Most people, even those not in a medical profession, have heard of HIPAA, although most people do not actually know how it is spelled or what it stands for.
It was created in 1996 as the Health Insurance Portability and Accountability Act to protect the privacy of health information. As the information increasingly became electronic, the security rule was added in 2003, and it is more important than ever in this new era of cyber attacks. Healthcare organizations and payers subject to HIPAA, known as Covered Entities, and anyone they contract with who has access to protected health information, known as Business Associates, are required to adhere to the standards set forth in order to prevent breaches of information, both as it exists within their organizations and in motion between organizations. As organizations continue to work with reduced budgets and leaner teams, meticulous oversight requiring highly skilled resources becomes difficult and costly.
Provided the mechanism for delivering information has been made secure, the next challenge comes with an inconsistency between laws. HIPAA applies to all protected health information, but there is another law, CFR 42 Part 2, that provides additional protections for substance abuse records. With HIPAA, information may be shared for treatment, payment, and healthcare operations without patient consent. However, CFR 42 Part 2 does not allow sharing of information without explicit patient consent. Therefore, a provider in possession of a patient’s substance abuse records could not send them to an emergency department for a non-responsive patient. This poses a threat to patient safety and optimum treatment outcomes.
The good news is, there are bills currently in the House (H.R.3545 – Indiana Reps Brooks and Banks are co-sponsors) and Senate (S.1850 – Indiana Senator Joe Donnelly is a co-sponsor) to allow for the sharing in those scenarios and align the two laws. Another area that sometimes finds misalignment is that each state also has its own laws governing medical records, with some being more stringent than HIPAA. Each state also holds its own rules as to whether a patient has to provide explicit consent for his or her information to be shared with a health information exchange, which is very difficult to manage from a healthcare provider's technical and operational standpoint, especially for organizations serving patients in more than one state.
Healthcare organizations walk a high-flying tightrope in trying to perfectly balance the highest level of protections for patient health information with delivering the right information at the right time to provide the most appropriate clinical care. Sometimes regulations created to be in the best interest of the public become a barrier when the needs of the healthcare landscape evolve over time. The way to attack these barriers, and not fall off the tightrope, is to inform legislators where the issues exist and share our patients’ stories with them. If you would like to know more about your rights regarding health information, this is a great page for the general public from Health and Human Services.