Lack of HIPAA enforcement prompts fear of privacy erosion
An article (subscribers only) by Theo Francis in last month's Wall Street Journal tells the story of a 51-year-old lawyer who has unsuccessfully fought to keep her psychotherapist’s notes from companies such as the health insurance carrier at her job. She was turned down for disability benefits based on these notes, which her therapist assured her would remain confidential. Unfortunately, some of these notes were entered into her general electronic medical record and, despite her requests, will remain there.
When HIPAA was written, it stipulated that psych records should be kept separate and protected from access, unlike the general medical record.
The article reports on the track record of enforcement on HIPAA complaints. While there has been a rising trend of medical-privacy complaints received by the Department of Health and Human Services (HHS), averaging about 600 per month in 2006, “it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations.” There have been about 24,000 privacy complaints since April 2003, with three-quarters dismissed, either because no violation was found or the situation was resolved with “informal guidance.”
MedInformaticsMD, a blogger at Health Care Renewal, responded with a letter to the WSJ, pointing out that clinical computing needs to be treated differently than business computing in order to preserve doctor-patient confidentiality; suggesting that an advocacy movement is needed here in the US, much like the one (The Big Opt Out) in the UK; and warning, "if you want to keep information secure, don't put it on a computer." This last point refers to types of clinical data, such as psychotherapy notes, that need special consideration of privacy, security and confidentiality. He calls on the Office of the National Coordinator for Health IT (ONCHIT) in the Dept. of Health and Human Services to spearhead this strategy.