Johns Hopkins Magazine
  HIPAA, Heal Thyself

A sweeping set of patient privacy regulations went into effect last year, complicating life considerably for Medicine's researchers, fundraisers, and archivists. Now many are wondering: Are the intended benefits outweighed by the unintended costs?

By Maria Blackburn
Illustration by Gérard DuBois
Photos by Keith Weller

As a first-year medical student, Lara Devgan quickly grew accustomed to people telling her what to do: Take this class, study these chapters, shadow this attending physician. So when Devgan was told in March 2003 that she'd have to spend two hours of her own time completing an online certification to become compliant with the new federal patient privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) taking effect that April, she didn't ask any questions. She just did it.

Still, she couldn't help but wonder: If everyone at the Johns Hopkins Medical Institutions who was involved in patient care — thousands of staff members ranging from administrative assistants to head nurses and chiefs of surgery — had to become HIPAA-certified, what sort of impact would that have on the hospital?

"I'm a medical student," says Devgan, who is now in her third year. "Two hours of my time isn't worth a lot — maybe one chapter of reading, maybe $20. But to a doctor, two hours might be someone's life. Or to people in [fundraising], two hours might mean a $50,000 donation to the hospital."

Working with the guidance of physician Glenn Treisman of Hopkins' Department of Psychiatry, Devgan and three other first-year medical students decided to study the effect HIPAA would have on Hopkins. The regulations — which lay out how "covered entities" such as hospitals, health plans, pharmacies, and doctor's offices handle patient information — were created to ensure patient privacy. But would HIPAA actually improve patient privacy rights? How much would it cost Hopkins? And would its benefits be worth that cost?

What they found was astounding. Speaking with physicians, legal counsel, administrators, information technology experts, and others, the students determined that the HIPAA privacy regulations added layers of bureaucracy, jeopardized the university's fundraising efforts, and hampered research by restricting access to patient records.

And the price tag was enormous. Although Johns Hopkins has estimated the cost of HIPAA-compliance expenditures in the three years prior to April 2003 at about $4.5 million, the students' analysis found that number to be more like $4.3 million to $7.4 million.

"What started out as a relatively small statement of intent in the law — a couple of paragraphs — grew into 1,400 pages of regulations that have a lot of unintended consequences," says John Zeller, associate vice president of development and alumni relations and director of the Fund for Johns Hopkins Medicine. "It is an unfunded mandate, and it has a real cost to the institution across the board."

Richard Grossi, chief financial officer for Johns Hopkins Medicine, estimates that HIPAA could eventually cost Hopkins $10 million a year in direct and indirect costs as well as lost revenue from activities like fundraising.

That may not sound like much for a place that takes in $3 billion in revenues annually, but it is. "Our operating margin is $30 million a year," Grossi says. "When you put this kind of burden onto an organization like Hopkins, then we have to take that money away from our programs."

What's worse, say critics, is that Maryland already had some of the strictest patient-privacy laws in the country, so HIPAA hasn't increased patient privacy all that much. "I don't think anybody disagrees with the basic premise of HIPAA," says Joanne E. Pollak, vice president and general counsel for Johns Hopkins Medicine and chief HIPAA compliance officer for the university and health system. "[But] the law brings with it a lot of administration and complexity. They've imposed an administrative burden on institutions, and there's no real commensurate benefit to patients."

Treisman, who has directed the AIDS psychiatry clinic at Hopkins since 1988, believes wholeheartedly in the protection of patient privacy. Pointing to the medical students' study, however, he is less than laudatory when it comes to HIPAA, which he likens to the federal government spending $100 million to put up traffic lights in the forest. "Did it work?" he asks. "Sure it worked. The traffic lights are up in the forest. They work. But the question is: Did we need traffic lights in the forest? The answer is no, we didn't."

Congress passed HIPAA in 1996 to protect workers who lose their jobs. Before HIPAA, if someone with health insurance was laid off, she might be denied new coverage, especially if she or a family member had a serious or chronic illness. Under HIPAA, which is administered by the U.S. Department of Health and Human Services, people in this situation are guaranteed access to new health insurance.

At the same time, as health systems began to computerize medical records and e-mail and Internet use became more common, there was a growing risk that confidential health information could be compromised. The basic HIPAA statute established the principle that electronic transfer of information should be secure and remain confidential. From this grew complex new rules about how patient information is used and disclosed, as well as rules about specific security measures that must be used to protect that information when it is being stored or sent electronically.

Under the HIPAA privacy regulations, various safeguards preserve the privacy of "protected health information," or PHI — a list of 18 identifiers that include names, geographic location, phone numbers and addresses, medical records, and Social Security numbers. PHI encompasses any information that might reveal a person's identity, a diagnosis, or that he or she received medical care. That way, an employer of an employee with cancer couldn't discover that fact from an e-mail or from a phone call the employee had received from his oncologist's office.

To comply with the HIPAA privacy regulations, Hopkins administrators have constructed new policies and procedures, developed systems to keep track of authorizations and manage records, and charged a host of compliance officers with making sure the regulations are followed to the letter. Some 26,000 Hopkins employees, from physicians to lab techs to blood bank employees, took a general HIPAA privacy-training course. Thousands more took specialized training programs in marketing, fundraising, research, and other areas. In the first year, Hopkins spent almost $300,000 to develop a new HIPAA Web site and $650,000 to cover the salaries, benefits, and resources of staffers responsible for HIPAA education and compliance. Another $200,000 went to printing more than 100 new forms and educational materials, including a 16-page booklet, Notice of Privacy Practices for Health Care Providers, that is now issued to every patient seen at Hopkins, whether for a sore throat or for major surgery.

Even with all of the policies that have been drafted, all of the tutorials that have been completed, and all of the pamphlets that have been printed, people still have questions about HIPAA. Lots and lots of questions.

Carol Richardson, Hopkins' chief privacy officer for HIPAA, fields almost all of them. Richardson receives upward of 600 e-mails a week, and her telephone rings constantly with inquiries. Employees want to know what sort of HIPAA training is required for their job. Managers ask whether all of their employees are HIPAA certified. Patients need copies of their medical records. (Now, instead of a letter to their doctor requesting records, patients must fill out a two-page authorization form.) In addition to fielding questions, Richardson investigates complaints about HIPAA compliance and has 10 to 12 cases open at any given time.

"My role is huge," says Richardson, who works long days, weekends, and nights to keep up with her workload. Her job can be overwhelming, but her office has accomplished a lot, she says. "I think there's a tremendous process that's been enhanced. It's made patients more aware of their privacy rights and employees more conscious about information they use on a daily basis."

Joanne Pollak is not hopeful that HIPAA will be eased.

When one of Glenn Treisman's psychiatric patients was recently admitted to Johns Hopkins Hospital's emergency room, he was in benzodiazepine withdrawal. He told the admitting staff he was under Treisman's care, but he didn't sign the HIPAA release form that would have allowed the emergency staff to share information with his doctor.

"Nobody contacted me, so we didn't collaborate on his care," Treisman says. "As a result, they gave him a bunch of benzos that he shouldn't have gotten, and he went out and started using them again. He relapsed into drinking and then relapsed into using cocaine after being sober for months. And then he had a very serious suicide attempt. Now it's going to cost maybe $10,000 or $15,000 to detoxify him."

Though the HIPAA regulations were designed to ensure that patient information doesn't get into the wrong hands, cases like this — in which patient care suffers because a doctor doesn't know about the care his or her patient is receiving elsewhere — make Treisman think that the regulations are doing more harm than good.

"HIPAA has created all sorts of barriers," Treisman complains.

And it's not just patient care. For clinical investigators, HIPAA has made research considerably more complicated.

Much of the medical research that takes place at Hopkins relies on materials already on hand — blood samples that have already been collected, for example. In the past, patients signed a "blanket consent" document allowing materials to be used for future research. Like a book in a library, investigators could take out those materials when they needed them.

Now researchers must obtain authorization from each patient for every research project, Pollak says. "Let's say you come to Hopkins and you have cancer," she says. "After you are cured you say, 'I want Hopkins to be able to use my tissue for cancer research, even though I don't know what those research projects are.' Under the U.S. Department of Health and Human Services' Common Rule, you can do that." But under HIPAA, you can't. "What HIPAA says is that you, the patient, have to be asked every time a doctor submits a new research protocol," Pollak explains. "Every year, every new research project, the patient has to be contacted again."

Hopkins has about 1,000 new research protocols each year and more than 2,000 research projects under way at any given time. That means some patients could be contacted numerous times about participating in various research projects. Pollak worries that such an inundation of authorization requests might discourage patients from participating in research. "It's going to make research subjects feel like, 'I wanted to do this, but why am I being hassled?'" she says.

HIPAA does allow for an exception when a researcher determines that it is not feasible to get authorization from a patient. In such a case, the researcher can apply for a waiver from one of Hopkins' five institutional review boards that oversee research at Johns Hopkins, or the Privacy Board that monitors HIPAA research compliance in the university's medical archives.

Michael Klag, vice dean for clinical investigation at Hopkins, says he's of two minds when it comes to HIPAA. "On the one hand, we want every investigator to stop and think before they do a research project because human subject research is a privilege," he says. "On the other hand, you have to ask if there's a benefit to [the HIPAA requirements]. HIPAA adds work and slows down the process. I don't think at this institution that HIPAA adds protection for research. That protection was already there."

Fundraisers at Johns Hopkins Medicine are facing a troubling statistic: Since 2003 — the year the HIPAA privacy regulations went into effect — donations from individuals have dropped from 70 percent of total gifts to 56 percent. That's a significant decrease, say administrators. And they worry that HIPAA may have something to do with it.

Donations from patients who have been successfully treated at Hopkins and their families — known in fundraising parlance as "grateful patients" — made up about $86 million of the $171 million in fundraising generated for Johns Hopkins Medicine in the last fiscal year, says Cynthia Beach-Smeltzer, director of the Fund for Johns Hopkins Medicine for stewardship and development services. "It's the cutting-edge research where grateful philanthropy really makes a difference," she says. Beach-Smeltzer can cite dozens of examples of medical breakthroughs at Hopkins — ranging from gene therapy to treat cystic fibrosis to genetic detection of colon cancer — made possible through funding from grateful patients. "It really helps the rate at which research progresses at Hopkins. This research is often so new that traditional funding sources such as the National Institutes of Health will not award funds."

Prior to April 2003, fundraisers in each of the clinical departments could freely interact with patients and potential donors. "Before the HIPAA privacy regulations, if a patient indicated they'd like to learn more about how they could help, their physician could call the development office," says the fund's Zeller. Under the new rules, development staff can't contact patients unless the patient has first signed a separate authorization form for philanthropy.

One form, one signature — that doesn't seem like much of a barrier. But, says Alison Traub, director of development for the Brady Urological Institute at Hopkins, presenting all patients with this form upon their admittance to the hospital can be confusing and off-putting, not to mention uncomfortable. "To put the form in front of a patient who is scared, who doesn't know what is going to happen, who hasn't yet had surgery, can be disconcerting," Traub says. "It can make a patient feel like we're only here for their donation, and that's not true. We're concerned with treating the patient first."

"If this is the beginning of a trend, it's likely due to HIPAA, and that would be alarming," says Beach-Smeltzer, referring to the decline in donations. "It will take two to three years to determine the impact [of HIPAA] on fundraising. It's still too new."

Glenn Treisman says HIPAA has "created all sorts of barriers."

The Alan Mason Chesney Medical Archives is the storehouse of more than a century's worth of data chronicling the history of Johns Hopkins Hospital and schools of medicine, nursing, and public health. As archivist, Nancy McCall has considered it her mission to make the collection's books, letters, and other research materials available to the 1,200 registered users — Hopkins faculty, staff, students, and outside researchers — who visit the archives annually. But since the HIPAA privacy regulations went into effect, McCall's job has often meant keeping materials away from them.

Privacy laws and regulations used to apply only to specific documents — a patient's hospital chart, for example. HIPAA instead regards information as a general entity, whether written, spoken, or recorded in digital media. The regulations apply to any kind of record or document that contains protected health information and make no distinction for the sensitivity of the information. An ingrown toenail is given the same weight as a sexually transmitted disease.

And unlike most privacy laws, HIPAA applies into perpetuity, covering forever every person, dead or alive.

At the Chesney Archives, nearly every document contains some form of PHI — a note about a worker injured during the hospital's construction, a photograph of medical staff tending to patients. Even a physician's letter to a colleague that mentions his own sprained ankle is considered PHI, says McCall.

Having to regulate access to any PHI in all 25,000 cubic feet of the archives' holdings has proved to be a formidable task for McCall and her staff. In compliance with the HIPAA privacy regulations, there are two ways a patron can access the archives: for research and for reference.

Patrons who wish to conduct extensive research in the Chesney Archives can get permission to use archived material from the person mentioned in the record (or his or her legal representative), or a Hopkins privacy board may grant a waiver to peruse the archives. However, if someone wants to publish historical material that identifies a person in a magazine article, book, or scientific journal, permission must be granted by the person mentioned in the record or his or her legal representative, a potentially daunting task for any researcher. The privacy board cannot grant a waiver to publish such material. The only recourse appears to be seeking approval from a judge.

Since they began meeting in June 2003, the eight-member Johns Hopkins Medical Institutions' privacy board has reviewed 33 applications for research at the medical archives. They've approved all of them. "Our charge is simply for risk assessment and risk of disclosure of protected health information," says McCall, who serves on the board.

For patrons who want reference information and copies of documents, the staff must first screen the requested materials for PHI. If they find PHI, the archivists then photocopy the document, black out all personal identifying facts, then give the patron the redacted photocopy. "We have to be very careful when providing a copy of a document, even if it's a 19th-century document," says McCall. "Having to screen 19th-century letters for any health reference has added quite a burden to our staff. We have to read every page. Can you imagine how absurd that is?"

It's even more absurd, McCall says, when you consider that the same letter, if provided by the National Library of Medicine in Bethesda (exempt from HIPAA because it's part of the federal government) or the New York Public Library (exempt because it's not a "covered entity"), could be shared in its complete form. "In the health archive world, there is this fundamental inequity," says McCall. "Some of us have to deal with HIPAA and some don't."

Brigid Lusk, a nursing historian and associate professor at the Northern Illinois School of Nursing in DeKalb, Illinois, discovered the inequity of HIPAA firsthand last fall when she was researching a project on the nursing care of cancer patients from 1880 to 1950.

At Hopkins, Lusk had to have her research request approved by Hopkins' privacy board, but at the University of Virginia she was able to peruse non-redacted patient records without any privacy board review. The Memorial Sloan Kettering Center Archives staff in New York didn't allow Lusk to have any copies of photographs with patients in them, even ones the center's publications had published previously. But the Chicago Historical Society allowed her full access to their archives containing medical information.

For researchers enduring limited access to information, going through the extra step to have one's research approved can be frustrating. "HIPAA just emphasizes what we should all be doing anyway," Lusk says. "Good historical writing should never reveal the identity of a patient. But sometimes you need to know about what patients were doing to make a story better."

Nancy McCall: a "fundamental inequity" in health archives.

Administrators at medical centers and other "covered entities" across the nation are still wading through the sea of pages that comprise the HIPAA privacy rules, figuring out what the three-inch-thick binder of regulations means and how to best carry the regulations out. "The interpretation of the regulations is still up to debate," says Pollak. "It isn't always easy to ferret out the meaning or determine the best strategy for compliance."

It is somewhat unclear what is meant by "diagnosis" or "medical information," she says. It is also unclear if mentioning a clinical department or specific doctor in a fundraising letter violates HIPAA privacy rules.

When there are questions about compliance, Health and Human Services has addressed issues in general through published questions and answers. "If a more formal amendment process is needed, this could take years, and the Office of Civil Rights has shown no appetite at this time to entertain amendments to the process," Pollak says.

McCall and others are hopeful that HIPAA rules may be relaxed in time, or interpreted by Health and Human Services in a way that is less restrictive for medical archives and philanthropy. In July, Zeller testified before a privacy panel of the National Committee of Vital Health Statistics in favor of easing rules for responsible fundraising.

Pollak isn't optimistic. "We think it's unlikely that they're going to open up the HIPAA regulations because it could involve a flood of changes," she says.

And so in the meantime, Pollak says Johns Hopkins Medicine will continue to operate under the HIPAA privacy regulations and see what happens. "We must learn to live with it and see what the government takes seriously and what they don't take seriously. We're not as hopeful as we once were that [Health and Human Services] might amend these regulations to correct some of the problems that we're seeing."

Maria Blackburn is a senior writer at Johns Hopkins Magazine. Freelancer Bruce Goldfarb contributed to this story.

Return to November 2004 Table of Contents
