule of thumb applies whether the communication is by email, SMS, fax or instant message.

While Britton agrees that HIPAA has created a general "culture of paranoia" among medical practitioners and has in many ways served to logjam the essential progress of technology's role within the healthcare industry, he adds that it is just "unreasonable" for doctors not to embrace the social media revolution because of over-exaggerated fears of privacy and security violations. That level of restrictive behavior, he cautions, is "wholly impractical in today's business climate" and he advises doctors to go ahead and embrace digital tools while still preserving the health and integrity of the patient-physician relationship.