The Health Insurance Portability and Accountability Act of 1996 (HIPAA) stands perhaps as the next most influential guide for how physicians must treat patient information and health, with a foundational emphasis on privacy and health safety standards.28 This governmental policy originated from changes made to the Internal Revenue Code of 1986,29 the Employee Retirement Income Security Act of 1974 (ERISA), and the Public Health Service Act (PHS Act), which dates all the way back to July 1, 1944.30 Framed as a fundamental health security law, it emphasizes the enforcement of privacy rules (as outlined by the Office of Civil Rights); involves physicians, hospitals, and healthcare providers; ensures protection of all identifiable health information within medical records, billing, and patient accounts; and requires consistent standards of documentation, handling, and privacy when dealing with records and communication with patients.
respect the rights and privacy of the patient and must assure all possible and reasonable means of helping that patient. Certainly, when the Hippocratic Oath was first written, the notion of electronic messaging was nonexistent. However, as evidence of the timelessness of this oath, the idea that whatever is shared with a physician must stay within the boundaries of that relationship is particularly relevant to the online interactions and security issues of today; for this very reason, this discussion begins with this most fundamental “law” of medicine.
28 For a copy of the HIPAA Act of 1996 go to https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf
From the patient perspective HIPAA grants federal protection of personal health documents, which can only be shared with those who have direct health-related need for that information. This regulation on behalf of patients ensures that they are safeguarded from outside sources such as insurance companies, employers, and family members who do not have legal rights to this information. HIPAA provides the standards and rules that maintain privacy of all medical records while also outlining the initial procedures necessary for legal recourse upon violation of these laws.
From a communication perspective, the 1996 HIPAA law also ensures that information exchange mediums clearly maintain the standards set forth by the Hippocratic Oath; but now these standards are formulated into a law that must be upheld by all who practice medicine. In fact, not upholding this law would risk the loss of medical licensure and result in fines and judicial actions against the violating party. In a sense, HIPAA became the governmental standard for the privacy portion of the Hippocratic Oath.31
By 2008, as the Internet, emailing, and texting became more commonplace in the public sphere, the healthcare industry for the most part lagged behind, resisting the use of such technology and arguing that security, time constraints, and money made the use of technology in medicine inappropriate, risky, and too time consuming. Although relatively few physicians chose early adoption of electronic health records and electronic messaging through email, the government appeared to view this transition as a potential impetus towards growth in a waning economy laden with rising healthcare costs, insurance restrictions on coverage, and massive litigation cases that all promised to weigh heavily on the advancement of a healthcare industry seeming to spiral out of control.
31 The focus on security here is not meant to imply that this topic is the only standard of care discussed in the Hippocratic Oath. Privacy and security are, however, key for HIPAA, though healthcare efficiency and simplification of healthcare insurance procedures are also central. Even so, both the oath and the policy contain a
In response, lawmakers not only anticipated change, they forced it. Well in advance of the enactment of The American Recovery and Reinvestment Act of 2009, HIPAA regulations were being reviewed, and the outcome of this review led to significant revisions in safety standards and security regulations that articulated online communication privacy issues, Electronic Health Record (EHR)32 development, and general security issues for storing medical data involving Patient Health Information (PHI) on paper or electronic charts. In so doing, an updated version of HIPAA regulations was produced with The Patient Safety and Quality Improvement Act of 2005 (PSQIA) Patient Safety Rule. It was later published in the Federal Register in 2008 and enacted into law by January of 2009, just in time for the HITECH Act to be set into law in February of that very same year—seemingly no coincidence.33 In short, this revised regulatory Act created a system for providers to share sensitive information within a secured format.
Even though online communication within healthcare was still edging into popularity, some proactive physicians began to adopt online mediums, anticipating public demand. Those preparing the new HIPAA regulations also anticipated change. Regulations reassessed potential pitfalls of new technologies and included language that accommodated future safety and security issues. The 2005 HIPAA document states, “The proposed rule sought to implement the Patient Safety Act to create a voluntary system through which providers could share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care” (Agency for Healthcare Research and Quality, Office for Civil Rights, Department of Health and Human Services, 2008, p. 70732). The stage was set for change.
32 The terms Electronic Medical Records (EMR) and Electronic Health Records (EHR) continue to be used interchangeably by many. EMRs typically refer to the individual records kept on each patient at physician offices, and the EHR refers to the larger scope of medical records maintained by healthcare systems. Both seek interoperability of data, and both represent the electronic availability and exchange of data. This document will use EHR as the preferred term for simplicity's sake.
Changes to HIPAA regulations continue as new advancements are made. Appearing in the Federal Register: The Daily Journal of the United States Government on January 25, 2013, the Health and Human Services Department (HHS) presented a document titled, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Human Health and Human Services Department, 2013). This lengthy report documented newly specified security standards with additional revisions relating to electronic data. Security Standards General Rule Section 164.306 states that all covered entities and business associates must “ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”
In short, three areas of HIPAA compliance have affected how communication must be managed: (1) Administrative Safeguards, which require security compliance teams; (2) Physical Safeguards, which protect the electronic systems themselves from theft of equipment or data; and (3) Technical Safeguards, which authenticate and encrypt all accessible data. Hardware firewalls and encryption of electronic messages must be monitored to uphold these standards (HIPAA 101: Guide to Compliance Rules and Laws, 2013). This is to say that HIPAA revisions go well beyond the earlier regulations by including important rules about technology, a change that those graduating from medical schools at an earlier date may not have been trained in without postgraduate education coursework.
At this time it is important to note that Communication and Humanities Education in general continue to increase their influence on medical school and postgraduate education today. Within medical interviewing classes, in particular, students acknowledge the skill of communication in its effect on patient participation and health outcomes. In residency programs across the country, communication has become a standard requirement as outlined by the national Accreditation Council for Graduate Medical Education (ACGME).34 Many state boards of medicine, including the American Board of Family Practice, acknowledge the importance of communication through CME requirements. More specifically, the state of Pennsylvania requires "safety hours" that include communication as a subcategory designated to help guarantee that physicians engage in safer, more effective medical interactions and overall care. Education on communication through HIPAA certified regulations is indeed part of such training.35 These continued changes in medical education increase the visibility of communication training and reinforce the relevance of such interdisciplinary research and ongoing study.
34 For detailed accreditation requirements for individual medical programs, see http://www.acgme.org/acgmeweb/.
35 To exemplify this process, it is to be noted that several presentations have been made by this author on multiple occasions on this topic for Continuing Medical Education (CME) for physicians and ancillary professionals. Recently, “Maintaining Patient Confidentiality and Security in an On-Line World” was presented on February 27, 2013 at the 33rd Annual Conference at the Slopes, Respiratory Care Conference at Seven Springs Mountain Resort, Champion, PA, for the Cambria-Somerset Council for Education of Health Professionals Incorporated (academic service). Also, “Professionalism in an On-Line World” was presented on June 23, 2013 as Basic (Medical) Humanities Education (BHE) for the Department of Surgery, West Virginia University. Each of these talks discussed the relationship between medical communication, safety, and policy; and each provided CME credits for
In short, although the newest HIPAA revision contains a plethora of details well beyond the scope of this document, the key point is that such ongoing regulations and revisions concerning security continue to be made into law with the motivation of maintaining high standards of privacy and healthcare reform throughout the entire process of electronic communication and record-keeping adoption. As change in physician/patient medical care (and education) continues, so do the laws regulating these changes.