The last seven years been witness to a behind-the-scenes legislative battle in Washington, D.C. over an enormously valuable yet previously inaccessible gold mine of data--the personal medical information of U.S. citizens. As medical records have migrated to electronic formats, enormous quantities of patient data that once sat in filing cabinets can now be instantaneously transmitted over the Internet. All kinds of interested parties are eager to make use of this data--physicians want their patients' previous diagnoses and treatments; hospitals and insurers want to know about utilization; law enforcement wants evidence of any crimes, employers want accountability for their health insurance premiums; and pharmaceutical companies want access to potential customers. Along with all these other groups, psychotherapists have a vested interest in this data--whether they know it or not. Beginning on April 14, 2003, the clinical relevance of this battle over health care information will become painfully apparent to our profession.
On that date a new set of federal regulations, mandated under something known as HIPAA (the Health Insurance Portability and Accountability Act), governing the privacy, security, and transmission of health information, will go into effect. Many believe HIPAA will change health care--particularly mental health care--in unimaginable ways. For the first time in the 227 year history of America, the federal government has granted itself the right to review everyone's medical record.
Where Did HIPAA Come From?
Passed by Congress in 1996, HIPAA is in some ways an admirable piece of legislation, principally for its most widely understood provision, COBRA, which allowed people to take their employer-paid health insurance with them upon job termination. However, included in the legislation was a section with the dubious moniker of Administrative Simplification Compliance Act, which required Congress to develop rules for the input, storage, use and transmission of electronic medical information. In response to the staggering increases in health care costs, national providers and insurers had argued that the differing laws and rules of 50 state added exorbitant administrative costs to healthcare. The federal standardization of record keeping was supposed to be an answer to the problem.
The intent of the HIPAA rules was to create quick, easy, and painless processes for authorizing and paying for treatment. But indications that creating such national standards would not be easy came first when Congress missed its own 1999 deadline for deciding on the rules and the task fell to the Department of Health and Human Services (HHS), which expanded regulations beyond electronic data to include traditional paper medical charts.
HIPAA contains rules governing a number of issues of particular relevance to mental health professionals. HIPAA's security rules delineate the steps providers must take to secure patient information. Its transaction standards and provider identification standards are designed to ease authorization, billing and payment of claims by third parties. These three standards are largely seen as beneficial.
By far the most controversial of all the new HIPAA regulations have to do with medical privacy. Traditionally, a consent form signed by the patient has been the gold standard for medical privacy protection, with penalties for violating clinician-patient confidentiality. This would seem to be a fundamental right requiring an act of congress to undo, yet it was ultimately decided by HHS. As one of my medical colleagues pointed out to me, the Hippocratic Oath of "telling no secrets" has been superceded by a HIPAA-cratic rule.
Instead of a signed consent governing access to protected health information, after April 14th, each health care provider, including private practitioners, will be required to issue a "Notice of Privacy Practices," that makes explicit where individuals' medical information "may" go and how it "may" be used. …