S U P R A S P I N A T U S

The ball of wax started rolling when the Association of Academic Health Centers (AAHC) published this report towards the end of June. It looked at HIPAA's impact on medical research and found that the law caused more problems than it solved:

The HIPAA Privacy Rule has a negative impact on research by:

• Generating confusion and misinterpretations due to the rule’s ambiguity
• Imposing a heavy administrative burden
• Hampering research participant recruitment

AAHC findings also identified how HIPAA harms certain areas and types of research, specifically:

• Access to stored tissue and genetic datasets
• Data warehouses, CTSAs, and medical records
• Community research

More recently, Deane Waldman at Huffington Post has been on a HIPAA tirade. The piece that seems to be getting the most attention is this one from June 30 titled "Shoot HIPAA the hippo".

If you work in healthcare, the initials HIPAA make you gag. If you are not in healthcare, you are probably unaware of this 2000-pound hippopotamus that you are supporting.

I'm not sure what hippopotami have ever done to invoke Waldman's ire so, but he is clearly no fan of them or of HIPAA. "Shoot HIPAA the hippo," he concludes in the June 30 article, and then goes on with another lengthy rant about HIPAA in this July 4 piece.

Then there is a smattering of local news stories, mostly about how HIPAA is an impediment to law-abiding cops trying to locate missing persons or individual citizens airing their HIPAA anecdotes.

I'm no great fan of HIPAA. But one thing common to nearly every anti-HIPAA story is a misunderstanding of what HIPAA actually prohibits and allows.

Here's Deane Waldman, for example:

HIPAA produces defensive behaviors by both individuals and institutions to avoid governmental wrath. Examples include the following.

• Shields in your dentist's office prevent you from seeing the computer screen.
• Hospitals charts have no names on outside.
• Each year, millions of useless hours are spent doing HIPAA Compliance Training.
• I am prohibited from emailing medical information to a colleague, any colleague.
• It is impossible to be in compliance both with HIPAA and the Patriot Act.

Nameless hospital charts are one example of way overly-zealous implementation of HIPAA. HIPAA permits "incidental disclosures" of patient health information, and glimpsing a name on a chart would certainly qualify as incidental. The most that the available guidance suggests is turning the chart to the wall, if reasonable to do so. And Waldman's statement that e-mailing medical information to a colleague is prohibited by HIPAA is just plain wrong.

And this is from the story about missing persons:

Paula Thomas believes HIPAA laws are preventing investigators from confirming her missing sister, Hueytown native Pam Biggers, is a patient at a Mansfield, Ohio mental clinic. "You can't get any information no matter what the case no matter what the explanation you give them. It is against the law for them to give you information, which I understand, but it is very disheartening."

It's not a unique case. Birmingham investigators say they too have run into the HIPAA trap. Lt. Henry Irby says many unsolved missing persons cases involving mental illness could be closed with help from the medical community. "There should be a way for the medical field to let us know about a persons identity. We are law enforcement."

But HIPAA laws are clear, releasing information without a patients written consent can result in serious criminal charges. That means even if doctors want to assist police in a missing persons case, by law, they can't.

Psychiatrist Armand Schachter says HIPAA laws are repeatedly drilled into staff members at Grayson and Associates. "HIPAA is very serious, you don't want to break HIPAA willingly and repetitively because it's really against a law that's been there for 12 years. And the law was specifically designed to protect the individual patients information."

But HIPAA specifically permits disclosure of "directory information," so the only circumstance under which HIPAA would block this facility from assisting the police is if the patient specifically asked the facility not to. On the other hand, the federal Part 2 rules are very strict about what information an alcohol and substance abuse treatment facility may or may not disclose about individuals seeking treatment. Such facilities may neither confirm nor deny the presence of any patient without a specific consent. In any event, it doesn't seem that HIPAA is the cause for secrecy.

And here's a true gem:

My friend lost her job because she gave patient information to a spouse, after verifying they were living together, when in fact they were not living together.

As well she should have, and I would certainly hope for that result even if HIPAA were not law. But that would not likely be the result, which is in fact (but one reason) why we have HIPAA.

The lack of understanding, though, points up the real problem, which isn't that HIPAA's principles are bad, it's that they aren't easily understood. As a rule intended to regulate front-line workers, HIPAA is simply terrible. Even lawyers adept at handling complex regulations do not command HIPAA in its minutiae; and nurses can't haul out the regulations for a little sit down read or, even better, seek an opinion letter from hospital counsel, before answering a phone inquiry. The resultant compliance strategy? Duck the call if possible; if forced to answer, say "no." And this is indeed what they do.

Of course, one wonders what would replace HIPAA if HIPAA were to go away? Mr. Waldman and the other HIPAA naysayers may well ultimately prefer "HIPAA the docile hippo" to the firebreathing Godzilla Congress could create if it ever readdressed the issue. And recall that the first round of HIPAA regulations, promulgated by an outgoing Democratic administration, were more restrictive than the set we are dealing with today. It may well be that, in the grand scheme of things, the HIPAA you know is better than the HIPAA you don't.