| HIPAA Sucks |
[Aug. 15th, 2008|11:50 am] |
I have been a paralegal for the same personal injury law firm for more than 11 years. The job requires a great deal of communication with health care providers – doctors, physical therapists, hospitals, etc. When our clients are injured, they turn to these providers for treatment. We turn to them for their reports and bills, to substantiate our clients' injury claims and to quantify their economic losses.
That job became much more difficult when the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) went into effect.
Some background: before HIPAA, clients merely signed a blank, simple form authorizing us to obtain copies of their medical records. We never abused the practice. If sensitive, irrelevant medical information was contained in any of the records, the records were quickly destroyed. We have no motive to mishandle sensitive medical information and every motive to maintain our clients' confidence in our privacy practices.
When HIPAA went into effect, the authorization from changed. It morphed from a simple, single paragraph form with two blank spaces to fill in to what is sometimes a multiple page document. It's more cumbersome in this form, but that's not the biggest problem.
The problem is that these forms expire or are lost, and that medical providers are handcuffed by the law and sworn to secrecy once they do. That includes expired authorizations even for information we already have.
An illustration: We have a client who was mauled by a strange dog about 18 months ago. He went to the emergency room and then back to the hospital twice more for rabies shots. An older gentleman, our client is insured through Medicare. The wheels at Medicare turn slowly, so over the past year, I've been calling the hospital every 60 days or so to see if payment has been made, since we can't really settle a case if we don't know how much the unpaid medical bills will be.
For months and months, we have had copies of the hospital bills and records on file. I've spoken about the accounts with four different billing representatives at the hospital. The even faxed a new statement upon receiving a payment on one of the accounts a few weeks ago. The point is that we have all of the health information and the hospital knows that our client authorized us to get it. If we were going to do anything malicious with the information we have everything we need and would have done so already. There's nothing about a medical balance that we could exploit even if we wanted to.
When I called this morning, I was informed that our authorization had expired in March 2008 and they could not give us any additional information without a new one (this apparently was not an issue when I called for balances in April and June). Simply to find out if a bill that we already have a copy of has been paid, I have to send a new authorization. I have to grab the authorization out of the file, make a copy, fill it in, fax it to the hospital, wait for them to update their system and then finally get the simple information I need.*
It's not the most difficult thing in the world, but it turns a 30 second job into a 15 minute job. Multiplied hundreds of times a year, it sucks up a lot of time. Moreover, it's aggravating, unnecessary and nonsensical and I hate being made to do busywork.
I understand the need to protect sensitive health information. I understand the need to hold accountable those who handle health information irresponsibly or maliciously. I certainly wouldn't want my own private medical history broadcast to the world. The spirit of the law is to protect people against unethical insurers and employers, etc., and I get that and support it fully.
However, I can't imagine that the spirit of the law requires that I go through all of this bureaucratic nonsense over simple information that the patient clearly authorized me to have. Especially in this case, when all I'm trying to do is get information from the hospital in order to get their bills paid. To give them money. To mail them a big check. To help make up for some of the low reimbursement rates they get from insurance companies by paying them the full value of their balances. By helping me, they can only help themselves.
The law needs to be changed. In situations such as ours in which a patient has issued clear consent, I don't see why a doctor's office or a hospital should be barred from discussing things they had already discussed with us at length absent a new authorization.
Now, if you'll excuse me, I have to call the hospital back because they don't call me after they got my fax as promised. What could have taken 30 seconds has now taken an hour.
* There's an example of how airtight and secure the HIPPA law really is. We have clients sign a blank authorization at the beginning of the case. In theory, I could use it to get ANY medical record for ANY client at ANY time as long as I fill it in properly. There is no limit to the information I could obtain and distribute. But, to get an updated balance, I have to go through all these motions. |
|
|
![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small}
captfabulous's journal
