Oftentimes in medicine, or even life in general, we might be required to revisit the origin of a popular belief, phrase, or “common-sense” piece of knowledge. Through numerous transmissions, these concepts can stray far from their original meanings and transform into something entirely different and even erroneous. Unfortunately, that seems to be happening with HIPAA. Speak the words among providers and you’ll likely invoke thoughts of uptight regulators in suits and extraordinarily hefty fines issued to those foolish enough to have loads of data on an unsecured laptop computer. However, HIPAA is not about overbearing rules or inconveniently adding to the documentation burden. It is about privacy.
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is simply a federal law put in place to protect the identifying information of any patient getting medical care. It gets a little detailed, but essentially the law was put into place so that providers, clearinghouses, and insurance companies make a serious effort to protect information like names, birth dates, social security numbers, photographs, and any other unique identifier a person may have. The end-goal is that a patient’s medical needs are kept private. Aside from being a basic human right, privacy should be protected for additional reasons like the possibility of discrimination against patients by employers or insurers (see preexisting conditions).
Big (Unsecure) Data
For better or worse, we will soon be so proficient at collecting data that nearly every aspect of our lives will be quantified. Despite being completely obtrusive and a little creepy, this massive data collection and analysis will have benefits like solving the obesity epidemic and finding new treatments for many diseases. Unfortunately, that is an optimistic view. Currently, most of the data collected with our mobile devices is simply being used to find more efficient ways to market to us. What’s more, as we’ve seen over the past couple of years, we are nowhere near experts at data security. Think back to 2013, when Target failed to protect the credit and debit cards of over forty million customers. Health data is far more sensitive, though, because we can’t simply cancel and replace health information the way we would a stolen credit card.
“We’re HIPAA compliant… right?”
Aside from data security, there’s a lot of confusion around HIPAA in general, especially in smaller medical practices. Our recent survey showed that practices are far from HIPAA compliant. Many practices are struggling to train their employees (only 56% of office staff said they’ve received HIPAA training within the last year). And only 45% of respondents reported that their practice has a (HIPAA-required) breach notification policy. At the end of the survey, respondents were asked, “How confident are you that someone in your business is actively ensuring HIPAA compliance?” With only 38% saying “very confident,” it’s clear that we, as an industry, have some work to do. Practices certainly have a lot on their plate, between ICD-10, Meaningful Use, and the ACA, but we can’t let HIPAA fall by the wayside. Aside from increased communication and simple education, I suggest we do one more small thing to bring the focus back to what matters.
Ditch the Acronym
Whatever reason a patient may have to keep data private, providers should be making it a top priority. With so much conflict surrounding our personal information, we absolutely cannot afford to take this matter lightly. This isn’t about documentation written in 1996 or outrageous fines. It is about protecting the privacy of people. So, let us rid ourselves of the strange acronym that reminds us of a water animal and take on this issue by giving it a name that makes sense: PATIENT PRIVACY.