If You Buy a Donut, You May Hear From Your Doctor

Cross-posted on LinkedIn

The Health Information Portability and Accountability Act (HIPAA) has fascinated me since it was first passed in 1996. You know HIPAA. It’s the reason you sign a lot of papers when you go to the doctor that allow them to share your private health information with other providers.

To give you a little background, I was fortunate enough to be involved in some early HIPAA analysis for the pharmaceutical industry and, as a result, the whole issue of privacy of patient records has remained on my radar screen. As HIPAA was hammered out, one of the major concerns of our client was that pharmaceutical companies would not have access to individual patient records so they could use them for drug marketing efforts.

So today, when the news hit (see http://mobile.bloomberg.com/news/2014-06-26/hosptials-soon-see-donuts-to-cigarette-charges-for-health.html) that hospitals, doctors and insurance companies may track your private purchases at, say, Dunkin Donuts and pass that information on to your healthcare providers, it sort of made me wince. No, actually, I think I wanted to scream, “Are you kidding?”

It is nearly impossible to describe the kind of thought and the hours of debate that went into the nitty gritty details of HIPAA to come up with a workable law that protected patient privacy. I wrote a response to the federal regulations for a major pharmaceutical company so I read that law, line-by-line. Don’t ask me now about the details, but in an overarching way I remember that the point was to protect the privacy of individual data in the interest of having access to aggregated, de-identified data to study populations.

For the purposes of research and to derive clinical protocols, this makes a whole bunch of sense. We don’t need to know who you are, individually, but it makes sense for healthcare researchers to have access to everyone’s healthcare data so we know what costs money and what works. Under this scheme, your individual right to consume Boston crème donuts is protected…theoretically. Your private healthcare information collected at the point of care is used to care for you, period.

Now, one of the reasons I reacted strongly to this story today is that – just yesterday – I was exposed to an unintended consequence of HIPAA that has negatively impacted healthcare workers. I spent the day training healthcare providers in a long-term-care facility about how to respond to patient aggression. In the nursing home population of mostly infirm elderly often with dementia, aggression is a fairly common and serious problem. At least 8 workers in this particular facility had incurred injuries this year from bites, scratches, kicks, and so on from agitated patients.

One of the issues is that, due to HIPAA regulations which require the privacy of patient information, patients who are prone to aggression can no longer be identified publicly. That means that the staff can no longer place a little symbol on their door (even something as innocuous as the picture of a small, furry animal or some other clue) to identify that the patient inside may be prone to violence. So, caregivers who are new or occasional cannot immediately identify which patients require special handling or backup.

Which leads me back to the Boston crème donuts.

HIPAA laws were intended to protect the privacy of patient data especially as electronic patient records were anticipated. It was believed, in the late ’90s, that one of the biggest hurdles to the uptake and full use of electronic patient data was concern for the privacy of patients’ medical information. Once a patient’s private health information was out there in the ether, might someone use it against them? Would it make it harder to get insured? Would their insurance rates rise? Could their health status be used to discriminate against them by their employer? What about a legal case, like a divorce?

It seems that the latest news that our personally identifiable private consumer purchases can be put in the hands of our healthcare providers violates the spirit, if not the letter, of the intent of the HIPAA privacy laws. Should private consumer purchases be subject to HIPAA if they occur outside the protected health records environment but are then entered into the health record? What if those same purchases are inferred – correctly or not – to impact our health? Hmmmm…

At the same time, as evidenced by the injured caregivers at the nursing home yesterday, important information that caregivers need at the point of care is being withheld due to patient privacy concerns.

I wonder if the law of unintended consequences has devolved to its illogical conclusion. What about patient safety? Caregiver safety? Having access to the information that you need at the point of care?

With the caveat that I am not a lawyer and not current on the latest gyrations in the HIPAA law, I would invite comment from people who are closer to this issue to offer insight. Maybe I’m mixing apples and oranges, but it seems the core issue here (pun intended) is the privacy of our personal information, who legitimately needs access to it and under what circumstances.

Until then, my spidey sense tells me that some things aren’t working out quite the way the framers of the HIPAA law had intended.

