Following is a piece I submitted to the Chicago Tribune as an op-ed in response to an article on the first anniversary of the HIPAA privacy rule. It has been two weeks since I wrote it and I have not heard from the Trib, so I figured I would publish it here. Sorry, but i do not have the Trib article that prompted this letter.

Your comments are welcome at nversel@rcn.com. – NV

By Neil Versel

Judith Graham’s story on the first anniversary of the medical privacy regulations under the Health Insurance Portability and Accountability Act, or HIPAA (“Privacy law a bitter pill,” April 13), leads the public to believe that the rules are hampering the ability of doctors and hospitals to provide proper care.

In reality, the article highlights a glaring lack of education among a large segment of the health care community, shows just how antiquated health care information management truly is and illustrates how simple misunderstandings can have dire consequences.

The survey Graham cited by the Council of State and Territorial Epidemiologists suggesting that more than a third of the nation’s public health officers label HIPAA a “major obstruction” in accessing information on publicly reportable diseases is a case in point. HIPAA itself is not preventing these public health professionals from doing their jobs; the greater culprit is serious case of ignorance among a sizable portion of the health care community.

As Graham correctly points out, each of the horror stories outlined in the article was entirely preventable.

The report in Graham’s story of a Department of Veterans Affairs doctor in San Francisco not being able to get information on a one of his own patients who had recently visited a hospital emergency room illustrates the lack of education — and perhaps unnecessary fear — about the HIPAA privacy regulations.

In August 2002 — eight months before the privacy safeguards took effect — the Department of Health and Human Services responded to criticisms that the rules were overly restrictive by explicitly stating that health care providers, insurance companies, pharmacists and others covered by HIPAA can share individual patient information for the purposes of treatment, payment and other operations related to care delivery.

These modifications also defined a “limited data set” of protected health information that can be disclosed without patient permission for the purpose of research, public health or healthcare operations.

According to the HHS ruling, it is perfectly legal for doctors and hospitals to report signs of certain diseases as long as health providers withhold patient-specific identifiers such as street addresses (city and state are OK), telephone numbers, full-face photos and vehicle license numbers. Indeed, common sense — not to mention ethical duty — pretty much requires care providers to inform public health officials of potential outbreaks.

Of course, we are not always dealing in common sense, as demonstrated by the tragic news of the suicide death of Charlie Blumberg after he was discharged from a Denver hospital into the care of a person not related to him. There seems to be an epidemic of fear within the health care community that some sort of HIPAA police force will start hauling doctors away in handcuffs should any hint of a medical record leak through a hospital’s walls.

Contrary to a widely held belief, the HHS Office of Civil Rights, which is charged with enforcing the privacy regulations, will not be going out of its way to hunt down and penalize healthcare organizations. The office’s director, Richard Campanelli, said so in March 2003 at a national, public conference in Rosemont on the HIPAA privacy rule.

“OCR’s goal is not to maximize enforcement. Our goal is to protect personal health information,” Campanelli said to a gathering of nearly 1,200 health care professionals.

Or as OCR privacy program policy specialist Christina Heide said at the same conference, “The privacy rule is not intended to impede treatment.”

The people from Carle Foundation Hospital in Urbana know this. A compliance officer from the affiliated Carle Clinic Association sat next to me at lunch that day. Unfortunately, the nearby hospital that, according to the April 13 Tribune story, would not release laboratory results did not get the message.

Unfortunately, the Carle physician who had to perform emergency heart surgery with an incomplete picture of his patient’s health is far from alone. Thousands of times every day across America, conditions are misdiagnosed, patients are given drugs they may be allergic to and pricey diagnostic tests are repeated simply because health care providers are missing major pieces of patient records.

HIPAA, for the first time, makes clear that patients, not hospitals, health insurers or physician offices, own their medical records. This represents a sea change from the doctor-centric view of health care that had long been the custom.

A select few in the rarified world of medical informatics understand that electronic connectivity and interoperability — backed up by the proper network security — would solve this serious problem of physicians practicing with incomplete patient information, while simultaneously ensuring privacy.

For example, Crusader Clinic in Rockford, or any other medical practice, for that matter, could do away with the inconvenience of requiring patients to come in to view lab results by adopting online clinical messaging. More secure than regular e-mail because users must enter a unique ID and password at an Internet portal, clinical messaging facilitates the safe exchange of sensitive personal medical information.

Technology such as this not only helps medical facilities comply with HIPAA requirements, it helps improve customer service by letting patients see their lab results at their leisure. And, as an added bonus, it gets doctors and nurses off the phone and back in the exam rooms so they actually can care for patients rather than shuffling paper.

If only the health care community would open its collective eyes, they would see that the year-old HIPAA privacy safeguards present not an insurmountable roadblock, but truly a wonderful opportunity to improve care by encouraging the adoption of information technology.

Neil Versel is a health care journalist in Chicago.