How Privacy Policies Impair Patient Care and Medical Progress

The Health Insurance Portability and Accountability Act (HIPAA) has had a positive impact on the day-to-day practice of medicine — it has also had a major negative impact. Although designed to protect patient privacy and confidentiality in a digital world, it was never intended to interfere with the ability of health care providers to deliver necessary and timely care, or medical researchers to share discoveries. Unfortunately, hospital and institutional privacy policies based on this law have done just that.

Hospitals have created privacy rules that are far more limiting that the law requires. For example, contrary to common belief, there is no provision in HIPAA that requires a physician who is caring for a patient to have that patient sign a release of information form in order to obtain the patient’s outside medical records. It is not uncommon that a patient is undergoing a procedure when it is determined that additional outside information, such as a prior operative report, would be helpful in the care of that patient. Inevitably, efforts to obtain critical information are often thwarted by someone from the outside institution on the other end of the phone insisting that a signed release of information be sent — signed by the same patient who is obviously under anesthesia. Strict privacy policies such as this go beyond what the law requires, are based on either a misunderstanding of the privacy laws or overzealous compliance efforts, are a result of conservative attorney counsel rather than the judgment of health care professionals, defies common sense, and are not in the best interest of patients.

Privacy laws were also never intended to obstruct medical research, but institutional policies and procedures are also doing just that. Medical research and quality improvement efforts take advantage of large patient registries. Institutional Review Boards (IRBs) permit collection of this type of patient data in electronic databases for internal use provided that the data is deidentified and secure, and that the information is not published. However, if an investigator chooses to publish some interesting observations from such a deidentified database, permission must be obtained from the IRB. It is not clear what the purpose of such a control mechanism is. Dissemination of knowledge is one of the most important missions of medical research. If the information from patient databases can be used for internal use, then why place additional hurdles in front of those trying to share the information?

To add to the confusion, these research-related privacy rules are not consistently applied to all parties involved in research. Take the ACC-NCDR^® National ICD Registry, for example. Extensive amounts of information are collected on every patient who undergoes implantation of a defibrillator in the United States. This data is centralized and kept confidential. Reimbursement by Medicare is actually contingent upon its collection and submission. Fortunately, data from this registry is being published. It wouldn’t make sense to not share this information — and yet patients consent to none of it. Why are some investigators required to get IRB approval before publishing studies using their own deidentified patient databases, while other investigators are publishing studies using national databases that contain confidential information taken from thousands of patients without their consent?

Other inconsistencies in health care privacy laws abound. At the time every pacemaker and defibrillator is implanted in the United States, patient information is collected by the manufacturer of the device. This registration information is entered into a database at the company and is clearly not deidentified. However, collection of this information is invaluable. At any time, a nurse in the device clinic can call a pacemaker company with the patient’s name and date of birth, and get information regarding the device that the patient has. This same information is used by the major device manufacturers to generate annual device and lead performance reports, and to notify patients who have undergone implantation of a recalled device. The FDA has encouraged long-term analyses of medical device performance using this type of data. Patients sign nothing.

Privacy laws are important. No one believes that patients should not be protected against unauthorized release of sensitive health information. Hospital employees now know better than to snoop in a VIP’s hospital chart. However, the pendulum has swung way too far. Overreaching privacy rules interfere with effective and efficient patient care, and hobble dissemination of important medical information. Institutions should reexamine privacy policies that do more to interfere with good patient care than protect patient privacy, and that hold individual medical investigators to a different standard than companies and large organizations.