Clown fishSend in the clowns.

As anyone in health care–or anyone who has received health care recently–knows, there are new federal privacy laws in place. These are referred to as HIPAA, for the federal legislation passed to insure portability in health insurance and privacy in health information. Well-intentioned and useful in many regards–it includes much-needed standardization of forms and electronic communication between providers and insurance carriers, for example–it nevertheless has caused significant changes in the way medical practices and hospitals handle patient privacy and health care information. And, as should be expected with massive federal legislation, there are, shall we say, some unintended consequences. I had the misfortune of falling into just such a snare recently.

Much of the surgery I perform is done on an outpatient basis–patients come in the day of surgery, have their procedure, and typically go home an hour or two later. In days past, prior to the implementation of HIPAA, when a patient reached the recovery room after surgery and became stable, their family was allowed into recovery to visit them. HIPAA did away with this practice, because of concerns that family would recognize another patient undergoing surgery that day, violating their privacy. Alternatively, the physician would go to the waiting area, and call out the patient’s name, in order to locate and talk with the family. This, as you can imagine, is a no-no now as well, but in practice it all worked quite nicely. Private rooms were always available when needed, when the news was bad, emotions high, or a long, detailed discussion required.

To eliminate the risks of accidently revealing confidential medical information or patient identity, a system of aliases was developed by our local hospital. Patients and their families were assigned a letter of the alphabet on admission, and a master sheet of patient names was given to the nursing staff and volunteers in the waiting area. So you were no longer Mr. Jones, but now were the letter “a”. As our ambulatory surgery suite is rather busy, families would go to double and triple letters if needed, such as “double-e” or “triple-m”. When the patient came out of surgery, the secretary in recovery room, who held the name-letter key, called the volunteers, giving them the name and the letter. The volunteers then announced the letter, the family, repsonded, and were placed in a private room to await the doctor. Nice, simple system, seemingly bulletproof … seemingly.

An elderly gentleman had surgical removal of a bladder cancer by me, using endoscopy–a common and generally uneventful surgery, which is often curative, as many bladder cancers are not very aggressive and can be totally removed by shaving them out of the bladder. After writing the postoperative orders and talking briefly with the partially-awake patient and his nurse, I headed out the the waiting area to talk with his family. They were waiting, as is customary, in the private conference room.

I introduced myself–not having met the patient’s family before (not an unusual circumstance)–and began to discuss his surgery. I reassured them that surgery had gone well, and that he had not had any problems with the procedure or anesthesia. They smiled and seemed relieved. I told them that I believed the cancer was totally removed, although the report from the pathologist several days later would provide the full answer. They were particularly pleased by this news, and seemed physically to relax a little. I advised them that this type of cancer tended to recur, and that he would need periodic scoping in the office to monitor for such an occurrence. They smiled, although seeming a little troubled by this thought (who wouldn’t be?). There smiles became more plastic, although I failed to notice the change. I then assured them that he would likely be stable enough to go home later in the day, without a bladder catheter.

The smiles froze, morphing into a look of pure confusion: “Home today?? We thought he was supposed to stay in the hospital for 4 or 5 days!”

That ghastly knot tied itself tightly, deep in the pit of my stomach, as the light switched on: “Yes–what surgery did you think he was having?” “He was having his colon removed.” Ooh-kaaay…how am I gonna talk myself outta this one?? I’ve been talking to the wrong patient’s family.

Fortunately, that proved easier than it could have been, due to the graciousness of the family with whom I was speaking. They even expressed their gratitude that my patient was doing well, and I wished them the best with their outcome. It could have been far, far worse.

It is not entirely farfetched that the wrong family could have gotten some very bad news not meant for them, which could have triggered difficult or dangerous actions: calls to other family members, decisions to fly from afar, hasty financial decisions, or at the very least a great deal of emotional trauma–not to mention legal implications, as lawsuits have been filed–and won–for less emotional trauma than this.

This is an excellent example of the Law of Rules: rules and laws passed to solve one problem have unintended consequences, which are not infrequently worse than the problem being solved. In this case, the problem solved was minor and infrequent: the possibility that someone might recognize another patient, or overhear some relatively sensitive health information. In my experience, most physicians were careful about such disclosure prior to HIPAA (although there were no doubt exceptions), and even should such disclosure occur, it would be hard to prove that harm comes from the majority of such breeches. The solution to what in my experience was a very minor problem has, and will continue to have, some very serious consequences.

The alias system which most health care facilities have implemented to comply with this law significantly increases the risk of patient identification errors, in my view. In the hospitals in which I work, patient names are no longer posted on a central board at the nursing station–only their initials. Consider the tired, busy nurse giving a medication to the patient in bed 102, Carrie Fisher (initials CF), who is a few rooms away from Carl Foobar (initials CF). Granted, checks and balances are in place–double checking patient, chart, medication, and patient’s armband, which has their name–but one simple and important check has been removed: the easy ability to identify a patient by name. Names are no longer posted on surgery schedule boards as well–it is not hard to imagine the disastrous outcome of an ID mishap here.

I am not dismissing the importance of patient privacy and the privacy of sensitive health information by any means; if anything, the importance of such protections has been underemphasized greatly in the past, and HIPAA addresses some serious issues. But far more detailed and sensitive information is allowed to flow freely under the same law: to your insurance carrier.

Both federal and private health insurers generally require a release of information to verify that services billed by providers have been appropriate and accurate. This means they may access, not just detailed diagnosis and service codes, but also the release of physician notes, operative reports, lab and pathology results–virtually everything about you in your health record, identified by name, SSN, birthdate, and other personal details. Insurance carriers are also required to protect this information, and no doubt make good efforts to comply–but they large bureaucracies, staffed by fallible–and occasionally nefarious–employees. I don’t know about you, but I’d rather have my neighbor accidentally overhear about my surgery results than to have every sensitive demographic and medical tidbit I own pass through the caring hands of the friendly insurance clerk who just loves to chat around the water cooler, and later tell her boyfriend about the fascinating patient she read about today.

So what’s the answer? I suspect we’re just going to have to live with this flawed legislation, since laws of this nature always get more detailed (laws to handle the problems the laws themselves created), rather than simpler with time. But if I were king (a scary thought, that), here’s what I would do:

  • Dump the silly requirements that patients and their families be anonymous, unless they specifically request it; the risks outweigh the benefits. Move back to common sense, use patients’ names, perhaps leaving some censure for egregious violation of patient privacy.
  • Require that all information passed to government and insurance companies be identified by a unique ID only, with no other patient identifying information. Insurance company employees could access personal data only on a “need to know” basis, with careful logging of all such access.

As for me, I’m going to make darn sure I know which family I’m reporting to.

UPDATE: Courtesy of a reader, I am alerted to my dysfunctional acronymania: Changed from HIPPA to HIPAA. Thanks.

Print Friendly, PDF & Email

13 thoughts on “HIPAA-titis

  1. When I read this post earlier I sat here nodding my head in sad agreement because I also work in a healthcare environment. I remember an old saw that “three can keep a secret if two are dead,” and remembered years in the food business being told “we don’t give out our recipes!”
    So how many cooks did we lose this year? Or LPN’s? Or Bank tellers? Or secretaries at the three big credit reporting companies?

    “Confidential information?” Gimme a break. Sensitive, maybe, but anything but confidential. I have a jaundiced view that it has more to do with lawyers than principles.

    But that’s not why I comment. I am here to be among the first to congratulate and give you a heads-up about Vanderleun’s mention of you at American Digest. I want to add my compliments to his and encourage you to change nothing about the way you are headed with your blog. It is a sterling example of how a good man with every reason to be proud quietly and humbly moves through life, in the same way that an accomplished professional walks into a high-school auditorium to address a student assembley.

  2. Those rules have done absolutely nothing to protect me. They have done a lot to complicate my life. I use the health care industry to help my health, not my privacy. There were a lot of things in place to protect privacy before HIPAA … and they didn’t complicate the lives of everyone involved.

    It is absurd. Just absurd.

  3. I couldn’t have said it any better.

    Many times have family members called to inquire about there loved ones but no information could be given out because the patient could not give consent.

    Moreover, many emergency rooms are so busy and overcrowded that they have stretchers packed together. It is a common occurrence that a patient adjacent to the patient I’m interviewing would pipe in and offer an uninvited Spanish translation service. “Doc, he said he’s never had any STD’s!” How this is not a HIPAA violation is beyond me.

  4. Well said. Remember what Reagan said? (paraphrasing): The most frightening words in the English language: “We’re from the government, and we’re here to help you.”

    HIPAA is a farce, which in addition to complicating the practice of medicine enormously, probably doesn’t even accomplish the privacy protections it purports to offer.


  5. Your problem with HIPAA seems to be that you, and the rest of the staff at your local hospital, now have to verbally confirm who you’re speaking to, or operating on, instead of just looking up their names on a chart, and imparting information.

    The mistake you made, talking to the wrong set of relatives, could just as easily been made by picking up the wrong chart, or in a dozen other bureaucratic foul ups.

  6. My hospital has those “coaster pagers” that one sees at Olive Garden or Outback Steakhouse. They give them to families as they check into the waiting area. Works well so far.

  7. As with all such rules, legislation meant “for our own good” usually causes problems worse than what it was meant to address. This law of unintended consequences is what Bastiat meant when speaking of the failure to anticipate “what is not seen”.

    It is unclear what egregious violations of privacy were extant prior to HIPAA that warranted such a busybodied behemoth. But you can be sure the tortured responses to it, such as you so well describe, do not help patients one bit. Instead, HIPAA endangers patients (although they’ll readily blame you for that as well).

    To so readily submit in servility to “the caprice of a clerk” (as de Tocqueville described Europeans) turns us all into subjects, not citizens.

  8. I always tell my clients that before they even think about supporting new regulatory schemes, they need to sit back, close their eyes and imagine a horde of suited lawyers standing in the halls of Congress holding homemade cardboard signs that say “Will Work for Laws.”

    HIPAA is just a boondoggle that makes lawyers and compliance consulting companies rich. It is also my opinion that In-House Counsel are going overboard in compliance–far beyond what the rules require on their face. I don’t really blame them because you never can tell how individuals with the OCR will enforce them.

  9. In our institution, HIPAA has already invited several lawsuits involving violations of HIPAA.

  10. “Many times have family members called to inquire about there loved ones but no information could be given out because the patient could not give consent.”

    I don’t know if it has been “fixed”, but I remember a case…
    A man went out to buy something at a local mom-and-pop, a five minute walk. After about an hour his family contacted police: had he been mugged or in an accidemt??? As time went on, they frantically kept at the police, clinics, hospitals…
    Four days later, they got a notice in the mail – his body was in the morgue, what disposition did they want to make?
    Seems he had been taken to a local hospital after collapsing. Once in, the hospital administration interpreted HIPAA as meaning they could not only not contact anyone (family), but could not say he was there or turn over his personal effects (like ID) to police without a warrant.

    A single incident? Anecdotal? Yeah – but…

Comments are closed.