Another viewpoint: HIPAA rules confuse Hoosiers


(Anderson) Herald Bulletin

Recent cases in Indiana have revealed the inconsistent and hard-to-decipher rules protecting patient records under the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.

Since its inception in 1996, HIPAA has been politicized, weaponized and misunderstood by the health care industry, litigators and the general public.

Since 2000, the U.S. Department of Health and Human Services has updated HIPAA provisions repeatedly to offer guidance, simplify rules, define confidentiality and clarify enforcement. The advent of electronically accessible health records has added to the challenges.

In Indiana, the most egregious and best example of the confusion has been the case of Dr. Caitlin Bernard, who was accused by Indiana Attorney General Todd Rokita of violating HIPAA rules.

In 2022, Bernard treated a 10-year-old rape victim who was referred to her by an Ohio doctor. When questioned by a reporter, Bernard provided the age and home state of the victim but not the girl’s name. In May, the Indiana Medical Licensing Board found Bernard liable for violating privacy laws and fined her $3,000 but did not pull her medical license.

Granted, the attorney general’s office has been vital in shutting down unscrupulous practices. But no case has been used as blatantly as the 10-year-old’s plight to further a political agenda.

Indiana court cases related to HIPAA have involved a third party’s ability to access a hospital paging system that contained patient information and another where a medical assistant accessed a woman’s records to disclose them to the woman’s husband. In yet another, an Indiana software company paid $100,000 in 2019 to the HHS’s Office of Civil Rights after hackers accessed protected health information for about 3.5 million people.

In April, the U.S. Government Accountability Office, exploring electronic health information, underscored the variations in state privacy laws.

First, there’s misapplication of HIPAA, hindered by variations in state privacy laws.

Second, there’s the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provided $23.4 billion to participating states to improve electronic health information exchanges.

Under the latter, the accountability office found that electronic exchanges had increased for large hospitals. Yet small and rural providers had difficulty in obtaining technology. An accountability office survey found that smaller acute-care hospitals (with 100 beds or fewer) on average received mail or faxes 54.5% of the time, compared to larger hospitals at 38.5%. About 28% of small hospitals used a vendor’s network to store records; large hospitals were at 45%.

Lastly, the Trusted Exchange Framework and Common Agreement is intended to establish a countrywide medical records sharing system. The act, however, requires participants to adhere to rules that are substantially similar to HIPAA, including participants who are not HIPAA-covered entities.

Talk about confusion. We live in an era when HIPAA forces a reevaluation of trust and respect between patient and doctor.

We don’t want politicians to nudge their way into the patient-physician partnership. All we want is for licensed medical professionals to do their best to protect our health — and our privacy.
