I am on a mission to put "portability" back into HIPAA, the 1996 law that protects patients' private health information (PHI) from being shared inappropriately. In the almost 20 years since HIPAA was signed into law, there have been increasing barriers on physicians who need to share (and obtain) PHI for patients. This fear and misunderstanding of the law has led medical practices to a place where physicians and administrators now hesitate to share information for legitimate and legal purposes, wasting time and money as well as putting patients and the public at risk.
Here is a common scenario in our pediatric practice: A parent switches jobs and the new employer has a different insurance plan than the family had previously. The children in the family see a pediatrician not in network with the new insurance plan, so to control out-of-pocket costs, the family must switch to our practice. I call the old practice to obtain the "minimum necessary" records to continue care for the patient and am told the parent must complete a form and possibly submit some payment to the past provider in order to obtain the records.
I gently (sometimes) explain to the other practice that HIPAA "allows covered healthcare providers to share protected health information for treatment purposes without patient authorization." In spite of this, I am told the form is the practice's policy and they won't budge.
Here is another: A baby is born prematurely at the hospital where she undergoes a number of lab tests. A few weeks later, the baby is now being treated at our office. Prior to the exam, we contact the hospital seeking lab results that would be relevant to the baby's current care needs. We are told by the hospital's medical records department that they won't share information with us without the parent's signature on their completed form.
Clearly there needs to be better education and communication on this subject. I have asked the Massachusetts Medical Society (MMS), a few times and to date without a reply, what their recommended best practices are in facilitating provider-to-provider communication of PHI. Interestingly, though, the MMS promoted, for a fee, a webinar to explain "new complex patient privacy requirements" to providers. Oh good; more fear and loathing in sharing PHI.
I'll end with my own family's example. In 2008, my husband and I adopted our son, Andrew, from foster care. Like many foster children, Andrew's medical records were spread around at different doctors' offices, social workers' desks and various foster parents' files. No one person knew exactly which vaccines Andrew had received to date; and we were under a lot of pressure from Andrew's preschool to submit a complete and up-to-date vaccine record (no doubt, the preschool was under significant pressure from the state, as well). We did try calling the clinics we knew he had been treated at, but the paperwork hoops we'd have to jump through to obtain the records were too time-consuming (and no guarantee).
And so, we had Andrew's current pediatrician vaccinate him on everything he needed if we didn't have a written record of past vaccination. Clinically, there is no more risk to doing this than giving any other vaccine; however, the financial conservative in me was furious. The State of Massachusetts potentially paid twice for expensive vaccines my son may (or may not) have already received.
I can't help wondering, how many other cases like Andrew's are there in Massachusetts (and other states for that matter)? And how much was spent to revaccinate them? Or worse, assumed vaccines were given and then not vaccinated them at all putting the child and the community at risk?
As a patient and a parent, I value the parts of HIPAA that keep PHI out of the hands of marketers or other groups that would use the information for illegitimate purposes. That said, our legislators — on both the state and federal level — need to do a better job clarifying and educating the public and the provider community as to what legitimate and legal sharing of information looks like to increase both individual and public health status.
And if the current law is too restrictive for provider-to-provider communications, our lawmakers need to put the "portability" back into HIPAA, stat.
Leann DiDomenico McAllister, MBA is the administrative director and co-founder of Performance Pediatrics, a primary-care pediatric "micro practice" in Plymouth, Mass. She also serves on the operations committee of the Pediatric Physician’s Association at Boston Children’s Hospital. Contact Leann via LinkedIn.