HIPAA Blog

[ Wednesday, December 24, 2008 ]

 

New push for EMRs? Some folks (not surprisingly those with an economic interest in such a strategy) are strongly advocating to the new Obama administration that greater use of electronic medical records is a necessary part of any healthcare reform. Of course, that's half the story; what about privacy? (Of course, the author says stringent privacy protections must be baked in; of course; he even starts that sentence with, "Of course.") He's surprised ("Amazingly," his sentence begins) that no healthcare organization accepts responsibility for maintaining complete medical records for each person; he goes on to compare the security of banking records (even in electronic form), and indicates that the same security could exist for health records; of course, no banking organization accepts responsibility for maintaining complete financial records for each person.

But he does provide a concrete solution: a health record bank where you could deposit all of your medical records. Actually, there are a handful of these resources out there already for anyone who wants to use them: Microsoft's HealthVault is one. This is a useful idea, but doesn't cure the ills, for a number of reasons. First, having all the records together in one place is good, but if they're in different formats it's not as usable as it could be. Secondly, it still relies on the individual to activate the process (or at least consent to the inclusion of information into the "bank"). Thirdly, as he notes, this is only really good for electronic medical records (although non-electronic records could easily be scanned and digitized as images, but again it would not be as useful as information that is truly electronic).

The final paragraph is the clincher: he notes that HIPAA is anti-consumer because it doesn't go far enough to protect privacy. How? Because the HIPAA covered entity is the one that determines whether a disclosure is for treatment, payment, or healthcare operations. Uh, actually, no: a use or disclosure either is or isn't for TPO. While the covered entity has to make a determination before making the use or disclosure, they can't simply say, "this is treatment," and therefore there's no HIPAA violation. In other words, the doctor can't put your PHI up on a billboard and say, "This is treatment," and be absolved of any HIPAA violation: putting your PHI up on a billboard would have to meet the definition of "treatment," and not simply because the doctor says it does. Just as the homeowner may make a split-second decision that shooting an intruder is in self-defense, whether the shooting actually meets the legal definition isn't determined simply because the homeowner says it did.

If HIPAA is anti-consumer, this record bank idea won't be workable.

UPDATE: oh, one other thing I forgot to mention: sometimes individuals will want certain medical information to be segregated from the rest, for good reasons or bad. If individuals do have a right to privacy of their medical information, then they should have the right to keep the records of their drug rehab out of the medical records maintained by their employer as part of an employer self-insured ERISA health plan; it's supposed to be kept confidential, but who knows what will happen when the head of HR, who's also the administrator of the employer's self-insured plan, sees that information? That's a reason for individuals to want to opt out (either entirely or selectively) from a record bank, particularly if they can't control who might contribute to it or who might access it.

Once again, privacy is the nemesis of information exchange.


Jeff [11:24 AM]
