The Myths and Meaning of HIPAA

When I was a child, the threat “just wait ‘til your father gets home” was enough to make me change my attitude. I wasn’t punished much as a child, and time with my father was far more happy and positive than not, but that phrase still resonated. The Health Insurance Portability and Accountability Act (HIPAA), in many ways, is like that threat.

HIPAA often inspires doom, gloom, and fear. Because of that, it can lead to unintended expectations and behaviors regarding patient information, making effective care coordination a challenge. In reality, HIPAA gives us some guidance about the protection of information and is a very real threat - only if you ignore it. However, it’s not all doom and gloom.

Can vs Can’t

First, let’s take a look at what you can do with patient medical data under HIPAA. You can:

• Connect

• Share

• Cooperate

• Consult

• Question

• Exchange

• Communicate

• Treat

That’s a significant list and it’s all about coordination.  

Now let’s compare that to what you can’t do with this same information under HIPAA. You can’t:

• Ignore

• Distribute

• Expose

• Publish

It’s easy to see how this can be confusing. The security and privacy standards defined by HIPAA combined, with the expanded responsibilities under the Omnibus Rule, have created layers of bureaucracy and whole industries have sprung up to “explain” it. 

Stewardship

So let’s step back for a minute and look at what HIPAA is really supposed to be about, which to me, is stewardship. Stewardship is the responsible overseeing and protection of something considered worth caring for and preserving. On the official Federal site, it says that the HIPAA Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information.”

Stewardship implies a personal ownership and responsibility.  The word “ethic” implies that very high personal and professional standards should be applied to the responsible management and protection of a patient’s information. So it is really about taking care of the health information entrusted to you.

Perhaps the biggest shift in mindset for physicians in the last several years has been the emergence of patient health information as a valuable component of their practice and to treat it accordingly.  Let me use an analogy and compare money to information. As a person, you don’t carelessly give away your money or leave it lying around. You don’t share your financial account logins with strangers and you certainly wouldn’t want your financial records being released, exposed or published. As part of our upbringing, from our initial allowance to our first job to your career today, we have been learning about money, its value, and the steps we should take to protect it. Being good stewards of money is a role we recognize and understand. Patient health information should be viewed in the same way.

Medical records are filled with personal data, otherwise known as protected health information (PHI).  Once we make the connection that information or data has value and must be treated like money, the standards for HIPAA stop being cumbersome and start being understandable. 

Can and Can’t Revisited

So with good stewardship in mind, let’s go back to the “can I” or “can’t I” question and ask yourself the following:  

•Can I connect with another person about a patient? Yes, just make sure that your method of connection is safe and that you have a valid reason for doing so.

• Can I share a patient’s record with another provider? Absolutely, provided that you take steps to ensure the information is protected.

• Can I cooperate and consult on patients? Of course, but do so in a manner that maintains a patient’s privacy and the protection of the data.

There are a lot of myths around HIPAA, and while the “letter of the law” be confusing at times, “the spirit” and meaning is clear. HIPAA really does not need to be confusing. Be a good steward of the information in your practice of medicine, and you’ll be a long way down the path of complying with HIPAA regulations.

Andy Nieto is the IT Strategist for DataMotion, an experienced email encryption and health information service provider (HISP). DataMotion was founded in 1999, and today, millions of desktop, tablet and mobile users leverage its mature, cloud-based data delivery platform to transmit electronic information to employees, customers and partners in a secure and compliant way.