Has this ever happened to you: You have a patient who is seen by a consultant at another office or institution and subsequently you receive in your email a “secure” message that presumably has the consultant's report. You try to open it. It asks you to set up an account. You try to do this. Turns out you already had an account but you can't remember the password. You try a few times and then it rejects you. Or how about this: You can't even get this started because your own institution's firewall won't let you open this kind of message. Yep, it's secure all right!
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was well intentioned. People have a right to privacy and confidentiality, and this law was designed to protect that. We don't want unauthorized intrusions in our electronic medical records for any reason. It protects us all against everything from the nosy staff clerk who wants to know why a patient was admitted to the wholesale theft of identity. But was it supposed to prevent facile communication between doctors? I don't think so. How did that go wrong?
In the age of electronic information, systematic protection of files has become paramount. So an army of people has emerged to help us get this right. Attorneys help us “interpret” HIPAA regulations. Informatics and software experts have built businesses to accommodate our need for compliance. We now get scary emails about how we will be fined enormous sums or go to jail if we leak information, even to other doctors participating in the care of our patients. Really?
Recently, I was at a meeting with a colleague from an institution down the road (you can guess which one), and he said his institution told him he can't send an email or text that refers to a patient, for instance, by their initials. What??? Recently the Feds had to go to great lengths (maybe to Israel) to find someone who could crack open an iPhone belonging to the San Bernardino terrorist. So it seems like some texts are pretty darn safe. Another colleague told me that her institution prohibits her from handing a patient their own laboratory or imaging results. She's supposed to send them to medical records so they can formally request it. That sounds like a lot of fun after you've just spent a few hours getting your chemotherapy.
So I guess the solution is for us all to play phone tag with each other updating our colleagues on the progress or problems of our mutual patients. How efficient!
As you can see, I'm a little worked up over this. I know the folks who cared enough about privacy to enact a law like HIPAA never intended to make it difficult for doctors to communicate about their patients. Personally, I blame the profiteers who make a living interpreting law and developing costly and cumbersome procedures for providers to enforce compliance. I also blame us a bit for putting up with this so long and letting it get this bad.
I'm not sure what the solution is, but the next time you see one of my patients and want to let me know the outcome, send me a text or email. I promise not to tell.
What do you think? Please e-mail correspondence (include contact information) to JNCCN@nccn.org.
