Credit: National Institutes of Health
Milton Chen is CEO and founder of VSee, which develops video chat and screen share tools for remote work and telehealth, and co-author of the XMPP video standard. He contributed this article to BusinessNewsDaily's Expert Voices: Op-Ed & Insights.
I admit, I’ve been completely obsessed lately with the Health Insurance Portability and Accountability Act (HIPAA). The point of HIPAA is to protect your health information while allowing doctors, hospitals, health plan providers and others to do their jobs effectively. With the HIPAA Final Rule going into effect last week, there is now a real possibility that health providers and others who break it could get a $1.5 million fine, leading to plenty of debate about whether Skype, VSee and other video conference systems are allowed for telehealth — so I’ve been doing my homework.
The research recently led me to a protection that caught my eye. It gives you the right to opt out of having a medical procedure reported to your insurance company if you’ve paid all your expenses out-of-pocket. This new protection is great because it means insurance companies have less dirt on you so you can keep a good health insurance deal. The problem is: how on earth are they going to put this protection into practice?
First, there is the technical aspect. Health entities are going to need a way to earmark health information we restrict from disclosure so those elements don't get sent to an insurance plan.
For example, suppose your doctor generates an e-prescription for a medication you want to pay for out-of-pocket. The way many systems are automated, the pharmacy may have already billed the health plan before you even arrive. The HIPAA Final Rule workaround for this problem (p. 248) is to have your doctor give you a handwritten prescription, giving you a chance to request a privacy restriction and pay for the medication before any bill goes out. Unfortunately, this defeats the whole purpose of having e-prescriptions and electronic health records.
Here’s another example from John Halamka, chief information officer and dean for technology at Harvard Medical School. Suppose an inpatient hospitalization is paid for out-of-pocket. How can you flag data so that a nurse case-manager working for a payer doesn’t see any data related to that hospitalization, but the health provider can still see it? Halamka suggests that health data needs to travel with metadata so that information can be “selectively restricted.”
To make things more confusing, there are times when the request for a privacy restriction cannot be honored, such as when the procedure is part of a bundle and can’t be separated out, or when the procedure must be reported by law (for example, a Medicare/Medicaid audit). Furthermore, as this HIPAA Survival Guide stresses, in cases of follow-up procedures, it is your responsibility — not your doctor’s responsibility — to let downstream health providers know if you want to keep information restricted. So for instance, if your primary care doctor sends you to a specialist, then you’re the one who needs to let the specialist know about the disclosure restriction (and make sure you pay for the specialist out-of-pocket, too!).
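As an added illustration (not code from this article, the HIPAA Final Rule, or any health record product), here is one way restriction metadata could travel with each record item and drive what a payer versus a provider receives. The field names, the two roles and the sample chart are assumptions, and the rules are only the ones described above: paid out-of-pocket, not bundled, not required by law.

```python
from dataclasses import dataclass

ROLES = {"provider", "payer"}  # assumed recipient roles

@dataclass(frozen=True)
class RecordItem:
    item_id: str
    restriction_requested: bool = False  # patient asked to keep it from the health plan
    paid_in_full: bool = False           # patient paid out-of-pocket
    bundled: bool = False                # part of a bundle that can't be separated out

def decide(item, recipient, required_by_law=False):
    """Return (release, reason) for one item and one recipient role."""
    if recipient not in ROLES:
        # Fail closed: an unrecognized recipient gets nothing.
        raise ValueError(f"unknown recipient role: {recipient!r}")
    if recipient == "provider" or not item.restriction_requested:
        return True, "no restriction applies"
    if required_by_law:
        return True, "disclosure required by law"
    if item.bundled:
        return True, "bundled item cannot be separated"
    if not item.paid_in_full:
        return True, "not paid out-of-pocket in full"
    return False, "restricted by patient request"

def view_for(items, recipient, required_by_law=False):
    """IDs of the items this recipient may receive."""
    return [i.item_id for i in items if decide(i, recipient, required_by_law)[0]]

# Constructed sample chart (illustrative values only)
CHART = [
    RecordItem("office-visit"),
    RecordItem("inpatient-stay", restriction_requested=True, paid_in_full=True),
    RecordItem("lab-panel", restriction_requested=True, paid_in_full=True, bundled=True),
    RecordItem("e-prescription", restriction_requested=True),  # requested, not yet paid
]

if __name__ == "__main__":
    for role in sorted(ROLES):
        print(role, view_for(CHART, role))
    print("payer (audit)", view_for(CHART, "payer", required_by_law=True))
```

The unpaid e-prescription is released to the payer here, which is the automated-billing gap the handwritten-prescription workaround is meant to close.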
While I’m excited about my new right, I’m also concerned about whether health entities can really follow through with the details. The HIPAA Final Rule highly encourages health entities “to engage in open dialogue with individuals” to make sure we understand the caveats of a restricted information request. In that case, it seems to me we’d better know just how our rights work up front if we really want to protect our privacy.
The views expressed are those of the author and do not necessarily reflect the views of the publisher.