
Why American Healthcare is So Expensive Part 4 – HIPAA and Healthcare Regulation

It is said that the road to hell is paved with good intentions.   I didn’t know what that meant when I was younger, but one day in my second year of residency I found out.

We were told one day that all our clinics would be cancelled on a Friday the following week and we would be required to go to a mandatory meeting to learn about new government regulations that would be impacting the way we delivered care.  We all thought this would be boring and didn’t like it, but nonetheless we all gathered together in the auditorium.

In that meeting we were taught about a new law coming down the pike called HIPAA.  Basically, this law was being put into place to fix a few perceived problems in healthcare.  Some of these issues made a lot of sense, like creating national identifiers for physicians so that different insurers could identify providers across multiple policies.  It also created a national coding system for insurance claims, and that made some sense.

And then the real shit began.  They explained the HIPAA Privacy Rule.
I remembered sitting there as they explained HIPAA Privacy and feeling a chill go down my spine.  You would not believe the reaction in the room.  There was a deep anger.  There were people literally standing up and yelling at the presenter.  I remember one resident standing up and saying in a very angry voice “We can’t possibly do our job under these rules!  You have to be joking!”

HIPAA Privacy made so much sense to the people outside of medicine who wrote the law.  Basically it said that we have to protect patients’ medical information and not reveal it without their permission.  Of course that made a lot of sense in theory, but in practice it turned out to be a nightmare that has continuously driven up the cost of care in this country with no appreciable benefit to patients.  As a side effect, it also had tremendous negative impact on medical education and healthcare delivery.

What was wrong with HIPAA is that it tried to make regulation out of something we were already naturally doing.  HIPAA codified the medical tradition that we keep patients’ information private.  Nobody needed to tell us to do that.  It was part of medical culture.  We didn’t share people’s private information and medical history with other people, and that culture worked fine.  Did very rare breaches of privacy occur?  Sure, of course they did occasionally, but it was extremely rare and the impact of these breaches was either nonexistent or minimal.  But somewhere along the way Congress got a bug up its butt about it and decided these very rare breaches of privacy were worth creating a protean mass of regulation that would start to strangle the very system of healthcare they wanted to fix.  Sometimes the cure is much worse than the problem.  The path to hell was being paved.

When I started in healthcare, we had paper charts in these wall mounted boxes outside each inpatient’s room.  When you made rounds you pulled open the box, pulled out the chart, reviewed whatever needed to be reviewed, and wrote brief notes in the chart as needed.  It was extraordinarily efficient.

Part of HIPAA meant that we couldn’t do this anymore.  The reason is that anybody can open that box and look at that chart, and that changed from being something we would rather not happen to a federal offense with a 10k or more fine, possibly a lot more.  HIPAA, and later HITECH, a HIPAA add-on law to apply to medical information technology, made it so that every time medical information is accessed there had to be an information trail of who looked at it and what they looked at. So it just wasn’t going to fly that anybody could just open a chart and look at it, even if that person had every legitimate reason to be doing so.

This all sounds good, but it came at extraordinary cost, and terrible side effects.  One effect is that it was part of a huge push into EMR systems (electronic medical records), which to date haven’t made healthcare much better and have been incredibly expensive to deploy and maintain.  The insidious next effect is that it pushed doctors away from the bedside to computers.  We used to go to the patient’s bedside all the time, because the chart was outside their door and you had to visit there often to write down what you were doing.  But once HIPAA pushed the charts out of the doors and into the computers, physician life changed.  Now you visited the patient rarely, and spent a tremendous amount of time at a central bank of computers documenting what you were doing.  Living through this transition during my formative years as a physician, I was shocked and appalled at the change.  In just a few years we had changed from a culture of physicians that spent a tremendous amount of time actually doing patient care, to a culture that spent most of its time in front of computers away from the patient, documenting what they had done.  Notes went from being beautiful 6 line summaries of what was truly important to three page masses of information, cut and paste from note to note.  This happened because it was noticed that it was very cumbersome to go back and look at old notes in the EMR, so naturally cut and paste was used to move the entire medical encounter forward into every single note.  Efficient charting was over.

During my first academic post at University of Hawai’i, post HIPAA, I remember seeing six or seven residents sitting in front of a bank of 8 computer terminals for nearly their entire labor and delivery shift.  They occasionally got up to see a patient or deliver a baby, but as soon as that was over they sprang back to the computers, like that location was their center.  I remember when the patient’s room or the operating room was my center, not a computer.

Of course this wasn’t all HIPAA, but HIPAA contributed greatly.  Because how were we to comply with the privacy rule if we didn’t keep all the information under lock and key, in a way where we could track everybody that looked at it?  You had to do it all in a computer, and that took people away from the patients, and it made us worse at being doctors.

From a pure financial perspective it was great for technology companies.  Medical information technology was in its infancy when HIPAA started, and HIPAA was a beautiful reset for them.  As soon as the law came out, everything wasn’t HIPAA compliant, so they could force every client to buy new HIPAA compliant product.  And every time regulation was revised it forced a new deployment of software.   All at tremendous cost with no clear patient benefit.

Bedside documentation wasn’t the only thing HIPAA changed.   All you have to do to see another change is look in the jacket pockets of medical students and residents.  That is, look at what you don’t see in those pockets.   Sure you see a stethoscope and other medical stuff, but what you don’t see is notes about patients.

When I was a medical student and resident, I had a system for keeping track of all my patients.  I took blank 8.5 x 11 pieces of paper and folded them lengthwise, and then nested them all together, one piece for each patient I had.  I wrote their summary at the top of the fold, and then each time there was something important that occurred I wrote it chronologically down the paper.  When we made rounds it was very easy to pull out my stack and efficiently deliver information to my team.  It was extremely efficient and effective.

But HIPAA changed that in a few ways.  1. We couldn’t write any patient information down on a piece of paper anymore.  That was unsecured medical information that if misplaced could violate a patient’s privacy.  So no more of that.  And 2. We basically stopped making rounds, because to do so would be to talk about a patient in the unsecured environment of the hallway, where someone who wasn’t supposed to hear their private medical information might hear it.  So now we made rounds in a closed door back room, without paper notes.  So again, people were in front of computers instead of patients, and the long history of making actual rounds as a team was being eroded because of government mandated concerns for patient privacy.

These paper notes became a subject of great consternation.  One time during my second faculty post a resident had some of these illegal paper notes (because despite their illegality there was always a necessity for it).  This resident accidentally left their notes in their backpack, which was left in a taxicab or something like this.  This created an ungodly stir.  Because in HIPAA fantasyland, somebody was going to find this backpack, find the scrawlings of blood pressure and labs on these papers, and somehow this was going to actually affect the patients that were involved.  So by law this had to be reported to the Feds, and per HIPAA it resulted in tens of thousands of dollars in fines.  And then the crackdown really began – a big to-do about how we can’t put any medical information on things that could be lost, everything had to be encrypted to the 9th degree, and so on.  But in reality land, all that had happened is the tragedy of a resident losing his backpack.  The medical information on that paper was meaningless – because the chance that whoever found it gave two shits about the issues of the random patients on those papers was so close to zero as to be impossible.

At some point the classic labor and delivery “board” was moved from the L and D hall crammed into a back room, because it had medical information on it.  The result was that the board was only updated right before “board checkout”, and ceased to be a useful and quick way for physicians and students to communicate with each other.  So now it served no purpose and created a new job for somebody – update the board before board checkout, a rather painful task that served little purpose since the board would again be useless as soon as board checkout was over.  The truth to anybody that cared to look at reality is that the board was always full of abbreviation, jargon, and shorthand, such that any non-ob person wasn’t going to know what the heck it said anyway.  Moving it in the back really didn’t protect anybody’s privacy – it was effectively already encrypted with the very language it was written in.

But this is what we have done.  We have decided that protecting patient’s medical privacy is of so utmost importance that we will completely disrupt our ability to efficiently deliver medical care to achieve it.  Because this is what the federal disaster that is the HIPAA Privacy Rule demands.

So inevitably this has driven up costs in a big way.  Before HIPAA, we just kept patients’ information as private as we reasonably could as part of our culture.  After HIPAA, there were entire hospital departments devoted to “Compliance.”  Compliance is something that every young doctor just thinks is part of medicine, but it didn’t exist before HIPAA.  These compliance officers are full time salaried and benefited employees who have an incredible amount of power, like legal counsel in a large organization.  They have the ability to cause incredible havoc in healthcare delivery if they ever believe that a HIPAA violation might possibly occur.  And furthermore, they are held responsible for an institution’s compliance, with potential civil or even criminal penalties if violations occur, so they are like Gestapo searching and searching for potential violations.  And in my experience, Compliance officers get so focused on their narrow little focus that they lose perspective on the entire system.  And because Compliance has so much power and so little perspective, it starts to seem that the entire system is about complying with HIPAA rather than actually taking care of patients.  For example, I have heard Compliance officers actually suggest that a hospital invest in security provisions that were so tight that they would keep out a high level hacker.  Seriously.  Because the best hackers in the world really care about what Julie’s admission diagnosis was.  But Compliance believed that this level of security was required, and they had a lot of power, so the money was spent and the screws were tightened down even further.

HIPAA also leads to a lot of medical waste.  Before HIPAA it was pretty easy to get records from another doctor.  You just called them and said you were doctor so and so or nurse so and so and you needed records on Jane and they sent them.  Now you need a signed note from Jane saying you are who you say you are and it has to be faxed and verified and double signed and maybe 1-2 days later you get your records.  It makes all the sense in the world but in reality it’s incredibly inefficient.  Sure, it’s possible that in the old system someone could misrepresent who they were and get inappropriate access to someone’s information, but let’s be real – this isn’t happening very much, and if somebody really wanted to do that they could just forge a HIPAA release and no-one would be the wiser.  So it’s just more work for no benefit, and it made things really difficult sometimes.  When I was in training, we often just reordered imaging studies because it was too difficult to get the outside records.  We said it was because we liked to have our own radiologists read things, but in reality if we had easy access to outside records we wouldn’t have done it nearly as much.  I bet we spent hundreds of thousands a year in my area alone on this kind of thing, so that’s hundreds of millions or more nationwide.

So compliance costs a lot of money.  It’s a hundreds of millions if not billions of dollars a year kind of line item, both through the employment of “compliance” people that wouldn’t exist without HIPAA, and through medical waste driven by the inefficiencies that HIPAA created.  And in the end, I don’t think it helps patients one bit.  I think actually it has been really bad for doctoring and for patient care, and for the medical education system as well.

But how do we go back?  It seems almost impossible to deregulate.  I really hate Trump, but he does seem to be the kind of guy that would just throw HIPAA out, so maybe he will.  I think that would be a good thing actually.

In the end, I think that Congress needs to get the hell out of healthcare regulation.  Well let me take that back.  They either need to completely take over and make a socialized healthcare system, and hopefully get some really smart people to run it well, or they need to stay the hell out and let the medical societies regulate things.   Complex regulation with good intentions gets out of hand.  It drives up costs and has unintended consequences, and may hurt things more than it helps.  HIPAA is a prime example.   I truly believe that a less regulated healthcare system would be a less expensive one.




Dr. Fogelson is a gynecologic surgeon and endometriosis specialist who practices at Northwest Endometriosis and Pelvic Surgery in Portland, OR.  Call 503-715-1377 for clinical consultation.  http://www.nwendometriosis.com


  1. Nicky
    May 8, 2017 at 1:47 am

    Do you honestly believe that EMR’s haven’t improved patient outcomes? What about when a physician accidentally prescribes a drug that interferes with something else the patient is taking? I can understand your point that you spend less time with patients, and that is unfortunate. I feel like there has to be a solution somewhere between too much regulation and none at all.


    • May 8, 2017 at 5:06 am

      Everything is complex and there are positives and negatives to everything. On the whole, I believe that EMRs have damaged the quality of care we deliver. There are many theoretical benefits that have yet to be realized. They aren’t compatible with each other, so we still send pieces of paper between offices via fax or actual mail, and on the other end they just become scanned in images. Interaction checking is so broken as to not be useful. I often see six different interactions pop up with some drugs, and I just click through them because I know that they are theoretical but not clinically important.

      Of course there is a middle ground, but we are so far past that middle ground right now.

      I think we need to have a single EMR for all healthcare in this country. That would be heavily regulated, but I think it would be a good thing. CPRS at the VAMC system works extremely well and all care at every VAMC in the world is on the same system. I’d be for CPRS for all medical care throughout the country personally.


  2. May 11, 2017 at 2:48 am

    Amen! [Except the part about socialized medicine…. 🙂 ]

