The Real Reason Physicians Must Comply With HIPAA

There are two sides to every conflict. The first step toward resolution is convincing people they are on the same side, or at least pulling in the same direction. When it comes to conveying an understanding of why we need HIPAA compliance, government regulators are camped on one side of a very wide river, and physicians are scattered individually, or in groups, on the opposite shore.

Doctors don’t like HIPAA. Mostly, doctors don’t understand why we need a big, giant federal bureaucracy issuing fines and punishment over a simple thing like patient privacy. 

In my opinion, that’s the government’s fault. The government’s main website on the subject is titled, “Health Information Privacy,” and speaks about safety and privacy. Reading this, the government seems to be solely concerned with physician-patient confidentiality obligations, the kind expressed in AMA Ethics Opinion 5.05.

Patient confidentiality is not why HIPAA exists.  Confidentiality is common sense. It is a duty owed by the physician to the patient. It is insulting to doctors to be saddled with a federal bureaucracy just for that, and doctors are right. Lack of confidentiality owed to the patient isn’t the problem. Never was. 

The real issue, and the reason HIPAA exists is simply this: Criminals may take advantage of your failure to protect financial data, and the consequences of your carelessness may fall on someone else. Of course you have a duty to your patient. Absent HIPAA, there really isn’t any national law creating a duty on your part to act prudently for the protection of the financial system as a whole.

The government is trying to prevent criminals from perpetrating massive, highly-organized, financial thievery. Although the government really needs your help, it doesn't explain this to you, nor does it ask politely.

Protected health information (PHI) is valued by criminals. PHI theft is harder to detect. It takes longer to cancel stolen health identity than it does stolen credit cards. 

The patient doesn’t think twice about trusting you with insurance information, personal identification, social security number, address, and credit card information. The patient trusts that you know how to protect the data.

Many of you don’t. That’s why HIPAA exists. The physician’s office combines financial information with patient health information and diagnosis codes, and many of you store this data, unprotected, in computers, laptops, smartphones and iPads. You send it over the Internet, unencrypted. That is the problem HIPAA is trying to correct.  

Consider the following example: Three months after a patient visits his doctor, he applies for a job, and is turned down.  He has $250,000 in debt, and has no idea why. He can only recall giving personal information to one person: his doctor. His doctor, when questioned, explains that the office building experienced a break in, and some computers were stolen.

The doctor’s office did not protect the computers, laptops, iPads, and portable devices, and that is how the information was obtained. The practice could cost the financial system hundreds of thousands of dollars in unrecoverable losses. This is an interest worth protecting.

AMA Ethics Opinion 5.07  Confidentiality: Computers, addresses this concern in a very detailed manner. But again, ethics violations are enforced by a patchwork of state licensing boards.

That’s why the federal government is so serious about HIPAA compliance.  I can’t explain why the government is so reluctant to explain this to you on its website. Perhaps talking about the real problem would actually attract more criminals. Instead, you are insultingly led to believe that the problem is that you simply can’t be trusted with AMA Opinion 5.05 confidentiality duties owed to the patient.

Understand, you can be investigated by the federal government for disclosing simple patient confidences. When that happens, you will be asked by the Office for Civil Rights (OCR) to produce all of your documents showing full HIPAA compliance. HIPAA and HITECH were implemented in stages. The OCR will ask you to prove you met each deadline along the way. A very good checklist can be found here. 

The takeaway is this: The government isn’t trying to insult you over patient safety or individual privacy, or simply make work for you. The government needs your help in preventing theft. Stop fighting and get yourself compliant. Hire a consultant who can help you implement a plan tailored to your practice.

Next week, I will explain Business Associates Agreements, what they are, and why they are also necessary.