
November 08, 2007

Online Doctors, Privacy, and the Almighty Dollar

Last month a slew of media outlets caught wind of Jay Parkinson, a 31-year-old Brooklyn-based M.D. who provides care for his patients through the Internet. Here’s how it works: you get an initial in-person consultation at your home or office. After that, you can ask Parkinson questions online through instant message or video chat; e-mail him digital images of minor wounds, rashes, etc., that he can then diagnose; have him help contact, call ahead, and inform specialists when you need their help; and generally fulfill most basic medical consultation functions online.

Parkinson’s work raises a lot of questions, but first among them may be this: how come my doctor isn’t utilizing virtual communication to its fullest potential?

Part of doctors’ technophobia stems from their lack of incentives to engage with the virtual world: they’re not reimbursed for virtual consultations that may be deemed “self-management support activities,” or good old-fashioned advice about do-it-yourself care. As little as eight percent of patients communicate with their doctors via e-mail—a shame, considering in the latest issue of JAMA, Tom Delbanco from Harvard Medical School estimated that 50 percent of visits to the physician are unnecessary and could probably be dealt with online.

But there are other reasons why doctors are reluctant to take their practice online. For most doctors, communicating sensitive patient information without special, government-approved secure platforms is illegal under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, originally passed in 1996, was revised in 2002 by the Bush Administration to incorporate a privacy rule that came into effect in 2003. The privacy rule regulates the use and disclosure of private health information (PHI), which is information about “health status, provision of health care, or payment for health care that can be linked to an individual.” It’s this privacy rule that makes so many doctors computer-shy.

Earlier this week on his blog, Parkinson gave an example of how a computer-savvy doc could get into trouble for communicating PHI: “John Smith is telling me about his seasonal allergy symptoms via AIM [America Online Instant Messenger]. Under HIPAA, if I were [instant messaging] with a patient using an unsecure chat application like AIM, I could face thousands of dollars in fines. If I revealed this health information with criminal intent, I could face up to $250,000 in fines and 10 years in prison.” Since Parkinson doesn’t accept insurance, he is not beholden to HIPAA; but for doctors who are partnered with health plans, online communication is a big no-no so long as there is the potential for hackers to swipe information transmitted in communication.

At times it seems that the government is serious about privacy. Parkinson asserts that “I can’t tell you how many phone and email solicitations I get from CEO’s of HIPAA compliance companies, warning me of the years I’ll spend in prison for HIPAA violations if I don’t purchase their $5,000 secure email application.” But that’s all Parkinson ever gets—a warning.

In fact, that’s all any doctors, including those actually bound by HIPAA, ever get. As of October of last year, 22,664 HIPAA privacy-related complaints had been filed since the privacy rule took effect—with not a single institution fined for its lapses. Kate Borton, former head of security at Massachusetts General Hospital in Boston, told MSNBC last fall that "enforcement [of HIPAA] is a farce... There is no funding for what we call the HIPAA police. It's a joke because there aren't any HIPAA police." To date the worst punishment has been a stern phone call from regulators.

So if they’re not enforced, what is the point of HIPAA’s privacy stipulations? Parkinson and others have an idea: the creation of new market opportunities for potential profiteers. Instituting PHI measures makes compliance a huge problem (at least on paper) in need of new solutions—i.e. new technologies, consultation, and contracts.

Spend some time Googling HIPAA compliance and you’ll find that indeed, a universe of market opportunities has sprung up around the law. Back in 2002, consultants were already advising each other to “help see that your firm will receive its share of HIPAA compliance contracts by educating potential clients now.” In 2003, the state of Nevada awarded a $61 million HIPAA compliance contract to First Health Services Inc. In 2005 California contracted with EpiForce to make sure its public servers were secure. Other companies looking to profit from HIPAA include LogLogic, “the log management & intelligence leader,” and companies offering compliance courses.

As a 2005 article in The Journal of Gastroenterology noted, the privacy rule creates a “dizzying set of health-care administrative activities and new work for legal consultants.” This is in part due to the fact that, beyond the vague goal of “privacy protection,” no one is sure what actually constitutes compliance with HIPAA—and so everyone is desperate to get help.

Earlier this year the Health Information Security and Privacy Collaboration (HISPC), a 33-state initiative created by the non-profit RTI International in order “to identify best practices in privacy protection efforts as well as variances in laws and business practices that pose barriers to nationwide sharing of electronic health information” had some bad news about HIPAA.

According to the HISPC report, “many healthcare practitioners across the country are still unsure of what the law requires and how its provisions interact with other state and federal privacy laws.” Another group of researchers found an “astounding array of different ways of interpreting these privacy laws.” Various organizations used HIPAA rules to inform a “set of practices that were seen as barriers to health information exchange, or had no effect on it, or indeed, might encourage it.” This is a broad spectrum of outcomes, to say the least.

HIPAA’s vague requirements not only affect the online sphere, but also some of the most commonplace medical practices. A health care organization that lists the ten worst ways a medical worker can compromise his or her patient’s privacy under HIPAA includes such offenses as posting pictures of newborns on the hospital bulletin board, using sign-in sheets, and leaving appointment reminders on people’s answering machines.

It’s clear that the scope of HIPAA has not been thought out—it’s more of a sketchy principle than an actual policy. But is this vagueness due to the greed of those who wanted to give birth to a compliance industry, or to a lack of foresight?

Consider this: in the U.S. we’ve been slowly opening up to electronic health care. We’re committed to giving most Americans medical records by 2014, and just last month, the U.S. Department of Health and Human Services granted over $22 million in contracts to nine companies in order to start regional networks of electronic health information. Eventually, these networks will merge into a “network of networks,” thus working toward national compatibility and moving toward nationwide electronic health records.

If we’re so open to electronic records, why the hesitation when it comes to electronic communication (not to mention reminder voicemails)? HIPAA supporters would claim privacy protection is their goal. But given how lax enforcement has been, the counter-productivity of HIPAA-induced confusion, and the many parties looking to profit from the policy, this is unconvincing. More plausible is the idea that someone, somewhere, saw the chance to manufacture a compliance industry and ran with it—at the expense of cost, efficiency, and consistency.

Comments

Niko,
I didn't think that you were on a "doctors should be on line rant" I just wanted to point out that as long as we don't reward efficiency it will be a long road to attain it. I would also like to note in regards to information trade. The new EMR systems allow the owners to "wash" the information and sell it like mailing lists. In my community the hospital owns about 80% of the healthcare market, they use one EMR and the info is sold to offset costs. It would be nice (though pollyanna) to think it was sold to researchers to improve overall health, but my guess is that it is sold to pharmaceutical co, DME co and the like such that they may target their marketing more efficiently.

Hello,

I just wanted to let you know that we featured this post on The Issue, a blog newspaper that pulls the best blog posts from across the internet. This was a wonderful post that we decided to feature in today's Business section. You can see it by going to www.TheIssue.com. Keep up the great work!

Matt

DrMatt, Merrill, Rob, Zagreus, and Geof,

Thanks for your comments. DrMatt and Merrill, the issue of how compensation is related to patient-doctor communication is a really big one, and I think that one really can't go off on a "doctors should be online!" rant (which I hope I haven't done!) without taking into account how that would factor into the business of medicine and the livelihood of medical professionals. I'll have to give this some thought, but there is definitely much to be said on reconfiguring physician compensation for the Internet age. It will also be interesting to see how Parkinson's practice progresses.

I thought you might all be interested to know another seedy detail about this whole affair. The 2002 revision of HIPAA's privacy stipulations not only made things more complicated, thus creating a compliance industry; they also compromised privacy in order to let institutions commercialize patient information more easily.

A summary of the reforms makes this clear. http://www.dlapiper.com/global/publications/Detail.aspx?ref=rv&pub=928
Note especially how the definition of marketing is diluted so that privacy is no longer essential when doctors communicate to patients about "(1) the participating providers and plans in a network, the services offered by a provider, or the benefits covered by a health plan; (2) the individual's treatment; or (3) case management for the individual, or recommendations for alternative treatments, therapies, health care providers, or settings of care." Marketing is "defined down" so that it can slip through the PHI cracks more easily.

A 2003 editorial notes that it's not just that organizations can get away with marketing without calling it such; but also that the universe of exemptions--when it's OK to share patient information--has been expanded to an almost absurd degree, all to give maximum wiggle room to the profit crowd.
http://www.patientprivacyrights.org/site/News2?page=NewsArticle&id=5075

The 2002 revision that most clearly shows the extent to which rules were changed to make a buck is this: the original HIPAA privacy rule protected "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated."

But the amended rule, post-2002, revoked that right: "The consent provisions (in the Original Rule)...are replaced with a new provision...that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations." Treatment, health care, and operations--this pretty much covers anything related to medicine!

You can see that the 2002 revisions aren't just confusing for those trying to be compliant, but also easily manipulable by those looking to exploit them for profit.

One more impediment in the CURE FOR CANCER: Information

Good news is eventually policy makers will become informed and understand the short-sightedness of many current policies and regulations. Interesting piece! and feedback from Dr. Matt

From PC of a non medical professional

So there are fines for discussing health information with a patient because there is some possibility that the conversation could be monitored, and privacy could be breached.

Meanwhile, the very same administration goes out of its way to monitor conversations, and argues that there is no expectation of privacy to begin with.

So. I guess never mind any advances in distance-medicine. We'll all meet secretly in dark, anechoic chambers and speak in whispers.

This is dumb.

When appropriate being the key sentiment. We manage many a disease after hours over the phone without face time, the difference being if you call a large clinic during the day the doc is busy and you get a non medically trained person answering the phone, thus making appointments (with pressure to keep the schedule full for financial reasons). I have seen many a patient in my clinics that I immediately thought "you didn't need to come in for this". But, during what portion of a 10-12hr packed clinic day when would I call, or answer emails for that matter? Again, the incentive is to fill the clinic for financial viability, there is no incentive to "not waste people's time". Personally I wouldn't want to substitute email for face time, but if it is safe, and feasible it sure would open up a lot of clinic time that is sorely needed for people who end up sent to the ER to be evaluated by a doctor that doesn't know them.

Dr. Matt,
If physicians were on salary, substituting email communication for face time when appropriate wouldn't be a problem.

Kyrie Karvouni,

Excellent post.

Get a good lawyer into my corner and I'll be glad to try something new.

It ain't JUST HIPAA. It's the basic liability questions that make people nervous. Most small businesses like to see someone else take a chance first; there is already so much risk involved. Who is crazy enough to try providing personalized health information and advice without the expected examination and laboratory back-up? A paradigm shift, privacy concerns, and medical malpractice have killed the video star.

Enjoy the radio.

Niko,
First about HIPAA, nice piece, I remember thinking when it first came out "Has there been a rash of misuse of private health care information? Are people buying other people's health information on the black market?" I couldn't understand the need for a new law to protect privacy when the medical profession has been doing it for centuries. You should also mention that when someone has HIV or a history of drug or alcohol abuse they have to sign different forms, "double secret privacy" (reminds me of "Animal House").

Online communication. It is the business of medicine more than anything else, I think, that limits this. You don't get compensated for non face to face interaction. I don't know about a 50% decrease in office visits, but for a PCP that would equal 50% decrease in an ever shrinking income. I remember trying to explain it to my patients when they were frustrated with having to come to the office for something, I would say, "you wouldn't call your plumber and just ask him to direct you over the phone on how to fix the sink?" Personally, I would love to save people the trip and time, I truly believe that health care knowledge belongs to all of us, I am just a repository. But, I must feed my family.
