Cho Sueng-Hui And HIPAA

Back at work today after spending most of yesterday in bed.

The conversation between physicians between patients turned to what happened Monday morning at Virginia Tech.

Recriminations are flying as people try to understand what cannot be understood . . . to assign blame to something or someone other than a deeply troubled college student with a "mean-streak". You can almost smell the lawsuits: Against the university brass (for failing to "lock down" sooner), against law enforcement (ditto . . . and for chasing what turned out to be a bad tip), against anyone who had any medical contact/interaction with this young man. Against the guy who sold him the gun.

One of my colleagues, a warm and gentle and very compassionate soul (who I like very much), expressed dismay that "the shooter" apparently fell through a lot of cracks in the mental health and legal systems. He mirrored my own sympathy for Cho Sueng-Hui's parents and family. I cannot imagine what they're going through . . . and what they will have to live with for the rest of their lives.

My colleague also marvelled that Cho Sueng-Hui was able, with his medical history, to buy a gun. Sueng-Hui apparently passed a back-ground check with flying colors, even though, in 2005 Cho was declared mentally ill by a Virginia special justice, who declared he was "an imminent danger" to himself (albeit not to others), a court document states. This kind of information should be readily accessible to gun dealers, my colleague argued.

I've been watching some of the coverage tonight on the hotel TV. The young man's room mates were apparently unaware of Cho Sueng-Hui's brushes with the mental health system and the law. They were angry. Why weren't they informed?

I believe a good part of the answer (the Second Amendment notwithstanding) lies in the multi-headed-monster known as HIPAA, the Health Insurance Portability and Accountability Act . . . specifically the Privacy Rule. The Privacy Rule took effect April 14, 2003, with a one-year extension for certain "small plans". It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

A covered entity may disclose PHI to facilitate treatment, payment, or health care operations or if the covered entity has obtained authorization from the individual. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.

Practically speaking, it's a mess. Generally speaking, a health-care provider cannot talk to another health-care provider about a mutual patient without a signed release. Everything is harder, from simple consults to getting lab results to records transfer.

I expect it's why those court records on Cho Sueng-Hui never got to anyone anywhere who might have been able to prevent what happened from happening.

I'm still sick, and very tired tonight, and the Wikipedia link does a good job of summarizing the problems with HIPAA, so here are some excerpts:

While respect for patient privacy was already informally considered a cornerstone of medical professionalism, the complex legalities and potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers.

HIPAA restrictions on researchers have affected their ability to perform retrospective, chart-based research as well as their ability to prospectively evaluate patients by contacting them for follow-up.

In addition, informed consent forms for research studies now are required to include extensive detail on how the participant's protected health information will be kept private. While such information is important, the addition of a lengthy, legalistic section on privacy may make these already complex documents even more user-unfriendly for patients who are asked to read and sign them.

These data suggest that the HIPAA privacy rule, as currently implemented, may be having negative impacts on the cost and quality of medical research.

The complexity of HIPAA, combined with potentially stiff penalties for violators, can lead physicians and medical centers to withhold information from those who may have a right to it. A review of the implementation of the HIPAA Privacy Rule by the U.S. Government Accountability Office found that health care providers were "uncertain about their [legal] privacy responsibilities and often responded with an overly guarded approach to disclosing information...than necessary to ensure compliance with the Privacy rule."

In the period immediately prior to the enactment of the HIPAA Privacy and Security Acts, medical centers and medical practices were charged with getting "into compliance". With an early emphasis on the potentially severe penalties associated with violation, many practices and centers turned to private, for-profit "HIPAA consultants" who were intimately familiar with the details of the legislation and offered their services to ensure that physicians and medical centers were fully "in compliance". In addition to the costs of developing and revamping systems and practices, the increase in paperwork and staff time necessary to meet the legal requirements of HIPAA may impact the finances of medical centers and practices at a time when insurance company and Medicare reimbursement is also declining.

HIPAA compliance is a major industry. For anyone who wants to rail against getting too little for too much (health-care dollars), just watch the lawyers suck those health-care dollars up.

HIPAA also has considerable bearing on medical peer review. An excellent memo on the case law is here. The essential notion behind the idea of medical peer review is that there is a prevailing public interest in physicians being able to speak freely when reviewing the actions and behavior of other physicians. Peer review is a protected activity and peer review materials are not discoverable in a court proceeding. At least that's the theory I relied upon back in 1998. The thing about those laws and legal theories is they only work if they're enforced.

There are many holes in the argument . . . and many examples of how the laws governing confidentiality and peer review have usurped Constitutional guarantees of due process for doctors (for instance, giving anonymous complaints credence) . . . and have been abused and warped to facilitate less-than-noble motives that have nothing to do with the public's best interests. I have discussed those holes elsewhere and will continue to discuss them in the future. But not tonight.

As for why/how Cho Sueng-Hui fell through every crack and thirty-two innocent lives were snuffed out . . .

. . . take the keeping of secrets up with Congress.

Update: Walter Olson, at Overlawyered, offers more thoughts on the HUGE risk of litigation when people don't want their medical informaton shared. I would expound upon his musings by adding that the problems inherent to privacy laws are not confined to psychiatric issues. Pediatricians, in particular, often walk tight-ropes when dealing with sexually-active teenagers who are pregnant or have STD's and don't want to be honest with their parents.

4/19/07 Update: Apparently this post got tagged by several blogs, namely Overlawyered and Kevin MD. At Kevin's several folks (a few of them apparently lawyers) took issues with my statement about signed releases being required for record exchange - or communication between providers. They seem to have missed the "practically speaking" disclaimer. I posted a rebuttal there and will do so here:

Practically speaking, the "myths" and misconceptions of HIPAA, are EXACTLY the reason that information does not get exchanged properly or well between health-care providers.

Practically speaking, doctors and nurses and office managers worry alot about the paperwork AND the releases . . . and the legal ramifications of saying too much to the wrong person.

Practically speaking, information is generally NOT exchanged between providers as freely or comfortably as it was in the past.

It's about fear of being sued . . . or clipped by Big Brother.

But the lawyers and politicians do not deal in the practical do they?

I'd like to address this comment:"Saving a life is more important than avoiding being sued. When I was a resident, a district judge, shaking his gavel in my face, explained to me that my job is to follow my medical judgement in doing what is right, and if I think that to do so requires me to violate some law, to call him and he will issue a court order ordering me to act accordingly. I have never forgotten that lesson and it has stood me in good stead for 2 decades."

If you visited my blog, you would know that (1) I got fired for saving a child's life and reporting it to hospital peer reveiw, (2) I got sued for reporting - in confidence - what happened to US & NCDHHS, (3) the NC Medical Board did absolutely nothing to protect or defend the duties it requires, and (4) when I finally got to court three years later I was swindled out of a fair settlement by perjury and contempt on the part of hospital administrators.

To date (it's been nearly ten years), I have not found a DA or a judge in North Carolina that will wave his magic gavel and do anything to right those wrongs. You see, I'm not a Dukie.

I agree that saving a life is more important than avoiding being sued. But perhaps you should not be so quick to sniff until you've actually been there.

I've spent over two years in the blogosphere trying to get someone to help me shame law enforcement officials in the state of North Carolina into enforcing the law, and so far have been spat on.

By the way (Mr. Cole), snark is not tolerated at my blog. If someone has a point to make, make it. But you can take the personal stuff and stuff it. It will not be published.

I hope that clears everything up.

4/20/07 Update: More thoughts from Walter Olson at Overlawyered.