Recently, Brian Murphy, analyst for Chilmark Research, released a post titled “HIPAA Must Die” pertaining to the complex nexus of federal and state HIPAA healthcare regulations for patient privacy and security.
Murphy states “the time has come for healthcare providers and other stakeholders to call for a harmonized regulatory regime for a tangle of issues in healthcare.” I am a major fan of the work Chilmark publishes, but had questions arise soon after a review of Murphy’s statements.
Are the differences between federal and state HIPAA regulations affecting the quality of patient privacy and security?
Initially, we at Datica are inclined to concur with Murphy that differing federal and state laws only blur the already skewed lines of HIPAA even further, resulting in a diminished level of privacy and security applied to PHI. After extended thought, however, I asked myself:
How would the quality of privacy and security applied to PHI be adversely affected if precedence is set by whichever is more stringent — state law or HIPAA?
For example, HIPAA grants patients access to their records with the exception of psychotherapy notes, but in Vermont patients can access their psychotherapy notes under state law. Since Vermont law provides greater rights from the patient’s standpoint, state law takes precedence over federal HIPAA regulations. I do not see where a diminished quality of patient privacy and security is taking place.
There are many other examples that show the differences between federal and state HIPAA laws. Why is there a need for a single administrative standard of regulations, especially when HIPAA does not prevent states from enacting laws that serve to enhance patient privacy, and when clinicians are assumed to know the workings of both federal and state HIPAA provisions? As the old saying goes, if it’s not broken, don’t fix it.
We do agree with Murphy that complexities arise from the various interpretations of HIPAA. For example, on September 1, 2012, Texas enacted the Texas Medical Records Privacy Act, which mandates that healthcare providers (including mental health providers) extend additional protections to consumers. This Act applies a more extensive scope than HIPAA, as it pertains not only to healthcare providers, health plans, and other insurance-claim-related entities, but also to any individual, organization, or business that obtains, stores, or has control of PHI, as well as their agents and staff members if they produce, acquire, or transmit PHI. Under this Act, individuals, businesses, and entities must adhere to several extensive requirements that could produce an administrator’s worst nightmare. Because of such harsh regulations, most businesses will avoid Texas, resulting in a lack of immediate healthcare innovation for the state, among other ramifications.
In this instance, an industry-backed approach like HITRUST could be seen as an efficient alternative, as it is modeled after PCI and is written by private-sector and non-government entities.
With Vermont and Texas on opposite sides of the spectrum, there is room for argument that while creating a single standard could reduce complexity, it could also reduce iteration by the states toward better policies related to core patient values—privacy and security.
What do you think?
HIPAA is not perfect, nor a gold standard, so changes will need to be made to avoid inefficiencies. In my opinion, a one-size-fits-all solution that does not allow for customization or flexibility has drawbacks that should be acknowledged and discussed before any sort of implementation is enacted. HIPAA is largely enforced by Covered Entities, not by HHS or the states, so we already have a complicated framework that will need to be adjusted.