In 1996, the Health Insurance Portability and Accountability Act (HIPAA) became law. Its purpose was to update healthcare information records so that they were in keeping with the digitization practices of modern record keeping. Privacy was another issue. Many people involved in patient care, administration, and insurance had access to patient records. Before HIPAA, there were no federal regulations that addressed patient record privacy. Through HIPAA, Congress sought to protect health records because there were so many people who had access to them. Keeping records in a digital format would allow even more people access to health records, which is why Congress recommended that the Department of Health and Human Services (HHS) issue regulations. Congress passed all of the legislation regarding HIPAA while President Bill Clinton was in office. When George W. Bush became president, he reopened the comment period for HIPAA and later modified HIPAA “exceptions for treatment, payment, and healthcare operations” (Solove, 2013, pp 24-25). This stalled much of HIPAA well into 2005. The HIPAA law continued to be debated and revamped and by 2008 HIPAA advocates were claiming that the rule was not even being enforced. There had been over “33,000 HIPAA complaints filed” (Solove, 2013, pp 24-25). Only 8,000 of those complaints were investigated with the result that no fines whatsoever were issued. Journalist Laura Parker of USA Today noted that the problems with HIPAA were caused by the new Congress and the George W. Bush administration. HIPAA was originally 337 words long. By the time Congress was done with it in 2003, the privacy regulations and exemptions from regulations document about HIPAA was 101,000 words long. Parker attributes this enlargement, and the subsequent confusion, to the fact that the “regulations were issued at the end of the Clinton administration but revised by the Bush administration” (Parker, 2003). 
Instead of maintaining the original goal of making the system digital, under Bush and the 2003 Congress health care providers had to give patients lengthy, multi-page documents and disclosures. HIPAA was further weakened by the disallowance of lawsuits over privacy violations. Instead, the new regulations required injured parties to file complaints with the federal government. Those complaints were shuffled around and no fines were imposed for violating HIPAA. In January of 2009, Barack Obama became President and the HITECH Act was signed, making HIPAA enforcement penalties stronger, requiring notifications if there was a security breach, and expanding patients’ rights (Solove, 2013, pp 24-25). One example of the changes that took place once HIPAA was enforced was the action taken against pharmaceutical company sales representatives and their practices. Before HIPAA enforcement it was common practice for pharmaceutical sales representatives to obtain the prescription records of doctors. Knowing the “prescribing patterns of physicians” was a good way for pharmaceutical sales representatives to solicit business. According to a report by journalist Natasha Singer of the New York Times, “Drug makers spent about $6.3 billion on marketing visits to doctors in 2009, the last year that such figures were available, according to IMS Health” (Singer, 2011). After HIPAA enforcement began in earnest in 2009, “some entities [were] fined millions of dollars for privacy breaches” (Solove, 2013, pp 24-25). According to a publication by Alliance for Health Reform, “Privacy, security, and the regional health information organization,” Regional Health Information Organizations (RHIOs) must handle patient records in accordance with HIPAA’s privacy and security standards.
Regulations apply to privacy and security, which are separate issues: “Privacy is the protection of the patient health information [and] Security is the means by which organizations ensure the availability, confidentiality, and integrity of that information” (Rosenfeld, Koss, Siler, and California HealthCare Foundation, 2007, p 5). HIPAA establishes the framework for the way in which RHIOs manage the privacy and security of the records. The Kaiser Family Foundation offers information on how HIPAA applies to people who are dealing with pre-existing conditions, which is referred to as the “portability issue” (2012). People who are part of a group healthcare insurance plan and who want to change to a non-group plan may benefit because of HIPAA. If a person has had continuous health insurance coverage for 18 months under a group insurance plan, then per HIPAA guidelines they may be able to enroll in a non-group plan, the pre-existing condition notwithstanding. HIPAA does not regulate the new fees that may be charged for the new plan, and these are quite costly (2014). As of 2014, the U.S. Department of Health & Human Services offers written guides and online information about HIPAA in order to assist patients and healthcare providers. HIPAA goals are much the same as they were originally: to simplify records management and adopt digital record keeping that ensures efficiency and security as well as patient privacy. There are continuous advances being made in the technology used to store and retrieve information. This may or may not cause new privacy issues to arise that will need to be addressed by HIPAA.
References
Alliance for Health Reform. www.allhealth.org
Kaiser Family Foundation. www.kff.org
Parker, Laura. (Oct. 16, 2003). Medical Privacy Law Creates Wide Confusion. USA Today.
Rosenfeld, S., Koss, S., Siler, S., & California HealthCare Foundation. (2007). Privacy, security, and the regional health information organization. Oakland, Calif: California HealthCare Foundation.
Singer, Natasha. (April 24, 2011). A Fight Over How Drugs Are Pitched. New York Times.
Solove, D. J. (January 01, 2013). HIPAA turns 10. Journal of AHIMA / American Health Information Management Association, 84, 4, 22-8.