by Brian L. Grant MD
That HIPAA is misunderstood is an understatement. As this article in The New York Times describes, HIPAA is used as an excuse for absurd interpretations and, ultimately, a denial of rights to communicate by non-covered entities, a refusal to receive information from family members, churches that erroneously believe they can no longer share the fact that a congregant may be ailing, and other forms of nonsense.
If I had a quarter for every person who made declarative but incorrect statements about HIPAA, it would buy a lot of coffee, and some pastries to boot!
The goal of HIPAA is to maintain the privacy of medical information. But many questions remain. For example, why is unencrypted email apparently unacceptable but a fax is OK, though many senders or recipients of faxes send the faxed documents as Internet attachments? Is an email less secure than the US mail, which could result in a piece of paper lying on a desk in plain sight of the wrong people? I imagine that if the NSA or North Korea has an interest in the files of a medical practice, they may view them with minor effort. But does encrypting email actually solve a problem of files being compromised? The reality is that unencrypted email use is not prohibited. What is prohibited is the accessing and reading of such information by one or more individuals who are not authorized. That raises the theoretical concern that people with time on their hands at Yahoo or Google are opening and viewing emails containing PHI (protected health information).
Protecting medical privacy is important, and HIPAA is well-intended. To the degree it compels the profession to establish guidelines, training, and evaluation of who shares medical information and how, it is a good thing. But we have a ways to go to achieve clarity, reduce barriers to good care, and maintain compassion along with common sense.