HIPAA: Then and now

The Health Insurance Portability and Accountability Act (HIPAA), the landmark federal law that protects the confidentiality of patients' health information, turns 20 years old in August.

Doctors of optometry have a healthy, though guarded, respect for HIPAA after two decades under its influence. The act, they agree, has profoundly changed how they practice. Empowered patients have greater access to their own medical records and control over who sees them. But sometimes the regulations—and the threat of being audited by the U.S. Department of Health & Human Services' Office of Civil Rights (OCR)—hang in the air like smoke from just-snuffed-out birthday candles.

"In a country where identity breaches are headline news, I believe there are many doctors of optometry who would champion HIPAA's enactment," says Samantha Slotnick, O.D., who practices in Scarsdale, New York.

On this 20th anniversary of HIPAA, AOA members took a brief look back, and ahead, at how the law transformed how doctors manage their practices.

Before HIPAA

Patient privacy was largely covered by a hodgepodge of state laws, company policies, professional ethics and perhaps a little personal preference before HIPAA. Douglas Totten, O.D., chair of AOA's Ethics and Values Committee, says, "Optometrists would have had the AOA Code of Ethics and the AOA Standards of Professional Conduct to provide guidance on these matters."

Dr. Totten adds, "The AOA Optometric Oath also contains this statement: 'I WILL hold as privileged and inviolable all information entrusted to me in confidence by my patients.' I would think nearly all doctors of optometry would have stated these words before entering practice over the past decades."

Stevin Minie, O.D., who practices in Canoga Park, California, graduated from optometry school in the mid-1980s. Then and now, his practice philosophy centered on what is best for his patients. "Privacy then was mostly common sense and medical practice tradition," Dr. Minie says.

A changing patient culture

About the time HIPAA was signed, Clifford Scott, O.D., was starting a teaching position at the New

England College of Optometry (NECO). Dr. Scott, who also holds a master's degree in public health, says a course he taught on ethical behaviors then contained a relatively small module on privacy.

"There wasn't a whole lot being taught in the school then about HIPAA," says Dr. Scott, now NECO president. "Professional behavior—the doctor-patient relationship—dictated it."

Today, patient privacy is taught at NECO in an introduction to optometry class and a robust, yearlong ophthalmic business course, Dr. Scott says.

By the time Dr. Slotnick graduated in 2004 from the State University of New York College of Optometry, the subject of patient privacy was standard. "We were inculcated in a culture of HIPAA sensitivity," Dr. Slotnick says. "It was part of taking good care of patients."

Compliance as a service industry

More than the number of regulations have multiplied since HIPAA's passage. So has anxiety and the demand for services to help groups comply with privacy regulations.

"Believe it or not, this explosion of services that relate to compliance is a relatively new phenomena," says Marc Haskelson, president and CEO of The Compliancy Group. An AOAExcel^® endorsed business partner, The Compliancy Group launched in 2005 and created a web-based compliance solution called "The Guard." Among its services are free educational seminars, compliance coaches and employee training and certification.

"We had attempted to delegate a person or persons at each of our offices to be the HIPAA compliance officer and, frankly, the task was overwhelming along with the usual day-to-day workload," says Joe

Ellis, O.D., chair of the AOAExcel board whose practice in Benton, Kentucky, has five locations and about 75 employees.

Dr. Ellis hired The Compliancy Group about a year ago. Doctors of optometry, he says, have a "sacred trust" with their patients to protect their medical information. "It's like the sacred scrolls," Dr. Ellis adds. "I'm not going to willy-nilly send their records out to everybody."

Drs. Ellis, Minie and Slotnick say they have found "peace of mind" with the tools and resources available from AOAExcel. Their anxiety is down; their knowledge of HIPAA up.

And what does the future hold for HIPAA?

Says Haskelson: "With ransomware attacks, data breaches, and OCR's new Phase 2 audits all becoming hot-button issues, 2016 might shape up to be a real turning point for the future of HIPAA compliance. I wouldn't be surprised if this year's total fines outrank last year's as the most in the history of enforcement. Additionally, I think OCR is going to stress cyber and digital security."