Techs Tangle With Privacy Regs

Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

April 15 is a national day of angst in the United States. But for many this year, the government-provoked pain arrived one day early.

The Health Insurance Portability and Accountability Act, a broad and complex set of federal privacy rules, went into effect Monday. HIPAA regulations are intended to give people more control over how their medical information is used. They affect anyone who works with or has access to medical information, from huge scientific research centers and big city hospitals to rural one-physician practices or any business that offers health insurance to employees.

Under the new rules, failure to properly protect medical information could result in fines of up to $250,000 and prison terms up to 10 years.

Technical support people and systems administrators who have to ensure that medical data is gathered, stored and transmitted securely said they were hit hardest by the demands of HIPAA.

"Tax filing on Tuesday, HIPAA deadline on Monday -- you bet I'm stressing," said Mike Jones, a computer support worker for a large upstate New York research and medical facility. "Every time I figure I have one issue solved, I look at the rules and find a half-dozen other new problems I need to deal with."

Jones isn't the only one struggling to make sense of the 600-plus pages of HIPAA regulations.

The vast majority of health-care providers say they support increased privacy for patients, but also admit they don't fully understand what is required by the new rules.

"There is an extremely high level of confusion, misunderstanding, frustration, anxiety, fear and anger throughout the health-care industry regarding HIPAA," said John R. Lumpkin, M.D., chairman of the National Committee on Vital and Health Statistics, in a statement. The NCVHS serves as the public advisory body on health data and statistics to the Secretary of Health and Human Services.

People have had seven years to gear up for the new regulations since HIPAA was passed in 1996, but many health-industry tech workers said the rules weren't finalized until recently, and in some cases still don't take the problems posed by modern technology into account.

"As I understand HIPAA, doctors can no longer e-mail medical information amongst staff or to patients unless it's encrypted," said Jones, who asked that the name of the facility he works for be withheld.

"And our staff, like staff in many health facilities, uses wireless PDAs to communicate with each other -- and so the wireless systems within the hospital need to be secure. Frankly I don't know if any wireless system can ever be truly secure, so can we still use wireless? I don't know. I've spent a lot of time scrounging through the rules trying to make sense of it all."

But the government agency in charge of HIPAA said it did a good job of providing compliance information.

"Over the past two years, we've worked aggressively to provide doctors, hospitals and others with the information that they need to comply with the rules," Tommy G. Thompson, Secretary of Health and Human Services, said in a statement.

"We've held a series of regional conferences on the privacy regulations and participated in hundreds of other conferences and meetings with those affected by the regulations. We've provided extensive guidance and other technical-assistance materials that clarify key provisions of the rules, so those affected take the right steps, but don't go overboard at the expense of the quality of their patients' care.

"Many of these materials, including an extensive collection of frequently asked questions, are on our website."

In some cases, technology that is used to store, access and transmit health information had to be upgraded or altered to accommodate the new rules. And people who handle medical data had to learn entirely new ways of working.

Nadine Notelli, a pharmacist assistant in a Rite-Aid drugstore in Manhattan, said she can no longer allow people to pick up prescription drugs without having them sign a privacy rights form.

She also can no longer call out the names of patients when their prescription is ready.

"Now I sort of have to catch their eye and nod knowingly at them," Notelli said. "The pharmacy computer system was always pretty private and secure, but we needed to put in stronger protections like encrypting stored customer records," Notelli added. "It means I no longer have instant access to the records when doctors or patients call in for information."

Companies with health insurance plans also have to comply with the new rules. Employers with a health insurance plan with more than $5 million in annual receipts should have been in full compliance on Monday. Smaller firms have until next April 14.

"Our tech guy will have to be the person in charge of all this," said Sam Howell, head of a New York graphics design firm that employs 16 people.

"As I understand the new rules, we're required to ensure that no one but the HIPAA privacy officer sees medical data, and our tech guy sees everything. So pretty soon he'll have a new job -- filling out privacy forms and maintaining the insurance database. He's not real happy about it."

Attorneys who handle personal injury or insurance claims cases are also required to adhere to HIPAA guidelines.

"HIPAA is ushering an end of an era of relatively free-flowing medical information," said Rob Hoffman, an attorney with Dallas' law firm Gardere Wynne Sewell. "We heard so much on POW Jessica Lynch's condition, but from here on out hospitals are going to have to be much more wary in giving out information about patients, whether they be military, celebrities or a neighbor, without proper authorization."

According to information provided by the U.S. Department of Health and Human Services, whose Office of Civil Rights will handle enforcement of HIPAA, the agency will not aggressively hunt down HIPAA violators.

Enforcement will be limited to following up on consumer complaints, at least for the next year or two.
