HIPAA is 20 years old. What has it meant for healthcare?

What has the law that promised portability, privacy and security accomplished in 20 years and where has it fallen short?

On Aug. 21, 1996 — 20 years ago Sunday — President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law.

Back when bipartisanship still occasionally happened in Washington, this law, championed by then-Sens. Edward M. Kennedy (D-Massachusetts) and Nancy Kassebaum (R-Kansas), has come to be defined by the privacy and security regulations that it enabled. Those took effect in 2002 and 2003, respectively, after the Bush administration modified rules that the Clinton administration rushed to finish before Clinton left office in January 2001.

But, as the formal name implies, HIPAA initially was known for giving people the right to “portability” of health insurance when they change jobs by limiting the ability of insurers to exclude coverage of pre-existing conditions. The complex law also led to standards for healthcare administrative transactions and a national system of provider identity codes.

HIPAA did call for a national patient identifier as well, but in 1998, Congress voted to deny the Department of Health and Human Services funding to implement a patient ID. The program still has never been funded, and the private sector has since taken it upon itself to address the issue.

So what has HIPAA accomplished in 20 years? Where has it fallen short?

With the anniversary upon us, STAT News on Friday published a series of articles commemorating this landmark law that’s so often misunderstood and misapplied. (“We can’t show you your medical records because of HIPAA” has been a common refrain, even though the statute says pretty much the opposite.)

One of the stories is a commentary from Janice Walker, Catherine Annas and Dr. Tom Delbanco, all of Beth Israel Deaconess Medical Center in Boston. Walker and Delbanco are co-founders of OpenNotes, an effort to convince physicians to give patients full access to encounter notes in their medical records.

They made the case that HIPAA laid the groundwork for better patient engagement and physician-patient communication through vehicles such as OpenNotes.

“While some states, like Massachusetts, had passed laws that protect the right of individuals to obtain copies of their medical records, such a right was not consistent across the country. In some states, you needed to file a lawsuit to see your medical records. Others required you to show ‘good cause,’” the BIDMC team wrote.

Still, HIPAA had flaws, some of which have become even more clear as the healthcare industry has transitioned from paper to electronic medical records in recent years. “What HIPAA didn’t do was make it easy to see [medical records],” Walker, Annas and Delbanco said (emphasis in original).

“HIPAA is landmark legislation that has benefited many average Americans. But it was written before anyone had fully realized the potential for electronic medical records. Its principles now need to evolve to reflect new and different demands,” they added.

Another STAT article, written as a news story by a staffer, took a consumer angle. It told a few inconvenient truths about HIPAA and patient data, including how many people and organizations legally have access to an individual’s information:

Many consumers think HIPAA ensures that hospitals can’t share patient information except with their insurance company. In reality, it only protects personally identifiable information. That means hospitals and other entities can, and do, share plenty of data about patients as long as it is de-identified and doesn’t include your name, birth date, and social security number. It can still include your diagnosis and other medical details.

As it turns out, the article notes, researchers and data miners often have better access to medical records than do the patients themselves. “That’s because, despite HIPAA’s protections, there is no standard set of steps consumers can follow to get their information from hospitals, putting them at a disadvantage compared to third parties that can get their records with relative ease and use them for their own purposes,” STAT reported.

And then there are those who obtain medical records illegally. HIPAA predates the rise in medical identity theft of recent years, and it can be “maddeningly difficult to correct” a medical record after a criminal gets healthcare under a false identity, the story noted.

HIPAA doesn’t address how to correct falsified records, according to a security professional interviewed by STAT.

It’s one of many reasons why many think the Clinton-era regulations need to be refreshed. HHS did publish what’s known as the HIPAA Omnibus rule in 2012 — as directed by the 2010 Affordable Care Act — but that hasn’t silenced all of the critics of the privacy and security rules in their current states.
