HIPAA may protect patient information, but it has come at the cost of direct patient care.
A torrent of laws and regulations affecting healthcare has been unleashed since HIPAA was established in 1996. Compliance has commanded much of the typical healthcare organization's budget, staff, and attention not already devoted to direct patient care. There is little evidence to suggest that these regulations have dramatically helped patient care. For me, it is the patient who should command my attention; this shift in emphasis makes me concerned for the patients.
Here is an example. As you know, teaching hospitals are subject to regulations regarding resident work hours. The residents are reduced to being production-line shift workers. They have precious few hours that are not occupied by teaching conferences, rounds, meals, looking up lab results on archaic computers, typing notes, etc., to actually see patients. The combination of these time pressures and the odd schedules that result from the work-hour restrictions limit the resident’s ability to communicate face-to-face about their patients.
Bucking the trend, the residents (bless their idealism) still seem to think that patient care comes first. In this situation, communication is the problem and some residents have found readily available and effective solutions: Facebook, Twitter, and text messages.
You can imagine the reaction when the administrators discovered what was going on. A directive immediately went out to all service chiefs instructing them to chastise the residents and admonish them "not to do it again." What about the obvious need? What about the patients? Forget that stuff, the top priority is to avoid a HIPAA violation.
My first reaction was different. I saw in this example a new and important requirement that could be satisfied by a bit of technology and simultaneously reinforce the resident's comprehension of HIPAA. I started searching for ready-made solutions.
I found several. The first, the organization already has available: the Cisco Registered Envelope Service (CRES). This service allows businesses to send HIPAA-compliant encrypted messages by simply inserting "[SECURE]" at the beginning of an e-mail subject line. If the recipient is a member of the organization, reading the encrypted mail is transparent. If the recipient is external, they get a link to CRES, where they can read (and reply to) the message.
So why didn't the residents use this encrypted e-mail instead of resorting to Facebook? Answer: They are not given organizational e-mail accounts. There are over 1000 residents, rotators, and volunteer attendings and no doubt the management overhead is considered to be prohibitive. Frustrated, and with no approved method available, residents will do what needs to be done - "damn the torpedoes."
The second solution that I found is called Hushmail. It is similar to CRES, but it is free (or inexpensive). It's even easier to use with new or occasional recipients since it requires no registration on their part, it merely asks them a secret question. You can provide the answer, or a clue, in a separate message before sending the encrypted material.
Hushmail is slick and the provider is very responsive. You might find it useful at your medical practice, either on a regular basis or as a gentle on-ramp to exchanging e-mail with patients and colleagues - just remember to check the encrypted checkbox when you reply to a reply until they get that automated.
This simple example illustrates that complying with regulations has come to take precedence over the patient. Perhaps my emphasis on the patient is quaintly outdated. Samuel Shem may have been prescient in 1978 when he wrote, in "The House of God":
"Sit down!" said Fats. "What are you talking about, chart rack?"
"Aren't we going on work rounds?" asked the BMS.
"We are, right here."
"But… but we're not going to see the patients?"
"In internal medicine, there is virtually no need to see patients. Almost all patients are better off unseen. See these fingers?"
We looked carefully at the Fat Man's stubby fingers.
"These fingers do not touch bodies unless they have to... I've seen enough [patients…], to last me the rest of my life."
If this is a more correct view, it's convenient because, as things are going, after complying with all the regulations there will be no time left in which to see or touch the patients anyway.
Got to go now… they tell me I've already kept the next patient waiting too long.