Tuesday, June 11, 2013

HIP HIP HIPAA HOORAY! Where's My Medical Privacy?

And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets. 
   *       *        *
Today, I"m ranting about medical privacy (now gone) and electronic medical records over on KevinMD.  The link is HERE.  Did you know that hospitals now send your medical information to the state (at least in our state), whether you want that or not? 

And while you're reading about privacy, there's a terrific article in the Wall Street Journal called Families of Violent Patients: We're Locked out of Care.

Okay, I'm going to make a confession here.  I have no idea what HIPAA is.  I don't know, I don't care.  My practice is small enough that I don't have to give out privacy notices, and I confine my "HIPAA" comments to "I don't release information without your permission."  I also note that I do release information in case of an emergency and that the state has requirements about the reporting of child abuse.  But from my take on it, HIPAA is not about who doesn't get your information, it's a long list of who DOES get your information, like it or not.  When I go to the doctor, I often cross out some of the listed entities, and tell them I don't want my information released.  But no one reads these things so it's just about making me feel like I have some control.  We all like those delusions.

Before HIPAA, doctors were not allowed to release your medical information without your permission.   There was this guy, way back when, named Hippocrates who had something to say on the matter.  Psychiatrists never did talk about your care without your permission, I remember this from before HIPAA.  

Regarding the Wall Street Journal article -- the implication here is that suddenly HIPAA prevents families from getting information about patients against their will.  I sometimes wonder if there is a reason the hospital/doctor/etc aren't plugging harder to talk with the family.  In the case of a violent patient, no doctor wants to see their patient hurt someone or die, and it's hard to imagine that if it were crucial to to share this information, a psychiatrist wouldn't say, "Listen, I can't treat you if you won't let me include your family."  The slant of the article assumes that the patient is always the sick one and that the family is well and harboring nothing but good intentions.  Perhaps the family has been intrusive, or the patient is really adamant.  Do we really want to tell a psychiatrist our private thoughts knowing they will repeat them to our family members whom we don't want to know them?  There are times when a really psychotic person won't allow communication because in the past, the family has insisted he take medication or go to treatment he didn't like, but which helped him anyway, and perhaps that was the right course of action.  But there are also times when families make the situation worse.  I don't think the issue is HIPAA, but I do imagine that part of it is that hospital staff don't have the time to work with patients and their families to help everyone come to a place where families know how to be helpful without being intrusive, and patients can feel more comfortable and respected.  These things take time (sometimes a lot of time) and if you're fighting with insurance companies for an extra day, and spending your time entering data into the computer, when a patient says "No, don't talk to my family,"  the doctor may just say "HIPAA, I can't," without exploring whether that makes sense or if there is a way the patient might allow communication about some aspects of care.  And finally, there is nothing about HIPAA that prevents family members from giving crucial information to a doctor.    

Okay, I've ranted for today.


Anonymous said...

Wow, and not a word about Ed Snowdon, the NSA (my next door neighbor here at Perkins), Verizon data collection, or the national security exception to HIPAA. I wish the state was the only government entity interested in my data (and only in my health care data)!


jesse said...

So as I was thinking about how to respond to Dinah's completely valid objections and concerns, I was simultaneously watching the BBC'c Laura Trevelyan present a piece about a French town in which Jewish children were protected from the Nazis, no one at all breathing a word of who they were or what their background.

Imagine if there had been HIPAA then; certainly there is information no one can keep out of a medical record. For more personal information alert the doctor in advance that there is something you wish to be confidential, and be sure he or she is not typing at the time...

Dinah said...

So Jesse, when you tell your doctor, "I don't want you to enter into the medical record that I take Viagra, or that I take Xanax, or that I take Seroquel, because I don't really want the curious residents I supervise to know this," how should the doctor respond? If there is an electronic medical record in place for an institution, can a patient really request that actual medical information not be added? And if the doctor is uncomfortable with this, must he comply with the patient's wishes? It's one thing to ask, "please don't record that I'm having an affair."

I don't have an answer to this. Apparently information can be marked as 'sensitive' in the new system and then limited to the department, but not the medication list or the problem list.

jesse said...

Dinah, of course certain medical information must be in the record, but some does not have to be. For instance, if in your history there was something you did/tried/etc when in college you might not want it in a record that is so easily obtained. You cannot stop the doctor from entering it into the record once you tell it to him, but you can have a discussion about it before you divulge it and then possibly decide not to do so. Obviously this depends on a number of circumstances and I am not suggesting that something potentially important be left out, only that some discussion is possible.

In our field there is a lot of information we hear that we would never put in a record. Psychiatric histories and records once contained much more than medications/procedures, but because they never were completely private most psychiatrists are extremely discreet when it comes o recording certain things. As they should be.

So I agree completely with you.

Dinah said...

Jesse said "Of course certain medical information must be in the record." So the patient has no right to withhold the fact that they are on viagra, seroquel, and xanax from the dermatologist? Or from some curious bypasser who violates your privacy by looking at a chart accessible to thousands? Or from the state of Maryland? When the chart was paper and in my doctor's office, I didn't have to worry about who looked at it.

You think there aren't doctors who look at their spouse's electronic record trying to be helpful? What if the spouse had an abortion she hadn't mentioned in the past, or he got syphillis from a prostitute. And people may tell their doctor spouse it's fine if they look -- check my labs, check my brain scan, totally forgetting that they told a gynecologist 10 years ago that they had once upon a time given a baby up for adoption as a teenager. An electronic record doesn't forget and doesn't allow you to have a private conversation with your doctor.

jesse said...

@Dinah, I'm completely in agreement to you. My comments were just suggestions on how a patient might try to handle this. Your points are excellent.

Anonymous said...

If anyone thinks that their PRIVATE HEALTH INFORMATION IS PRIVATE.....they're nuts!!!

Western New York has a program called HEALTHeLINK. My husband and I both opted out and sent consent denials to all of our physicians. We have refused to allow any access to our records, even in the event of a medical emergency.

I am absolutely unconvinced the private health information is not used and abused in a variety of settings.

Medical and nursing students are given access to your medical information if they do a rotation at a medical group. You are required to sign a release before you are accepted as a patient and if you don't you will be discharged. If you sign the release and then decide at a later date to rescind the consent, you'll be discharged. I know...it happened to me.

Unless and until there is a "revolt" by healthcare consumers (and note I don't refer to myself as a patient...I have no patience!)
we will continue to be abused by arrogant and dismissive doctors, University-sponsored medical practices, hospitals and other healthcare providers.

Medical consumers MUST take back control over who and for what reason their health information is being diseminated. No information should ever be released with out the persons WRITTEN AUTHORIZATION.

Lindz0123 said...

I agree! Does anyone know of a group of people protesting the complete lack of privacy in electronic medical records? Or do we need to start one?

Zoe Brain said...

Medical records are a really, really difficult area to work in, from a database viewpoint.
Each individual field must have its own security level. From "entering physician's eyes only" through to "any authorised viewer", and many points in between.

In fact, implementations usually don't do this, or make any attempt. The data, once in, is visible to anyone with access to the system. There's no "Need to Know" restrictions attached, no compartmentalisation, no security level.

Need To Know - the viewer must have demonstrated that they , well, need to know this info.

Compartmentalisation - might be research, treatment, statistics (anonymised) each giving access to a different subset of the info.

Level - patient permission to reveal withheld, etc etc.

All your concerns are valid.

Dinah said...

Zoe Brain --
Thank you for your message last week. That was so very nice. I very much appreciate the support...

Anonymous said...

The strange thing about HIPAA (Health Insurance Portability and Accountability Act) is that the law was in fact not related to privacy at all when first written. It was created to address "portability" of policies - basically to prevent insurers from having pre-existing waiting periods for all new members. Most of the privacy elements were tacked on later and they continue to be tacked onto today.

As with pretty much every federal document ever produced (ever try reading the Affordable Care Act?), what HIPAA actually requires is very complex - so complex that there are many people making a living as lawyers and privacy coordinators trying to interpret the law. Many people are so confused they just refuse release of ALL information to avoid a HIPAA violation. I think that is at play to a large degree in staff's reluctance to involve families.

By the way Dinah - if a spouse is looking at electronic records that person is opening themselves up to prosecution and fines as it's a HIPAA violation. That's a pretty clear one despite their good intent.

Dinah said...

A spouse looking at medical records without permission is subject to prosecution if they do so without permission and GET CAUGHT. I want the authorization to be in advance.

The patient might well give permission for her doctor spouse to look at her records/check labs/ get the name of that medicine she used to be on that she had that rash with. Medical records have easy access, no erasability, no ability to screen. So the podiatrist does know that you were treated for vaginismus, whether you want that or not. I've had a physician patient decide that the orthopedist friend seeing her for a sports injury doesn't need to know she takes an SSRI. Electronic medical records take away your right to withhold that information, even if it was years ago.

So spouse says, honey look that up for me, the doctor isn't calling me back and I want to know. Spouse totally forgets in the angst of the brain scan that 12 years ago she was treated for an STD. Oops. Not a violation, she gave permission, but you have to know that if you share anything with one health care provider, it gets shared with all of them, as well as students/etc on an inpatient unit, and any curious soul (like that other cute doc who gave her that STD) who is willing to risk getting caught, is also welcome to see your records. And they go to the state, like it or not, to be made accessible to other medical institution unless you proactively go into the system and tell them not to release your information (the state still gets it, you can't opt out of that).

Sarebear said...

I found out last fall that, in our state, Medicaid recipients were being automatically opted IN to the state EMR. I was upset, and got rather agitated in my post about it, so I stepped back to revisit the issue another time, which I haven't done yet.

I know there's a whole slew of other issues with my situation (the rights of publicly funded program recipients vs. the rights of the people/state funding said program/recipients) than what you mention here, but privacy is a big one. (I found a quote or two by some state legislator on this issue that seem positively Neanderthal to me, seem positively as though public assistance recipients are less than other people, etc. and that is part of what really upset me).

Being forced to opt in is another (as it seems is kinda being done in your state with hospitals automatically sending info to the state?).

There was discussion in our state apparently about not giving an option for Medicaid recipients to opt out of this, but that @#$@ legislator with the awful quote(s) wasn't allowed to rule the day, thank goodness. I believe they are going to revisit the issue soon, but it's been too upsetting for me to revisit yet. I will, though.