
Volume 43, Issue 5, Pages 657-659 (May 2004)



HIPAA enhancements to improve emergency department security

Jeffrey Freeman, MD

Abstract 

The Health Insurance Portability and Accountability Act (HIPAA) seems to be as useful as is capitalism to the medically uninsured (or perhaps, as necessary as another leukotriene inhibitor for asthma). Is the emergency medical community doing enough? Can we improve on HIPAA to increase privacy in the emergency department? HIPAA regulations are reviewed in all their wondrous complexity and simplified so that even your medical director can understand them.

Article Outline

Abstract

Why do we need more HIPAA guidelines?

Overview of HIPAA regulations

Frequently asked questions

Copyright

HIPAA is the most controversial government legislation to affect health care since EMTALA introduced the medical screening examination (which enhanced emergency care in the same way that prohibiting peanuts on airlines has made our airspace safe).

The new privacy regulations limit the ways that health plans, pharmacies, hospitals, and other covered entities can use patients' personal medical information. The regulations protect medical records and health information from being communicated orally, being written on latex gloves, or being transmitted via Morse code.

But have we gone far enough? Has HIPAA really made our nation secure?

Why do we need more HIPAA guidelines? 


Just because the HIPAA Summary of the Privacy Rule is 23 pages long doesn't mean that it goes far enough to protect our privacy. Health information abuse is the most horrible, bad thing to come along since millions of evil teenagers started file sharing on the Internet. I can think of at least 3 reasons why we should have even more enhancements to HIPAA …

1. Stimulating the economy: One of the greatest benefits of a complex and comprehensive privacy policy is that no single person is capable of understanding it. This means that multiple organizations, both public and private, must be developed to implement, supervise, and teach the rest of us. This drives up costs and stimulates the economy. This is a very good thing. Think of the great work done by the IRS, OSHA, and the EPA.

2. Critics of HIPAA (known as Hipaacrites) are misguided souls who have no idea of the potential gains and benefits more restrictive health information security will bring. We need to fight for our rights in the same way that Congress fought for our right to have skateboard ramps leading into every building in the United States.

3. More laws mean more lawyers. And if we didn't have those, we might have to spend the money on universal health care, or something equally impractical.

Accordingly, I have considered some further enhancements to health information privacy that we can develop in our own emergency departments (EDs).

Have patients sign a blanket consent allowing the administration to do anything necessary to secure the safety of the patient, hospital, and nation (similar to a Congressional consent to go to war).

“De-identify” patients: remove all identifiable markings, including sanding off tattoos and randomly removing teeth to confuse dental record spies.

Smuggle patients into the ED like Jack Ruby under his jacket.

Take the license plates off all the cars in the ED parking lot so pesky detectives can't identify them.

Insert completely fabricated health information into the documentation. This will throw potential health information abusers off the track.

Every patient will have to pick a password and code name, like some illicit chat room. Meanwhile, have the employees' access codes to computer information change every 15 minutes.

Write all medical records in invisible ink. (I loved this when I was a kid!)

Ask patients for the middle 4 numbers of their social security number at registration.

Develop more acronyms: speak and write only in capital letters or abbreviations. JCAHO hates this, but then, why are they called JCAHO, huh?

Write records backwards using a mirror like Leonardo da Vinci (the other Leonardo).

Give patients disguises: wigs, fake moustaches, etc. A dress-up chest can be available in the waiting room/triage area. Not only will this help protect patients from health information abuse, but it can be fun dressing up … “You're the third fireman/maid I've seen today.”

Randomly order diagnostic tests and treatment so no one can identify a patient by their management.

Make access to medical records more difficult. Consider moving your medical records department to a different building, or even a different city. Put the records in big bank-like safes with multiple security levels, secret handshakes, and code rings.

Use hospital security to their full potential. (Too long have we underutilized these devoted employees who have left promising careers in fast food management to earn minimal wage in our EDs.) Teach security personnel how to do retinal scanning by using their big black flashlights and have them manually scan everyone they pass in the halls. Fingerprint every patient at triage and then have security personnel dust all the doorknobs in the ED at every shift, looking for matches.

Overview of HIPAA regulations 


What exactly is HIPAA, and how is it spelled? Congress issued patient privacy protections as part of the Health Insurance Portability and Accountability Act of 1996.1 The first-ever federal privacy standards to protect patients' health information took effect on April 14, 2003.

Notice of privacy practices. Patients will be asked to sign, initial, or otherwise acknowledge individually each of the 14,203 paragraphs of the original congressional act. (Congress has reserved 13 million square acres of national forest to supply the necessary paper products.) Do not despair, however. Patients are not required to actually read or understand any of the details of the act, which was penned by trained Congressional lawyers. Most patients will want to file their privacy notices with similar notices they receive from their banks, mutual funds, utilities, and Blockbuster accounts.

Limits on use of personal medical information. The privacy rule does not restrict the ability of doctors, nurses, and other providers to share information needed to treat their patients. Rather, this legislation stops fiendish health care providers from selling patient health information to life insurers, banks, bookies, video stores, and marketing firms. Congress is wise to just how much money physicians are making from these sales and wants it to stop.

Confidential communications. Under the privacy rule, patients can request that their doctors, health plans, and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than home and utter the password “Ecky-pikang-zoop-boing-goodem-zoo-owli-zhiv,” and the doctor's office should comply with that request if it can be reasonably accommodated.

Employee training and privacy officer. Because privacy is the number one concern of Congress, ahead of national health care or drug plans or even Iraq, it is incumbent upon the covered entity to forgo all other medical training until everyone knows HIPAA thoroughly. If covered entities learn an employee failed to follow these procedures, they must take appropriate disciplinary action, such as forcing them to circle the pronouns in the original privacy agreement.

Access to medical records. Before release of any medical records, patients will be required to memorize and recite the complete text of the privacy agreement they have signed with the health care provider. Health care providers may charge for listening to this recitation.

Civil and criminal penalties. Criminal penalties can range up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm. If you are considering such criminal behavior, you may note that killing the patient has much lighter penalties.

Complaints. Consumers may make a formal complaint regarding the privacy practices of a covered health plan or provider. If such a complaint occurs, it will be filed along with all the other complaints about privacy that the government has received. Just because there's only been a grand total of 3 complaints in the past 30 years doesn't mean that this isn't a priority in the public's eyes.

Equivalent requirements for government. The government reserves the right to follow whatever interpretations they deem necessary and may sell your information if the price is right. Where else do you think e-mail spam lists come from?

Frequently asked questions 


HIPAA may confuse you a little and lead to depression, suicidal ideation, and urinary incontinence. To simplify things, here are some frequently asked questions and their answers (more FAQs are available on the government Web site, but the file requires security clearance and password and takes 3 days to download with a broadband connection):

I believe I have found a cure for cancer and want to do a research study on the effect of this new treatment. How do I recruit patients?

As you know, all health information is completely protected, so you cannot contact patients with any disease directly. We are doing this for the safety of our patients. We suggest trying an infomercial on the Discovery Channel or wearing a sandwich board in front of your hospital.

May I get access to my own health records?

Yes. As soon as we can find them. We had them yesterday.

Why has so much effort been put into HIPAA now?

To divert your attention from the lack of oversight of the SEC, NYSE, and campaign finance reform.

Can I ask a patient to be contacted for possible participation in future, unspecified research projects?

Why? Do you know something? What aren't you telling us? Is it safe? … Is it safe? We have ways to make you talk …

Am I a covered entity?

Oh my, yes, I hope so. If you aren't, we suggest getting covered before the JCAHO surveyors come. And we all know how helpful they've been ….

Department of Emergency Medicine, University of Michigan, Ann Arbor, MI, USA

Address for correspondence: Jeffrey Freeman, MD, 2124 Chaucer Drive, Ann Arbor, MI 48103

The author reports this study received no outside funding or support.

Reprints not available from the author.

1 Note: Do not confuse HIPAA with: HIPA (The Hawaiian Island Paddlesports Association) or HEPA (filters that are supposed to clean your air but end up getting clogged and burning out your motor). Actually, HEPA and HIPAA are not really that different.

PII: S0196-0644(03)01315-5

doi:10.1016/j.annemergmed.2003.12.007

