I never imagined I’d write a post about HIPAA. I feel compelled after recent experiences that have confused me more about the subject. I also want to make clear that I think personal health information should be protected as long as those protections are not so restrictive as to cause people to find workarounds for them that only make matters worse.
I know HIPAA in several different contexts. Before medical school, I worked as a consultant and actually performed several HIPAA audits (payers and providers). These were more network security audits with some added content (mostly boilerplate) related to HIPAA and healthcare. The ironic part is that our consulting team knew nothing about HIPAA — not even how to spell it — when we started working on these assessments. Several reports required the use of Find and Replace to change HIPPA to HIPAA.
Next, in medical school, I endured endless educational modules and quizzes related to protected health information (PHI) in clinical, educational, and research settings. Most of it was so convoluted and overly extensive (much of it not relevant) that the main thing I retained was that disclosing health information was a very bad thing. Maybe that was the most important lesson and the purpose of the training. I didn’t recall the details about what was and wasn’t PHI, or in what circumstances it could be disclosed.
Then there is the experience of my friends as residents and students. They all seem to know that PHI needs to be protected. They’ve built up pretty massive collections of photos on smartphones for fear of moving the photos to Dropbox. Most that I know, in the spirit of patient care or education, share content over MMS and SMS that could be considered PHI. Students and residents also take smartphone photos of medical labels for logging procedures.
I’ve been involved in several academic research projects. In thinking back now, I recall we openly shared data in spreadsheets with patient information using Google Docs, Dropbox, and over Gmail (because enterprise Outlook is horrible once you’ve experienced something better). Research projects can heavily lean on tools such as SurveyMonkey, which openly acknowledges that it does not support the collection of PHI.
The problem doesn’t end with electronic PHI, though this is what gets all the attention (at least in my world). I remember med student friends that would have paper notes, usually photocopied from the chart or handwritten, strewn about their cars or homes. I’m not sure how else they are supposed to treat these papers — maybe leave them at the facility?
That brings me to where I am today. I understand specific HIPAA security rules more deeply than I ever did before. I certainly educate most of my resident friends about it when they ask or it comes up in discussion. I’ve taken the time to read the actual federal regulations, not the interpretation that I was given before.
The key thing I’ve learned is that HIPAA provides some flexibility in approach. It’s not one size fits all. Furthermore, it does not preclude the use of hosted services or mobile access to those hosted environments (NEJM had a great commentary on that topic).
This isn’t revolutionary. Plenty of new and old HIT vendors, though not usually EMR vendors, are working with PHI and have 100 percent hosted environments on Amazon or Rackspace. Many of them have contracts with health systems and payers, so some health systems get this as well.
On the other hand, I’ve recently been frustrated when I was told by multiple compliance officers at multiple healthcare systems that a technology platform doesn’t meet security requirements solely because the application is hosted on a dedicated Amazon server. Are there people at health systems that can weigh in on whether they will work with companies that store PHI using shared hosted services like Amazon? I’m curious to get a sense of what the norm is, since I’ve seen both recently.
The problem with HIPAA ultimately lies with the fear associated with a breach. The frustration is that this risk, whether perceived or real, sometimes seems to be a one-size-fits-all approach to health technology security. I’m not sure how you fix this.
The other big problem is that the clinicians that work with PHI all day generally don’t understand HIPAA or don’t have the tools available to them to follow HIPAA. Their options are to not share/store anything at all or to use something that isn’t HIPAA-compliant (Dropbox, MMS, SMS, Gmail, etc.). I know compliance and risk officers are trying to minimize the risk to the organization, which makes sense. The problem is that clinicians are focused on their clinical duties, and following HIPAA rules is only one of them. IT is focused on IT, and risk/compliance is focused on risk/compliance.
If I’m going to answer my own question, HIPAA means fear, inconvenience, and expense. I don’t think that has to be the case. Can’t we take a reasonable approach to securing data, make it easy for clinicians to follow HIPAA, and document the heck out of all of it? From a legal perspective, the whole thing is probably gray enough that no matter the approach taken, lots of legal fees and potentially lots of HIPAA penalties can result.