Healthcare Training Institute - Quality Education since 1979
CE for Psychologist, Social Worker, Counselor, & MFT!!
Patients have long been concerned about the privacy of their health care information. "How private is 'private'?" is a question that echoes through the minds of patients every time they receive a stigmatizing diagnosis such as cancer, a sexually transmitted disease (STD), alcohol or drug dependency, a mental or emotional health problem, or trauma symptoms related to a personal and private experience. Federal regulations for health care providers that went into effect in April 2003 are touted as improving or ensuring the privacy of an individual's personal health information, but do they? We think not.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) is a multitiered, comprehensive, convoluted, and controversial federal law for sweeping health care reform. Although HIPAA is dramatically broader in scope than privacy protections for health care information, a provision for privacy in the form of a Privacy Rule is included in Title II of HIPAA under the Administrative Simplification regulations; this regulation has created widespread controversy, as well it should, juxtaposed with both civil liberties and the tenets of our profession s ethical code.
In preparation for the Privacy Rule compliance date in April 2003, executives of covered entities (CEs), which include health plans, health care clearinghouses, and health care providers, were involuntarily plunged into a mire of federal definitions, acronyms, regulations, and procedures that spiked the jargon meter. A veritable compliance melee erupted as a result of struggles to comply with the letter of the law in the face of inability to decipher what the letter of the law was. A health care network-wide plethora of brochures, forms, and flyers, ostensibly aimed at protecting patient privacy better than ever before, spilled from the many months of compliance preparations by each CE. But contrary to the HIPAA hype about patient protection, and despite the glacier of paperwork for protecting privacy that was spawned by the Privacy Rule, critics of HIPAA claim that this federal law erodes patients' right to privacy Citizens for Health filed papers in the U.S. district court in Philadelphia alleging that HIPAA regulations threaten "essential liberties [privacy] guaranteed by the Constitution" (Dougherty, 2003).
Privacy and confidentiality are in greater jeopardy than ever because of two security issues inherent in compliance with HIPAA regulations. The first security issue stems from the fact that health care providers are forced to use the Internet for sharing information and for billing purposes. Second, and counter to HIPAA's alleged intent, is the issue of access to private health information. According to a statement issued by Citizens for Health, "virtually all personal health information about every aspect of an individual's life can be used and disclosed routinely without notice, without the individual's consent and against his or her will" (Dougherty, 2003).
In the first instance, patient confidentiality is compromised by the federal government, health care workers, hackers, and the legal system. The federal government realizes a savings of billions of tax dollars by computerizing Medicare and Medicaid programs and HIPAA, and, except in very small practices, makes electronic billing mandatory. Also, to facilitate quick information exchange in medical emergencies, there is a push for universal patient identifiers, which relates to the second security issue. A nationwide linking of all medical records is possible with such identifiers (Gelman, Pollack, & Weiner, 1999). "A national health ID so presages a national health database that Congress has consistently refused to fund the program" (Privacilla.org, 2003, p.11). Even so, increasing amounts of new private health information will be traveling the electronic highways, in addition to what is already stored in computers by managed care companies, as the private insurance companies follow the government's lead.
Managed care personnel have secured private health information about patients and clients to verify the necessity of treatment (Harris, 2003). During the past 15 years service providers assumed that this confidential information would remain safe with managed care personnel. With the retroactive element of the 2003 amendments to HIPAA, making past medical information available electronically, how valid is that assumption? Several years of paper treatment plans and client progress reports can be scanned into computer banks and be available for dissemination via the Internet. Internet use for insurance billing and sharing information is mandated by HIPAA, and the pesky problem of keeping that electronic information safe and secure is also addressed by HIPAA, allocating that responsibility to the service providers.
Unfortunately, that allocation does not guarantee that private medical information will remain safe and secure in storage or transit via the Internet. As distribution of information widens via the Internet, that information is more apt to become public (Aaronson, 2002). With date of birth, gender, and five-digit zip codes, 87 percent of the U.S. population can be identified (Aaronson).
"Instances of computer security breaches and associated financial losses have soared in recent years" (Raul, Volpe, & Meyer, 2001, p. 2). Computer programs now exist to crack passwords. In the first 20 minutes of an attempted break-in to a database, 20 percent to 50 percent of the Microsoft Windows passwords of a corporation with 10,000 employees could be found, and 90 percent could be found within 24 hours "by adding a brute force attack" (Lee, 2001, p. 2).
Hackers have enjoyed success in these endeavors. The confidential records of thousands of patients were stolen from the University of Washington Medical Center in 2001 (Chin, 2001), and in Philadelphia, Drexel University College of Medicine's database of 5,000 neurosurgery patients was accessed last year (Chin, 2003). Microsoft and the Pentagon, with state of the art computer security systems, were recently victims of hackers (Chin, 2001).
Computer security companies advertising the need for their products focus on the lack of security in cyberspace. Security lacks are documented by the Computer Security Institute and the FBI, which found in 2002 that 90 percent of large corporations and government agencies were victimized by backers (Computer Security Institute, 2002). Doc-Shred (2003) estimated that "U.S. corporations are losing an estimated 100 billion dollars a year to information thieves" (p. 1). Prescriptions to remedy these situations include access-control servers, firewalls, intrusion detection, network scanning, encryption, and virtual private networks (Cisco Systems, 2001). However, as the hackers and computer security companies do battle, there is, to date, no foolproof system to keep Internet information 100 percent safe.
In addition to the problems of managed care's ownership and use of private medical information, the health care employee can compromise patient confidentiality through inadvertent errors. Electronic information can be sent to the wrong place, or the wrong information may be sent. The sheer volume of transmissions translates one simple mistake into thousands of cases misplaced or misdirected. Glitches occur within a "company's computer system leading to unintended dissemination of proprietary information" (Raul et al., 2001, p. 2). In August 2000, 858 Kaiser Permanente patients' confidentiality was breached when a computer glitch made incorrect appointments (Dyer, 2001).
In addition to negligent errors, people with access to medical information may have malevolent intent. A public health worker gave two newspapers a computer disk with 4,000 names of HIV-positive individuals. Medicaid clerks sold recipients' computerized printouts of financial resources to managed care companies. A banker called due the mortgages on cancer patients after cross-referencing information he obtained as a county health board member (Clark, 2001).
Legal recourse for damages caused by negligent failure to secure confidential information is woefully lacking. "To date no U.S. court has addressed the issue of liability for failure to secure a computer adequately" (Personick & Patterson, 2003, p. 45). The public bas no recourse to sue under the new privacy rule (Peisert, 1999). HIPAA threatens penalties for noncompliance with security regulations, but if backers or others obtain private information and an individual is harmed, suing in the courts does not seem to be an option. Rather, "if the right to refuse information sharing comes only from the HIPAA privacy regulation, the consumer can only complain to the Department of Health and Human Services (HHS), getting in line behind thousands of other people to see if the agency will pursue his or her interests" (Privacilla.org, 2003, p. 23).
The second confidentiality problem under HIPAA is that information may be shared without the patients consent and with the 2003 Amendments may be shared despite patient objections. Peter Kavanaugh (n.d.), past president of the Academy for the Study of the Psychoanalytic Arts, stated that the board of the Academy is opposed to the new
HIPAA-cratic oath that requires the entry of personal and private information into a nationwide computer data base where it can be accessed by dozens of government agencies, thousands of bureaucrats, pharmaceutical corporations, private insurance companies, police agencies, foreign government officials and others … without the person's consent, (p. 2)
Health studies and drug marketing are instances in which patient data is shared (Aaronson, 2002). Law enforcement officials' access to patients' medical information has been broadened (Gelman et al., 1999). Public health activities may necessitate collecting individually identifiable information, including genetic information, without bothering to ask for an individuals consent (Peisert. 1999). Another broad area that allows sharing information without consent is defined only as having "specified public and public policy related purposes" (Richards, 2003). The FBI's new surveillance system could conceivably be used under these broad purposes. The new system was dubbed "'Carnivore' because it has the ability to get at the 'meat' of interesting or suspicious communications" (Lycos, 2003, p. 1).
The plaintiffs' brief, submitted to the United States District Court for the Eastern District of Pennsylvania by attorneys James C. Pyles and Kenneth I. Trujillo in Citizens for Health v. Tommy G, Thompson, Secretary. U.S. Department of Health and Human Services, clearly delineates the privacy concerns regarding the 2003 Amendments to HIPAA. The brief states that
Honorable Mary Ann McLaughlin entered a temporary order enjoining HHS Secretary Thompson's use of the Amended Privacy Rule "to the extent that it authorizes and permits the use and disclosure of Plaintiffs' identifiable health information without their consent" (Citizens for Health v. Tommy G. Thompson). However, the final decision was favorable to the secretary of HHS.
In a news release on April 2,2004, the secretary stated that the "court's decision supports our authority to protect the privacy of patient health information in a way that does not impede their access to quality health care. … We will continue to educate consumers about these important new protections and to promote compliance by those who, under the law. must safeguard patient health information." (HHS, 2004). Citizens for Health filed a Notice of Appeal on May 27, 2004. The Appellate Brief in this matter was filed on August 23, 2004 (Appeal for Patient Privacy Foundation, n.d.).
Reflection Exercise #9