Health Information, The HIPAA Privacy Rule, And Health Care: What Do Physicians Think?
Julia Slutsman,
Nancy Kass,
John McGready and
Matthew Wynia
This study examines physicians' attitudes toward key Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements and assesses the effects of their implementation. We found that despite physicians' generally negative views toward the Privacy Rule, they rated organizations implementing more rule requirements better at protecting the privacy of patient records than organizations that have not implemented the requirements. The policy implications of the findings are discussed.
The privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) imposes a minimum, uniform set of privacy protections on public and private health care providers, health care organizations, and others.1 Before the rule went into effect, many expressed concern that it would impede the sharing of patient information and thus have a negative effect on patient care, that its implementation would be prohibitively costly, and that compliance would be difficult to achieve and would unduly burden the health care system.2
Recent data suggest that some of these fears have not been borne out. One recent industry survey indicated that about 80 percent of health care providers characterize themselves as compliant, although some gaps in implementing specific HIPAA requirements remain even among self-reported compliant providers.3 The U.S. Government Accountability Office (GAO) has published a report summarizing the experiences of key stakeholders during their first year of Privacy Rule compliance.4 Among its findings is that Privacy Rule implementation proceeded "more smoothly than expected" and that it increased "awareness...of privacy issues." Interestingly, although the report discusses several difficulties in implementing particular requirements, it found no impediments to patient care.
Nevertheless, questions remain about whether the Privacy Rule has achieved its goal of improving privacy protection. One way to approach this inquiry is to systematically assess the experiences of individual clinicians. This is important for several reasons. First, empirical studies suggest that physicians will ignore or not fully implement legal requirements that they do not agree with.5 Second, evidence suggests that physicians resent market, regulatory, and other forces that they perceive as limiting their autonomy.6 Diminished autonomy, in turn, is strongly associated with professional dissatisfaction, and there are data suggesting that dissatisfaction is associated with decreased quality of care.7 Finally, prior research has shown that physicians' views and practices with respect to health information disclosure differ by specialty and demographic characteristics.8 Physicians may be more likely to share patient data for the core functions of treatment, payment, and health care operations with organizations that they perceive as being better at maintaining privacy.
We surveyed 2,000 U.S. physicians during the six-month period prior to 14 April 2003, when most organizations were required to comply with the Privacy Rule. After this deadline, breaching rule requirements became illegal, and physicians might have become more reluctant to report noncompliance. The goals of this study were to (1) provide a reliable baseline on physicians' views and experiences with the Privacy Rule; and (2) provide an early assessment of the expected effects of these provisions on relevant practice outcomes.
Study sample.
This cross-sectional study used an original survey instrument to survey a random sample of 2,000 physicians drawn from the American Medical Association (AMA) Physician Masterfile. Physicians were eligible for inclusion in the study if they were actively practicing clinical medicine. We excluded 176 physicians who were deceased, retired, not seeing patients, in training, or for whom no current mailing address was available. Of the 1,824 eligible physicians, 933 completed the survey, for a response rate of 51.2 percent.
Data collection.
Data collection began in October 2002 and continued through early 2003. The initial mailing of the survey included a financial incentive of one dollar. Physicians not responding to the first survey received up to three subsequent mailings but no additional money. We excluded surveys postmarked after the Privacy Rule implementation deadline of 14 April 2003.
Human subjects approval and survey development.
The data collection methodology was reviewed and approved by the Johns Hopkins Bloomberg School of Public Health Committee on Human Research.
Survey items were organized into the following domains: (1) physician characteristics, (2) organizational characteristics, (3) patient-physician communication about confidentiality, (4) physician disclosures of identifiable patient information to third parties, (5) physicians' views of the Privacy Rule, (6) organizational readiness for the Privacy Rule, (7) organizational training on privacy policies, (8) organizational releases of identifiable patient information to third parties, and (9) security practices for paper and electronic medical records (PMRs and EMRs). Items addressing privacy issues not covered by the Privacy Rule were based on standards articulated by the AMA's Ethical Force Program.9 Items pertaining to organizational Privacy Rule preparedness, physicians' attitudes toward the rule, and patient-physician communication about confidentiality were newly developed for this study. One item about the violation of the privacy of medical records was adapted from a question in a Louis Harris Associates 1993 survey of Health Information Privacy.10 The survey instrument underwent two rounds of cognitive pretesting and was piloted with a multispecialty physician group employing seventy-five physicians.
Variables.
Dependent variables.
The first dependent variable measured physicians' general attitude toward the HIPAA Privacy Rule. Physicians were asked to express their degree of agreement with the following statement: "The HIPAA privacy regulation will greatly help physicians in their efforts to maintain the confidentiality of patients' medical records."
Next, we measured physicians' views regarding the effects of the following five Privacy Rule requirements on patient confidentiality: written authorization, special psychotherapy notes protections, "chain of trust" agreements, designation of a privacy officer, and provision of a notice of privacy practices. Finally, we asked the physicians to identify and report on the privacy practices of the one health care organization with which they were most familiar and with which they maintained an affiliation. In this area, the primary dependent variables were ratings of this organization's ability to (1) protect the confidentiality of patients' medical records, (2) ensure that HIPAA readiness efforts do not interfere with physicians' ability to do what is best for patients, and (3) ensure that readiness efforts do not interfere with physicians' ability to consult with colleagues.
Independent variables.
Independent variables included physicians' demographic characteristics (age, race, years in practice, and practice volume) and organizational demographics (organization size, type, and tax status). In addition, physicians' general level of concern about privacy protection was measured by their degree of agreement with the statement, "The violation of the privacy of medical records is a very serious problem today."
Organizational implementation of Privacy Rule protections was assessed using two summary items addressing different aspects of compliance. The administrative practices summary score represented the number of the following three Privacy Rule requirements that respondents reported to be in place at their health care organization: presence of a privacy officer, security audits, and a complaint mechanism. The procedural summary score indicated the number of the following three requirements that respondents reported their health care organization to be "good" or "very good" at implementing. The requirements included privacy training for physicians, explanation of penalties for breaches of privacy, and linking the extent of employees' access to patient information to their job duties.
In addition, a summary scale assessing the number of the following four common PMR security practices (not specified in the Privacy Rule) was created: locking medical records not in use, tracking the location of medical records, ensuring that medical records are not visible in public areas, and keeping track of when medical records are copied. Finally, a summary score for privacy training was created that tallied the number of the following six topic areas that might be covered in physicians' privacy training: (1) who has access to medical records, (2) security measures used to protect PMRs and EMRs, (3) when information in medical records may be used without patients' specific consent, (4) how patients may obtain copies of their records, (5) how patients may amend their records, and (6) how long medical records are held by the organization.
Analyses.
Bivariate associations between the dependent and independent variables were assessed using the chi-square test of association. Multinomial logistic regression was used for the multivariate analyses because each of the outcome variables had three distinct response categories. For each outcome variable, "don't know" was a third response category; because this analysis did not focus on the parts of each model that compared "don't know" responses with the reference group, the odds ratios for those comparisons are not shown.
The statistical significance of the covariates was evaluated using p values obtained from Wald tests of each coefficient or coefficient grouping.11 Based on the Wald test results, covariates were removed from the model in backward stepwise fashion, in order of decreasing significance, until the model contained only those covariates significantly related to the outcome (while controlling for the remaining variables). This procedure was conducted for each outcome variable.
Respondents' personal characteristics.
The average age of the 933 physician respondents was fifty, and the majority were male, were white, and had graduated from a U.S. medical school (Exhibit 1). Most worked as specialists and maintained an active clinical practice (seeing an average of seventy-eight patients per week). Respondents had been with the organization they reported on for an average of 12.6 years. Compared with nonrespondents, respondents were younger by an average of one year, had been in practice for an average of 1.2 fewer years, and were much more likely to have attended medical school in the United States (Exhibit 1).
EXHIBIT 1 Demographic And Organizational Characteristics Of Respondents To The Survey Of Physicians' Attitudes On The HIPAA Privacy Rule, 2002–03
Compared with all U.S. physicians, survey respondents were younger (69.4 percent versus 65.9 percent under age fifty-five, p < .001), and whites were slightly overrepresented (78.9 percent versus 75.0 percent, p < .001) as were physicians who attended U.S. medical schools (80.0 percent versus 73.8 percent, p < .001) (data not shown).12
Respondents' professional organization type.
When asked to report on the performance of the organization with which they had the closest affiliation, 43.6 percent of respondents reported on a group practice, 21.4 percent reported on a solo practice, and smaller proportions reported on hospitals and other practice settings (Exhibit 1). More than half of physicians reported on for-profit organizations.
Anticipated effects of the HIPAA Privacy Rule.
Most physicians classified themselves as "somewhat" or "very familiar" with the HIPAA Privacy Rule and with their organizations' privacy policies (Exhibit 2). Only one out of four physicians agreed with the statement, "The violation of the privacy of medical records is a very serious problem today." A minority of physicians agreed that the Privacy Rule would help them "maintain the confidentiality of patients' medical records," while 45.4 percent disagreed and 31.8 percent were uncertain. Meanwhile, about one-third agreed with the statement, "The HIPAA privacy regulation will greatly impede the conduct of medical research," and almost half reported that they were uncertain.
With regard to five key Privacy Rule requirements, majorities of physicians reported that three of the five would "somewhat or greatly" improve privacy protections (Exhibit 3). For instance, two-thirds reported that written patient authorization for nonroutine uses of confidential patient information (for uses other than treatment, payment, and "health care operations") will "greatly" or "somewhat" improve privacy protection. The requirement viewed as least useful for privacy protection was the provision of a written Notice of Privacy Practices (NPP) to patients.
EXHIBIT 3 Physicians' Attitudes About The Potential Of Specific Provisions Of The HIPAA Privacy Rule To Improve Protection Of Health Information Privacy
Organizational performance regarding privacy.
Most of the physician respondents reported that their hospital or practice was "good" or "very good" at protecting the confidentiality of medical records (73.0 percent), ensuring that privacy practices did not interfere with physicians' ability to care for patients (65.5 percent), and ensuring that privacy practices did not interfere with physicians' ability to consult with colleagues about patients (65.3 percent) (data not shown).
Effects of privacy protections on organizational performance.
Exhibit 4 presents multinomial regression models for the three organizational outcomes measured. The odds ratio for a given independent variable in the model compares physicians' probability of characterizing organizational performance as "very good" or "good" (combined) on a given outcome with that of assessing performance on that outcome as "fair," "poor," or "very poor" (combined).
EXHIBIT 4 Associations Between Health Care Organizations' (HCOs') Implementation Of HIPAA Privacy Rule Requirements And Three Organizational Performance Outcomes, 2002–03
After all other covariates were adjusted for, organizations with more procedural privacy practices in place (which include privacy training, clear explanations of penalties for breaches of confidentiality, and linking employees' level of access to information to their job responsibilities) were rated 6.8 times more likely than those with fewer such practices in place to be doing a "good" or "very good" job of protecting medical privacy, 5.3 times more likely to not interfere with physicians' ability to care for patients, and 4.9 times more likely to not interfere with physicians' ability to consult with colleagues (Exhibit 4). Similarly, better training on privacy policies was correlated with doing a "good" or "very good" job on each of the three outcomes. Implementation of administrative practices (designation of a privacy officer, conducting security audits, and providing a complaint mechanism) was not associated with performance on any of the three outcomes.
Privacy and quality.
Initially, the findings we have presented appear to be contradictory. On the one hand, most physicians believe that the Privacy Rule as a whole and a few of its key provisions do not improve the protection of confidential health information, and some worry that compliance with the rule might hinder medical research. On the other hand, many physicians report that several specific Privacy Rule requirements will improve privacy protection, and they rate organizations that meet a greater number of these requirements more positively. Most importantly, the physicians gave the organizations that are meeting more Privacy Rule requirements higher ratings in terms of one key area of concern: physicians' ability to interact with colleagues to provide high-quality care.
There are at least three possible explanations for this tension in our findings. First, while we asked physicians about the level of implementation of Privacy Rule practices within their practice settings, we did not ask whether these practices were implemented in direct response to the rule. Physicians may be skeptical of the benefits to be gained from implementation of the Privacy Rule because the procedures required by most of its effective provisions were already in place or because physicians perceived them to be in place.
It is worth noting that the impetus for the Privacy Rule was a concern that electronic health information would not be adequately protected, given the call for increasing computerization of health information in HIPAA's administrative simplification provision. Only a third of physicians in this sample reported using EMRs, so the majority of physicians could be underestimating the potential of the rule to increase privacy protection for electronic health information. However, because physicians believe that the Privacy Rule contains both effective and ineffective provisions, interpretation of an overall rating is more complex.
The second explanation has to do with some physicians' general attitudes toward medical privacy, the Privacy Rule, or the regulation of health care. Physicians' perception that the Privacy Rule will not greatly improve privacy protections may stem from a belief that their ethical and professional obligations, not regulatory mandates, assure patients' privacy and confidentiality. Indeed, some physicians might not object to the rule's contents so much as its manifestation of regulatory intervention in the practice of medicine. For the nearly half of physicians who do not perceive violations of medical privacy to be a major problem, even modest burdens to improve privacy protection might seem excessive. Some physicians may also have misperceptions about the rule's requirements and believe them to be more draconian or expensive to implement than they really are.
Third, the correlation between the implementation of privacy practices required by the Privacy Rule and improved quality of care might reflect unmeasured intermediary characteristics of the organizations. That is, those organizations positioned to readily comply with rule requirements might also be capable of meeting many other standards for quality of care, perhaps because of an organizational culture that takes both patients' privacy and quality of care very seriously. While our analyses accounted for some organizational characteristics, measuring organizational culture is difficult. Compliance with the rule could be a marker of organizations' overall capacity to provide high-quality care.
Study limitations.
Our study should be interpreted in light of several important limitations. First, the study population is not representative of the total population of U.S. physicians. Our sample was younger and included higher proportions of whites and U.S. medical school graduates than the total U.S. physician population. Despite the statistical significance of these differences, however, their magnitude was small, and these variables were not significant in our multivariate models. Second, it is possible that respondents had stronger feelings than nonrespondents about the subject matter. However, given the small percentage of respondents (25 percent) who were very concerned about privacy violations, it is unlikely that the majority of respondents hold extreme views about privacy.
Third, our results could reflect a degree of social desirability bias. For instance, physicians were asked to characterize their knowledge of organizational policies and of the Privacy Rule. If physicians overstated their knowledge, we may have seen inflated estimates of the effect size of this variable in our multivariable model. However, it is unclear what the direction of this potential source of bias might be with regard to our outcome variables. If the extent of organizational performance were overstated, for example, differences based on Privacy Rule compliance would have been more difficult to detect.
Finally, the survey followed closely upon the publication of the last set of revisions to the Privacy Rule in August 2002. Physicians could have based their knowledge of the rule on its penultimate version, which was much more burdensome than the final one. This may partly account for the negative attitudes toward the Privacy Rule as well as for some of the disparity observed between these attitudes and physicians' positive assessments of the rule's functioning.
Policy implications.
Our data are consistent with the GAO's conclusion that Privacy Rule implementation has not hindered the provision of health care. Moreover, our finding that Privacy Rule compliance is associated with better medical record privacy protection suggests that the rule may facilitate confidentiality and privacy protection. In view of these results, the time is right to begin to move beyond assessments of Privacy Rule compliance toward a focus on the effects of the rule on privacy protection and quality of care. The GAO has begun to do this by examining the numbers of formal complaints of privacy violations filed with the Office for Civil Rights at the U.S. Department of Health and Human Services as a measure of the rule's functioning. Industry surveys also report on the numbers of privacy breaches. However, such statistics are difficult to interpret because there is no baseline measure to act as a comparison. There is a need for the development of reliable indicators of the effects of compliance on quality of care, conduct of medical research, and practitioners' work patterns.
Our finding that physicians view the Privacy Rule and some of its provisions negatively is troubling. Physicians may be less likely to share health information if they perceive privacy protections to be inadequate. They may also be less willing to implement requirements that they perceive as ineffective. Increased attention to the training, engagement, and participation of individual physicians and professional organizations in Privacy Rule implementation efforts is necessary to ensure meaningful protections for the privacy of health information.
Julia Slutsman (slutsmaj{at}mail.nih.gov) is a cancer prevention fellow at the National Cancer Institute in Bethesda, Maryland. Nancy Kass is a professor in the Phoebe R. Berman Bioethics Institute, Johns Hopkins Bloomberg School of Public Health, in Baltimore, Maryland. John McGready is an instructor in the Bloomberg School's Department of Biostatistics. Matthew Wynia is director of the Institute for Ethics at the American Medical Association in Chicago, Illinois.
This research was supported by the American Medical Association and the Johns Hopkins University Phoebe R. Berman Bioethics Institute and Johns Hopkins Institute for Information Security. The authors gratefully acknowledge the help of Kelsey Brodsho and Jeanne Uehling with survey administration and thank Ezekiel Emanuel and David Buchanan for their insightful comments on earlier drafts. The opinions expressed here are those of the authors and do not represent the positions or policies of the organizations with which they are affiliated.
1. U.S. Department of Health and Human Services, "Standards for Individually Identifiable Health Information," 45 CFR, Parts 160–164, 14 April 2001.
2. L. Meckler, "New Patient Privacy Rules Take Effect," Boston Globe, 24 April 2003; L. Landro, "Health-Privacy Act Poses Problems," Wall Street Journal, 24 April 2003; S. Lewis, "Patient Care Suffers under Privacy Law," Detroit News, 29 March 2004; M. Kissinger, "Fears over Privacy Law Compromising Care," Milwaukee Journal Sentinel, 9 November 2003; R. Stein, "Patient Privacy Rule Brings Wide Confusion," Washington Post, 18 April 2003; and M. Sorkin, "Privacy Law Has Unforeseen Implications," St. Louis Post-Dispatch, 29 June 2003.
3. HIMSS/Phoenix Health Systems, "U.S. Healthcare Industry HIPAA Compliance Survey Results: Winter 2005," www.hipaadvisory.com/action/surveynew/winter2005.htm (28 March 2005).
4. U.S. Government Accountability Office, Health Information: First-Year Experiences under the Federal Privacy Rule, September 2004, www.gao.gov/cgi-bin/getrpt?GAO-04-965 (10 December 2004).
5. G. Siegal, N. Siegal, and Y. Weisman, "Physicians' Attitudes toward Patients' Rights Legislation," Medicine and Law 20, no. 1 (2001): 63–78; and A.R. Van Haeringen, M. Dadds, and K.L. Armstrong, "The Child Abuse Lottery - Will the Doctor Suspect and Report? Physicians' Attitudes towards and Reporting of Suspected Child Abuse and Neglect," Child Abuse and Neglect 22, no. 3 (1998): 159–169.
6. D. Mechanic, "Physician Discontent: Challenges and Opportunities," Journal of the American Medical Association 290, no. 7 (2003): 941–946.
7. M.M. Mello et al., "Caring for Patients in a Malpractice Crisis: Physician Satisfaction and Quality of Care," Health Affairs 23, no. 4 (2004): 42–53.
8. J.J. Lindenthal and C.S. Thomas, "A Comparative Study of the Handling of Confidentiality," Journal of Nervous and Mental Disease 168, no. 6 (1980): 361–369; and D.H. Novack et al., "Physicians' Attitudes toward Using Deception to Resolve Difficult Ethical Problems," Journal of the American Medical Association 261, no. 20 (1989): 2980–2985.
9. American Medical Association Ethical Force Program, The Domain of Health Care Information Privacy - Protecting Identifiable Health Care Informational Privacy: A Consensus Report on Eight Content Areas for Performance Measure Development, December 2000, www.ama-assn.org/ama/upload/mm/369/ef_privacy_rpt.pdf (19 January 2005).
10. Louis Harris Associates, "Health Information Privacy Survey" (New York: Harris/Equifax, 1993).
11. D. Hosmer and S. Lemeshow, Applied Logistic Regression, 2d ed. (New York: John Wiley and Sons, 2000), 321.
12. American Medical Association, Physician Characteristics and Distribution in the U.S., 2004 Edition (Chicago: AMA, 2004).
