Online Doctors, Privacy, and the Almighty Dollar

Last month a slew of media outlets caught wind of Jay Parkinson, a 31-year-old
Brooklyn-based M.D. who provides care for his patients through the Internet.
Here’s how it works: you get an initial in-person consultation at your home or
office. After that, you can ask Parkinson questions online through instant
message or video chat; e-mail him digital images of minor wounds, rashes, etc.,
that he can then diagnose; have him help contact, call ahead, and inform
specialists when you need their help; and generally fulfill most basic medical
consultation functions online.

Parkinson’s work raises a lot of questions, but first among them may be
this: how come my doctor isn’t utilizing virtual communication to its fullest
potential?

Part of doctors’ technophobia stems from their lack of incentives to engage
with the virtual world: they’re not reimbursed for virtual consultations that
may be deemed “self-management support activities,” or good old-fashioned advice
about do-it-yourself care. As few as eight percent of patients communicate with
their doctors via e-mail—a shame,
considering in the latest issue of JAMA, Tom Delbanco from Harvard Medical
School estimated that 50 percent of visits to the physician are unnecessary and
could probably be dealt with online.

But there are other reasons why doctors are reluctant to take their practice
online. For most doctors, communicating sensitive patient information without
special, government-approved secure platforms is illegal under the Health
Insurance Portability and Accountability Act (HIPAA). HIPAA, originally passed
in 1996, was revised in 2002 by the Bush Administration to incorporate a
privacy rule that came into effect in 2003. The privacy rule regulates the use
and disclosure of private health information (PHI),
which is information about “health status, provision of health care, or payment
for health care that can be linked to an individual.” It’s this privacy rule
that makes so many doctors computer-shy.

Earlier this week on his blog, Parkinson gave an example of how a computer-savvy doc could get into
trouble for communicating PHI: “John Smith
is telling me about his seasonal allergy symptoms via AIM [America Online Instant Messenger]. Under HIPAA, if I were [instant messaging]
with a patient using an unsecure chat application like AIM,
I could face thousands of dollars in fines. If I revealed this health
information with criminal intent, I could face up to $250,000 in fines and 10
years in prison.” Since Parkinson doesn’t accept insurance, he is not beholden
to HIPAA; but for doctors who are partnered with health plans, online
communication is a big no-no so long as there is the potential for hackers to
swipe information transmitted in communication.

At times it seems that the government is serious about privacy. Parkinson
asserts that “I can’t tell you how many phone and email solicitations I get
from CEO’s of HIPAA compliance companies, warning me of the years I’ll spend in
prison for HIPAA violations if I don’t purchase their $5,000 secure email
application.” But that’s all Parkinson ever gets—a warning.

In fact, that’s all any doctors, including those actually bound by HIPAA, ever
get. As of October of last year, 22,664 HIPAA
privacy-related complaints had been filed since the privacy rule took
effect—with not a single institution fined for its lapses. Kate Borton, former
head of security at Massachusetts General Hospital in Boston, told MSNBC last
fall that "enforcement [of HIPAA] is a farce… There is no funding
for what we call the HIPAA police. It’s a joke because there aren’t any HIPAA
police." To date the worst punishment has been a stern phone call from
regulators.

So if they’re not enforced, what is the point of HIPAA’s privacy
stipulations? Parkinson and others have an idea: the creation of new market
opportunities for potential profiteers. Instituting PHI measures makes compliance a huge problem (at least on paper) in need of new
solutions—i.e. new technologies, consultation, and contracts.

Spend some time Googling HIPAA compliance and you’ll find that indeed, a
universe of market opportunities has sprung up around the law. Back in 2002,
consultants were already advising each other to “help see that your firm will
receive its share of HIPAA compliance contracts by educating potential clients
now.” In 2003, the state of Nevada awarded a $61 million HIPAA compliance
contract to First Health Services Inc. In 2005 California
contracted with EpiForce
to make sure its public servers were secure. Other companies looking to profit from
HIPAA include LogLogic, “the log management & intelligence leader,” and
companies offering compliance courses.

As a 2005 article in The Journal of Gastroenterology noted, the privacy rule
creates a “dizzying set of health-care administrative activities and new work
for legal consultants.” This is in part due to the fact that, beyond the vague
goal of “privacy protection,” no
one is sure what actually constitutes compliance with HIPAA—and so everyone is
desperate to get help.

Earlier this year the Health Information Security and Privacy Collaboration
(HISPC), a 33-state initiative created by the non-profit RTI International in
order “to identify best practices in privacy protection efforts as well as
variances in laws and business practices that pose barriers to nationwide
sharing of electronic health information,” had some bad news about HIPAA.

According to the HISPC report, “many healthcare
practitioners across the country are still unsure of what the law requires and
how its provisions interact with other state and federal privacy laws.” Another
group of researchers found an
“astounding array of different ways of interpreting these privacy laws.”
Various organizations used HIPAA rules to inform a “set of practices that were
seen as barriers to health information exchange, or had no effect on it, or
indeed, might encourage it.” This is a broad spectrum of outcomes, to say the
least.

HIPAA’s vague requirements not only affect the online sphere, but also some
of the most commonplace medical practices. A health care organization that
lists the ten worst ways a medical worker can compromise
his or her patient’s privacy under HIPAA includes such offenses as posting
pictures of newborns on the hospital bulletin board, using sign-in sheets, and
leaving appointment reminders on people’s answering machines.

It’s clear that the scope of HIPAA has not been thought out—it’s more of a
sketchy principle than an actual policy. But is this vagueness due to the greed
of those who wanted to give birth to a compliance industry, or to a lack of
foresight?

Consider this: in the U.S. we’ve been slowly opening up to electronic health care. We’re committed to
giving most Americans medical records by 2014, and just last month, the U.S.
Department of Health and Human Services granted over $22 million in contracts to nine companies
in order to start regional networks of electronic health information.
Eventually, these networks will merge into a “network of networks,” thus
working toward national compatibility and moving toward nationwide electronic
health records.

If we’re so open to electronic records, why the hesitation when it comes to
electronic communication (not to mention reminder voicemails)? HIPAA supporters
would claim privacy protection is their goal. But given how lax enforcement has
been, the counter-productivity of HIPAA-induced confusion, and the many parties
looking to profit from the policy, this is unconvincing. More plausible is the
idea that someone, somewhere, saw the chance to manufacture a compliance industry
and ran with it—at the expense of cost, efficiency, and consistency.

12 thoughts on “Online Doctors, Privacy, and the Almighty Dollar”

  1. Niko,
    First about HIPAA, nice piece, I remember thinking when it first came out “Has there been a rash of misuse of private health care information? Are people buying other people’s health information on the black market?” I couldn’t understand the need for a new law to protect privacy when the medical profession has been doing it for centuries. You should also mention that when someone has HIV or a history of drug or alcohol abuse they have to sign different forms, “double secret privacy” (reminds me of “Animal House”).
    Online communication. It is the business of medicine more than anything else, I think, that limits this. You don’t get compensated for non face to face interaction. I don’t know about a 50% decrease in office visits, but for a PCP that would equal 50% decrease in an ever shrinking income. I remember trying to explain it to my patients when they were frustrated with having to come to the office for something, I would say, “you wouldn’t call your plumber and just ask him to direct you over the phone on how to fix the sink?” Personally, I would love to save people the trip and time, I truly believe that health care knowledge belongs to all of us, I am just a repository. But, I must feed my family.

  2. Kyrie Karvouni,
    Excellent post.
    Get a good lawyer into my corner and I’ll be glad to try something new.
    It ain’t JUST HIPAA. It’s the basic liability questions that make people nervous. Most small businesses like to see someone else take a chance first; there is already so much risk involved. Who is crazy enough to try providing personalized health information and advice without the expected examination and laboratory back-up? A paradigm shift, privacy concerns, and medical malpractice have killed the video star.
    Enjoy the radio.

  3. Dr. Matt,
    If physicians were on salary, substituting email communication for face time when appropriate wouldn’t be a problem.

  4. When appropriate being the key sentiment. We manage many a disease after hours over the phone without face time, the difference being if you call a large clinic during the day the doc is busy and you get a non medically trained person answering the phone, thus making appointments (with pressure to keep the schedule full for financial reasons). I have seen many a patient in my clinics that I immediately thought “you didn’t need to come in for this”. But, during what portion of a 10-12hr packed clinic day when would I call, or answer emails for that matter? Again, the incentive is to fill the clinic for financial viability, there is no incentive to “not waste people’s time”. Personally I wouldn’t want to substitute email for face time, but if it is safe, and feasible it sure would open up a lot of clinic time that is sorely needed for people who end up sent to the ER to be evaluated by a doctor that doesn’t know them.

  5. So there are fines for discussing health information with a patient because there is some possibility that the conversation could be monitored, and privacy could be breached.
    Meanwhile, the very same administration goes out of its way to monitor conversations, and argues that there is no expectation of privacy to begin with.
    So. I guess never mind any advances in distance-medicine. We’ll all meet secretly in dark, anechoic chambers and speak in whispers.
    This is dumb.

  6. One more impediment in the CURE FOR CANCER: Information
    Good news is eventually policy makers will become informed and understand the short-sightedness of many current policies and regulations. Interesting piece! and feedback from Dr. Matt
    From PC of a non medical professional

  7. DrMatt, Merrill, Rob, Zagreus, and Geof,
    Thanks for your comments. DrMatt and Merrill, the issue of how compensation is related to patient-doctor communication is a really big one, and I think that one really can’t go off on a “doctors should be online!” rant (which I hope I haven’t done!) without taking into account how that would factor into the business of medicine and the livelihood of medical professionals. I’ll have to give this some thought, but there is definitely much to be said on reconfiguring physician compensation for the Internet age. It will also be interesting to see how Parkinson’s practice progresses.
    I thought you might all be interested to know another seedy detail about this whole affair. The 2002 revision of HIPAA’s privacy stipulations not only made things more complicated, thus creating a compliance industry; they also compromised privacy in order to let institutions commercialize patient information more easily.
    A summary of the reforms makes this clear. http://www.dlapiper.com/global/publications/Detail.aspx?ref=rv&pub=928
    Note especially how the definition of marketing is diluted so that privacy is no longer essential when doctors communicate to patients about “(1) the participating providers and plans in a network, the services offered by a provider, or the benefits covered by a health plan; (2) the individual’s treatment; or (3) case management for the individual, or recommendations for alternative treatments, therapies, health care providers, or settings of care.” Marketing is “defined down” so that it can slip through the PHI cracks more easily.
    A 2003 editorial notes that it’s not just that organizations can get away with marketing without calling it such; but also that the universe of exemptions–when it’s OK to share patient information–has been expanded to an almost absurd degree, all to give maximum wiggle room to the profit crowd.
    http://www.patientprivacyrights.org/site/News2?page=NewsArticle&id=5075
    The 2002 revision that most clearly shows the extent to which rules were changed to make a buck is this: the original HIPAA privacy rule protected “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated.”
    But the amended rule, post-2002, revoked that right: “The consent provisions (in the Original Rule)…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations.” Treatment, health care, and operations–this pretty much covers anything related to medicine!
    You can see that the 2002 revisions aren’t just confusing for those trying to be compliant, but also easily manipulable by those looking to exploit them for profit.

  8. Hello,
    I just wanted to let you know that we featured this post on The Issue, a blog newspaper that pulls the best blog posts from across internet. This was a wonderful post that we decided to feature in today’s Business section. You can see it by going to http://www.TheIssue.com. Keep up the great work!
    Matt

  9. Niko,
    I didn’t think that you were on a “doctors should be on line rant” I just wanted to point out that as long as we don’t reward efficiency it will be a long road to attain it. I would also like to note in regards to information trade. The new EMR systems allow the owners to “wash” the information and sell it like mailing lists. In my community the hospital owns about 80% of the healthcare market, they use one EMR and the info is sold to offset costs. It would be nice (though pollyanna) to think it was sold to researchers to improve overall health, but my guess is that it is sold to pharmaceutical co, DME co and the like such that they may target their marketing more efficiently.
