Overview • Dean's Message • A Piece of the Pie Urban Issues • April 14: A HIPAA Retrospective Faculty Perspective: Public-Use Limitations and Natural Property Rights

April 14: A HIPAA Retrospective

By Joan B. Killgore, '00

Mention April 14 to most people, and you send them into a frenzy over taxes that are due on April 15. Mention April 14 to a health care attorney or any other person involved in counseling entities regarding health care compliance, and I assure you the same frenzied look will appear - but not because of the IRS. For health care attorneys, April 14 is "a date that will live in infamy," being the date in 2003 that certain "covered entities" in the HIPAA regulations were required to comply with the federal regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (known to most as HIPAA) which govern the privacy, security and transmission of health information. Just for the record, "covered entity" is one of over seventy-five defined terms sprinkled throughout the HIPAA regulations.

Unless you have been living in a cave for the past two years (or, similarly, if you are a law student), you probably have encountered HIPAA. The most pervasive aspect of HIPAA is the "Notice of Privacy Practices" that are handed out at every physician office, pharmacy and hospital (not to mention inclusion on every health care provider Web page). I have made a hobby of collecting various "Notice of Privacy Practices" forms and am astounded at the number of ways there are to say exactly the same thing about how "protected health information" is used and disclosed. I shudder to think how many trees have been felled in the name of HIPAA privacy. I would think that people would be pretty well informed by now.

I was "lucky" enough to ride the crest of HIPAA, being an incoming health care associate at a local law firm in 2000 when the final HIPAA privacy regulations were published. While I waded into HIPAA by drafting a summary of the regulations in December of 2000, over the next three years I was swimming (maybe "drowning" would be a more appropriate term) in HIPAA executive summaries, outlines, power point presentations, manuals, policies and procedures and educational in-services. During that time, I began to be known as a "HIPAA expert" (which basically means that I am the first person called when the word HIPAA appears in a document). HIPAA has been very good to me as far as work is concerned, as I am sure it has been to many health care attorneys. In fact, most health care providers swear that HIPAA is short for "Health Industry Paying All Attorneys" (although I prefer to think of it as "Highly Intricate Paperwork in Abundant Amounts").

I viewed April 14, 2003 the same way many viewed the January 1, 2000 Y2K scare. I distinctly recall instructing my assistant to keep my calendar clear for April 14, anticipating that I would need to be "on call" for the inevitable HIPAA emergencies. Funny thing, the day ended up being calmer and less stressful than most. Although most health care providers found that there were some wrinkles to iron out, it was pretty much business as usual. Turns out that most hospitals and physician offices were protecting the privacy of patient information long before HIPAA required it. The difference was that now they had the HIPAA required policies, procedures, forms and manuals to "prove" it.

By many accounts, HIPAA headaches have lessened over the past two years. However, HIPAA rears its ugly head every once in a while. One of my favorite "amazing but true" HIPAA stories involves a friend who was informed by her local pharmacy that a prescription was ready for pick-up. This was news to her, as she had not been to the doctor recently, nor was she taking any medicine. The pharmacy refused to provide her with the prescription or any details regarding the prescription unless she acknowledged in writing that she had received a copy of the pharmacy's Notice of Privacy Practices, which (of course) the pharmacy could not produce for her to acknowledge. Sensing a mounting "Catch-22," the parties compromised and the pharmacy told her the prescription was for "Charlie." Ends up that Charlie is a dog and the prescription was for some ailment poor Charlie suffered years ago. While I would categorize my friend's experience as a case of mistaken HIPAA identity, it seems that Charlie isn't the only animal to reap the benefits of privacy protection. According to a May 6, 2002 Washington Post article by James V. Grimaldi (a full year prior to HIPAA's compliance date), the Smithsonian Institution's National Zoo "has taken the position that viewing animal medical records would violate the animal's right to privacy and be an intrusion into the zookeeper-animal relationship."

Obviously the National Zoo takes its HIPPO privacy very seriously.