Risk managers and compliance officers have heard the same complaint from so many clinicians: Complying with HIPAA gets in the way of interacting well with patients. And they’re right.
There is evidence to back up their complaints, but it doesn’t have to be that way, says Ameet Sarpatwari, JD, PhD, instructor in medicine at Harvard Medical School and assistant director of the Program on Regulation, Therapeutics, and Law in the Division of Pharmacoepidemiology and Pharmacoeconomics at Brigham and Women’s Hospital in Boston. Misinterpreting HIPAA as inflexible is a key problem, he says.
HIPAA often prevents providers from properly engaging patients, according to a recent report in The New England Journal of Medicine by Sarpatwari et al. (An abstract of the study is available online at http://bit.ly/2m0ZF4B.)
Covered entities and business associates are so afraid of HIPAA noncompliance penalties that they have “understandably interpreted HIPAA conservatively,” the report says.
Conservative interpretations often mean saying no when someone requests information, which can stifle communication and hamper patient engagement, Sarpatwari says.
“It is easy to establish blanket policies from an administrative perspective because it requires fewer resources to comply and monitor compliance,” Sarpatwari says. “But that fails to capitalize on approaches that could foster patient engagement but also be HIPAA-compliant.”
The use of encryption, while highly touted for improved security, can be detrimental to patient engagement. When a patient receives an encrypted message on a patient portal, the content of the message may be mundane but may require more effort and time than the patient is willing to take, he says.
“It might just be a notification that a prescription is ready, or it could be something more significant, but the steps necessary to read that message are often a bit of a hassle,” he explains. “That can discourage engagement in the health system, but that encryption is an addressable issue. There is discretion as to whether it is necessary, but there is a misnomer that HIPAA is inflexible. It’s actually quite flexible.”
Healthcare providers are not capitalizing on that flexibility, he says. There are ways to improve patient engagement without violating HIPAA, he notes, including the more strategic use of patient portals, Bluetooth-enabled biometric devices, smartphone applications, and text messages, which all can help improve patient engagement.
In addition, clinicians should be given some leeway to use common sense with individual patients, Sarpatwari says. The clinician can ask the patient if anyone else has access to the email address on file, and if the answer is no, there may be no need for encryption, he says.
“You can craft a more tailored policy that is still HIPAA-compliant but encourages more patient engagement,” he says. “The trouble comes when you try to impose one blanket policy that takes the most conservative approach so that you can be assured every single encounter is HIPAA-compliant even if it means you’re inconveniencing people and discouraging the patient engagement that is so important to providing good care.”
Another possible solution is for providers to let patients opt into a system that allows sharing of protected health information, Sarpatwari says. That could require amending current HIPAA laws, but would it improve patient engagement for many people, he asks.
“There can be a greater discussion in the industry about steps that could be taken to make sure patients are aware of the risks and can give informed consent to have their information shared without encryption and without some of the other impediments to patient engagement,” he says. “Those are the areas where you can craft more tailored policies that don’t come in a one-size-fits-all approach.”
- Ameet Sarpatwari, JD, PhD, Instructor in Medicine, Harvard Medical School; Assistant Director, Program on Regulation, Therapeutics, and Law, Division of Pharmacoepidemiology and Pharmacoeconomics, Brigham and Women’s Hospital, Boston. Phone: (617) 278-0930. Email: firstname.lastname@example.org.