In general, I feel that HIPAA is a good set of laws to use as a minimum standard for patient privacy and confidentiality. In particular, the security portion of the law should be used to govern any electronic information exchange.

1) Enforceable mechanisms: This area poses great challenges. In my work, I encounter different levels of compliance with the HIPAA laws. Hospital personnel seem to follow the law very well. Of the 16,000 employees in our hospital system, I experience a very low number of infractions. I believe that this is due to a constant offering of educational materials that deal with various aspects of the law as it pertains to everyday tasks. In physician offices, however, it is a very different story. Hospital personnel who work with physician office staff report a much more lackadaisical attitude toward patient privacy, with some office staff members freely sharing information among themselves that was obtained by inappropriate access to patient data. Also, physicians seem to opt for convenience in obtaining data rather than observance of privacy laws. Some readily share passwords or other means of gaining access to data systems. Therefore, enforcement measures and punitive sanctions should perhaps be stronger than HIPAA's. I fear that with a national information exchange system, the temptation will be great for office staff to obtain information about people they know. I feel that accountability should lie with the physician. The physician should be responsible for sanctioning office staff very seriously for any infractions. Also, because of this risk, I feel that the information available should be limited. Rather than have a large amount of health information available through the exchange, I feel that it should be limited to a patient’s “basic health profile”. This profile should include basic information only about the patient. I thought perhaps that if more information is wanted by a physician, then the patient could allow further levels of his/her information to be tapped as needed. However, I also believe that if the information is in the system at all, then someone will be able to gain access to it inappropriately.
I don’t think that even many levels of security can stop individuals from obtaining information if they want to get it. If they do breach, then they should be dealt with in a very serious manner by the physician.

4) A) In the state of Florida, there would be problems because of this. Privacy laws are generally stricter for hospitals than HIPAA, and less strict for physician offices than for hospitals. There are already problems with the sharing of information between hospitals and physician offices. With other entities involved nationwide, there would be hindrances in the ability to share information. A solution to this is the ability of all entities to easily obtain patient permission to share information. This could be in the form of a patient authorization obtained upon issuance of a card, password, etc. This would enable the entity to obtain permission to share data as soon as the card/password is presented by the patient. This solution, however, does not preclude the laws of certain states. Some states would have to modify privacy laws to allow for this type of “instant authorization”. I still hold fears regarding this solution. As is evident today with credit card fraud, there will most assuredly be “health card fraud”. What safeguards can be taken to avoid this? Absolute identification of the holder through multiple levels of ID, and/or through biometric methods, may be the solution. One problem that also must be solved: the people who visit physicians and hospitals the most, and for whom information sharing would be the most advantageous, are the elderly. How do you propose to identify caregivers and/or “authorized representatives”? This will be an operational nightmare for large hospital systems. It should be for physician offices also, but I sense that many will not care as much what type of identification is presented for a patient. This last statement is an opinion offered from personal experience.

Thank you,

Cathy duTreil

Florida Hospital Director of Privacy