Health Information, The HIPAA Privacy Rule, And ... - Health Affairs

4 downloads 12167 Views 121KB Size Report
HIPAA requirements remain even among self-reported compliant providers.3 The .... security measures used to protect PMRs and EMRs, (3) when information in.
D ata Wat c h

Health Information, The HIPAA Privacy Rule, And Health Care: What Do Physicians Think? Most physicians in this survey believe that the Privacy Rule does not improve the protection of confidential health information. by Julia Slutsman, Nancy Kass, John McGready, and Matthew Wynia ABSTRACT: This study examines physicians’ attitudes toward key Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements and assesses the effects of their implementation. We found that despite physicians’ generally negative views toward the Privacy Rule, they rated organizations implementing more rule requirements better at protecting the privacy of patient records than organizations that have not implemented the requirements. The policy implications of the findings are discussed.

T

h e p r i vac y ru l e o f t h e Health Insurance Portability and Accountability Act (HIPAA) imposes a minimum, uniform set of privacy protections on public and private health care providers, health care organizations, and others.1 Before the rule went into effect, many expressed concern that it would impede the sharing of patient information and thus have a negative effect on patient care, that its implementation would be prohibitively costly, and that compliance would be difficult to achieve and would unduly burden the health care system.2 Recent data suggest that some of these fears have not been borne out. One recent industry survey indicated that about 80 percent of health care providers characterize themselves as compliant, although some gaps in implementing specific HIPAA requirements remain even among self-reported compliant providers.3 The U.S. Government Accountability Office (GAO) has published a report summarizing the experiences of key stakeholders during their first year of Privacy Rule compliance.4 Among its findings is that Privacy Rule implementation proceeded “more smoothly than expected” and that it increased “awareness…of privacy issues.” Interestingly, although the report discusses several difficulties in implementing particular requirements, it found no impediments to patient care.

Julia Slutsman ([email protected]) is a cancer prevention fellow at the National Cancer Institute in Bethesda, Maryland. Nancy Kass is a professor in the Phoebe R. Berman Bioethics Institute, Johns Hopkins Bloomberg School of Public Health, in Baltimore, Maryland. John McGready is an instructor in the Bloomberg School’s Department of Biostatistics. Matthew Wynia is director of the Institute for Ethics at the American Medical Association in Chicago, Illinois.

832 DOI 10.1377/hlthaff.24.3.832 ©2005 Project HOPE–The People-to-People Health Foundation, Inc.

May/ June 2005

P r i vac y

Ru le

Nevertheless, questions remain about whether the Privacy Rule has achieved its goal of improving privacy protection. One way to approach this inquiry is to systematically assess the experiences of individual clinicians. This is important for several reasons. First, empirical studies suggest that physicians will ignore or not fully implement legal requirements that they do not agree with.5 Second, evidence suggests that physicians resent market, regulatory, and other forces that they perceive as limiting their autonomy.6 Diminished autonomy, in turn, is strongly associated with professional dissatisfaction, and there are data suggesting that dissatisfaction is associated with decreased quality of care.7 Finally, prior research has shown that physicians’ views and practices with respect to health information disclosure differ by specialty and demographic characteristics.8 Physicians may be more likely to share patient data for the core functions of treatment, payment, and health care operations with organizations that they perceive as being better at maintaining privacy. We surveyed 2,000 U.S. physicians during the six-month period prior to 14 April 2003, when most organizations were required to comply with the Privacy Rule. After this deadline, breaching rule requirements became illegal, and physicians might have become more reluctant to report noncompliance. The goals of this study were to (1) provide a reliable baseline on physicians’ views and experiences with the Privacy Rule; and (2) provide an early assessment of the expected effects of these provisions on relevant practice outcomes.

Study Data And Methods n

Study sample. This cross-sectional study used an original survey instrument to survey a random sample of 2,000 physicians drawn from the American Medical Association (AMA) Physician Masterfile. Physicians were eligible for inclusion in the study if they were actively practicing clinical medicine. We excluded 176 physicians who were deceased, retired, not seeing patients, in training, or for whom no current mailing address was available. Of the 1,824 eligible physicians, 933 completed the survey—for a response rate of 51.2 percent. n Data collection. Data collection began in October 2002 and continued through early 2003. The initial mailing of the survey included a financial incentive of one dollar. Physicians not responding to the first survey received up to three subsequent mailings but no additional money. We excluded surveys postmarked after the Privacy Rule implementation deadline of 14 April 2003. n Human subjects approval and survey development. The data collection methodology was reviewed and approved by the Johns Hopkins Bloomberg School of Public Health Committee on Human Research. Survey items were organized into the following domains: (1) physician characteristics, (2) organizational characteristics, (3) patient-physician communication about confidentiality, (4) physician disclosures of identifiable patient information to third parties, (5) physicians’ views of the Privacy Rule, (6) organizational readi-

H E A L T H A F F A I R S ~ Vo l u m e 2 4 , N u m b e r 3

833

D ata Wat c h

ness for the Privacy Rule, (7) organizational training on privacy policies, (8) organizational releases of identifiable patient information to third parties, and (9) security practices for paper and electronic medical records (PMRs and EMRs). Items addressing privacy issues not covered by the Privacy Rule were based on standards articulated by the AMA’s Ethical Force Program.9 Items pertaining to organizational Privacy Rule preparedness, physicians’ attitudes toward the rule, and patient-physician communication about confidentiality were newly developed for this study. One item about the violation of the privacy of medical records was adapted from a question in a Louis Harris Associates 1993 survey of Health Information Privacy.10 The survey instrument underwent two rounds of cognitive pretesting and was piloted with a multispecialty physician group employing seventy-five physicians. n Variables. Dependent variables. The first dependent variable measured physicians’ general attitude toward the HIPAA Privacy Rule. Physicians were asked to express their degree of agreement with the following statement: “The HIPAA privacy regulation will greatly help physicians in their efforts to maintain the confidentiality of patients’ medical records.” Next, we measured physicians’ views regarding the effects of the following five Privacy Rule requirements on patient confidentiality: written authorization, special psychotherapy notes protections, “chain of trust” agreements, designation of a privacy officer, and provision of a notice of privacy practices. Finally, we asked the physicians to identify and report on the privacy practices of the one health care organization with which they were most familiar and with which they maintained an affiliation. In this area, the primary dependent variables were ratings of this organization’s ability to (1) protect the confidentiality of patients’ medical records, (2) ensure that HIPAA readiness efforts do not interfere with physicians’ ability to do what is best for patients, and (3) ensure that readiness efforts do not interfere with physicians’ ability to consult with colleagues. Independent variables. Independent variables included physicians’ demographic characteristics (age, race, years in practice, and practice volume) and organizational demographics (organization size, type, and tax status). In addition, physicians’ general level of concern about privacy protection was measured by their degree of agreement with the statement, “The violation of the privacy of medical records is a very serious problem today.” Organizational implementation of Privacy Rule protections was assessed using two summary items addressing different aspects of compliance. The administrative practices summary score represented the number of the following three Privacy Rule requirements that respondents reported to be in place at their health care organization: presence of a privacy officer, security audits, and a complaint mechanism. The procedural summary score indicated the number of the following three requirements that respondents reported their health care organization to be “good” or “very good” at implementing. The requirements included privacy train-

834

May/ June 2005

P r i vac y

Ru le

ing for physicians, explanation of penalties for breaches of privacy, and linking the extent of employees’ access to patient information to their job duties. In addition, a summary scale assessing the number of the following four common PMR security practices (not specified in the Privacy Rule) was created: locking medical records not in use, tracking the location of medical records, ensuring that medical records are not visible in public areas, and keeping track of when medical records are copied. Finally, a summary score for privacy training was created that tallied the number of the following six topic areas that might be covered in physicians’ privacy training: (1) who has access to medical records , (2) security measures used to protect PMRs and EMRs, (3) when information in medical records may be used without patients’ specific consent, (4) how patients may obtain copies of their records, (5) how patients may amend their records, and (6) how long medical records are held by the organization. n Analyses. Bivariate associations between the dependent and independent variables were assessed using the chi-square test of association. Multinomial logistic regression was used for the multivariate analyses because each of the outcome variables had three distinct response categories. For each outcome variable, “don’t know” was a third response category; because this analysis did not focus on the parts of each model that compared “don’t know” responses with the reference group, the odds ratios for those comparisons are not shown. The statistical significance of the covariates was evaluated using p values obtained from Wald tests of each coefficient or coefficient grouping.11 Based on the Wald test results, covariates were removed from the model in backward stepwise fashion, in order of decreasing significance, until the model contained only those covariates significantly related to the outcome (while controlling for the remaining variables). This procedure was conducted for each outcome variable.

Study Results n

Respondents’ personal characteristics. The average age of the 933 physician respondents was fifty, and the majority were male, were white, and had graduated from a U.S. medical school (Exhibit 1). Most worked as specialists and maintained an active clinical practice (seeing an average of seventy-eight patients per week). Respondents had been with the organization they reported on for an average of 12.6 years. Compared with nonrespondents, respondents were younger by an average of one year, had been in practice for an average of 1.2 fewer years, and were much more likely to have attended medical school in the United States (Exhibit 1). Compared with all U.S. physicians, survey respondents were younger (69.4 percent versus 65.9 percent under age fifty-five, p < .001), and whites were slightly overrepresented (78.9 percent versus 75.0 percent, p < .001) as were physicians who attended U.S. medical schools (80.0 percent versus 73.8 percent, p < .001) (data not shown).12 n Respondents’ professional organization type. When asked to report on the

H E A L T H A F F A I R S ~ Vo l u m e 2 4 , N u m b e r 3

835

D ata Wat c h

EXHIBIT 1 Demographic And Organizational Characteristics Of Respondents To The Survey Of Physicians’ Attitudes On The HIPAA Privacy Rule, 2002–03 Respondents (N = 933) Physician demographics

Numbera

Percentb

Sex (male) Age (years), mean Year in practice, mean AMA membership (member) U.S. medical school graduate (yes)

701 49.8 (SD = 10.3) 22.7 (SD = 10.9) 187 739

75.1

Specialtyc Primary care Subspecialist

366 560

39.2 60.8

Self-reported race White Black Asian Hispanic Other

723 25 106 51 28

78.9 2.7 11.6 5.6 3.0

Years with organization, mean Patients seen per week, mean

20.0 80.0

12.6 (SD = 10.0) 78.0 (SD = 61.2)

Organizational characteristics Organizational structure Managed care organization Physician group practice Solo practice Hospital Academic medical center Physician-hospital organization Community health clinic Other

30 395 194 94 110 23 33 28

3.3 43.6 21.4 10.4 12.1 2.5 3.6 3.1

Organization size (number of physicians) 1–5 6–25 26–100 Over 100

422 208 110 182

45.8 22.6 11.9 19.7

Tax status Private for-profit Private nonprofit Public Don’t know

605 202 93 23

64.8 21.6 10.0 2.5

SOURCES: American Medical Association (AMA) Physician Masterfile, 2002; and authors’ survey of physicians’ views on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. NOTES: There were 892 nonresponders, of whom 702 were male, 151 had AMA membership, and 650 were graduates of U.S. medical schools (significantly different from respondents at the .001 level). The mean age of nonresponders was 50.8 (SD = 11.8; significantly different from responders at the .05 level), and mean years of practice were 23.9 (SD = 12; significantly different from responders at the .05 level). a Frequency does not add up to 933 on certain characteristics because of missing data. b Percentages may not add up to 100 percent because of rounding. c Although specialty information is available in the AMA Masterfile, this data field is not considered to be highly reliable. See J. Shea et al., “Self-Reported Physician Specialties and the Primary Care Content of Medical Practice: A Study of the AMA Physician Masterfile,” Medical Care 37, no. 4 (1999): 333–338. Therefore, we did not compare specialty data for nonrespondents (obtained from the Physician Masterfile) to respondents’ self-reported specialty data.

836

May/ June 2005

P r i vac y

Ru le

performance of the organization with which they had the closest affiliation, 43.6 percent of respondents reported on a group practice, 21.4 percent reported on a solo practice, and smaller proportions reported on hospitals and other practice settings (Exhibit 1). More than half of physicians reported on for-profit organizations. n Anticipated effects of the HIPAA Privacy Rule. Most physicians classified themselves as “somewhat” or “very familiar” with the HIPAA Privacy Rule and with their organization’s privacy polices (Exhibit 2). Only one out of four physicians agreed with the statement, “The violation of the privacy of medical records is a very serious problem today.” A minority of physicians agreed that the Privacy Rule would help them “maintain the confidentiality of patients’ medical records,” while 45.4 percent disagreed and 31.8 percent were uncertain. Meanwhile, about one-third agreed with the statement, “The HIPAA privacy regulation will greatly impede the conduct of medical research,” and almost half reported that they were uncertain. With regard to five key Privacy Rule requirements, majorities of physicians reported that three of the five would “somewhat or greatly” improve privacy protections (Exhibit 3). For instance, two-thirds reported that written patient authorization for nonroutine uses of confidential patient information (for uses EXHIBIT 2 Physicians’ Knowledge Of And Attitudes Toward Privacy And The HIPAA Privacy Rule, 2002–03 Variable

Number

Percent

Familiarity with organizational privacy policies Very familiar Somewhat familiar Not very familiar Unfamiliar

448 320 74 23

51.8 37.0 8.5 2.7

Familiarity with Privacy Rule Very Somewhat familiar Aware but unfamiliar Unaware

146 507 226 41

15.9 55.1 24.6 4.4

Agreement with statement, “The violation of the privacy of medical records is a very serious problem today” Strongly agree/agree Strongly disagree/disagree Uncertain

230 230 263

25.0 46.4 28.6

Agreement with statement, “The HIPAA privacy regulation will greatly help physicians in their efforts to maintain the confidentiality of patients’ medical records” Strongly agree/agree Strongly disagree/disagree Uncertain

209 417 292

22.8 45.4 31.8

Agreement with statement, “The HIPAA privacy regulation will greatly impede the conduct of medical research” Strongly agree/agree Strongly disagree/disagree Uncertain

330 171 416

36.0 18.6 45.4

SOURCE: Authors’ survey of physicians’ views on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. NOTE: N = 933.

H E A L T H A F F A I R S ~ Vo l u m e 2 4 , N u m b e r 3

837

D ata Wat c h

EXHIBIT 3 Physicians’ Attitudes About The Potential Of Specific Provisions Of The HIPAA Privacy Rule To Improve Protection Of Health Information Privacy Will greatly improve

Will improve somewhat

Will not improve

Don’t know

Number

Percent

Number

Percent

Number

Percent

Number Percent

Written authorization for nonroutine uses of health information 274

29.9

350

38.2

163

17.8

129

14.1

Prohibiting insurer requests for psychotherapy notes

278

30.5

267

29.2

115

12.6

253

27.7

Language about privacy in contracts with other organizations

158

17.2

379

41.4

22

24.6

154

16.8

Designation of privacy officer

66

7.2

298

32.5

400

43.6

153

16.7

Provide patients with a written description of privacy policies

62

6.7

267

29.1

445

48.5

144

15.7

Variable

SOURCE: Authors’ survey of physicians’ views on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. NOTES: N = 933. Respondents were asked, “To what extent will each of the following provisions improve the protection of health information privacy?”

other than treatment, payment, and “health care operations”) will “greatly” or “somewhat” improve privacy protection. The requirement viewed as least useful for privacy protection was the provision of a written Notice of Privacy Practices (NPP) to patients. n Organizational performance regarding privacy. Most of the physician respondents reported that their hospital or practice was “good” or “very good” at protecting the confidentiality of medical records (73.0 percent), ensuring that privacy practices did not interfere with physicians’ ability to care for patients (65.5 percent), and ensuring that privacy practices did not interfere with physicians’ ability to consult with colleagues about patients (65.3 percent) (data not shown). n Effects of privacy protections on organizational performance. Exhibit 4 presents multinomial regression models for the three organizational outcomes measured. The odds ratio for a given independent variable in the model compares physicians’ probability of characterizing organizational performance as “very good” or “good” (combined) on a given outcome with that of assessing performance on that outcome as “fair,” “poor,” or “very poor” (combined). After all other covariates were adjusted for, organizations with more procedural privacy practices in place (which include privacy training, clear explanations of penalties for breaches of confidentiality, and linking employees’ level of access to information to their job responsibilities) were rated 6.8 times more likely than those with fewer such practices in place to be doing a “good” or “very good” job of protecting medical privacy, 5.3 times more likely to not interfere with physicians’

838

May/ June 2005

P r i vac y

Ru le

EXHIBIT 4 Associations Between Health Care Organizations’ (HCOs’) Implementation Of HIPAA Privacy Rule Requirements And Three Organizational Performance Outcomes, 2002– 03 Outcome: odds ratioa (95% CI)

Variable

HCO’s privacy policies do not HCO able to interfere with protect doctors’ ability to confidentiality of medical records provide best care

Administrative practice index (reference group: 0 or 1 measure implemented) 2 or 3 measures implemented 1.40 (0.83–2.37) Procedural practices index (reference group: 0 or 1 measure implemented) 2 or 3 measures implemented Paper medical records (PMR) security index (reference group: 2 or fewer measures implemented) 3 or 4 measures implemented Policy dissemination index (reference group: 2 or fewer policies disseminated) 3 or 4 policies disseminated 5 or 6 policies disseminated Knowledge of organization’s privacy policy (reference group: low knowledge) High

HCO’s privacy policies do not interfere with doctors’ ability to consult with colleagues

0.84 (0.54–1.31)

0.90 (0.58–1.41)

6.81**** (3.58–12.97)

5.33**** (3.25–8.73)

4.87**** (2.96–8.00)

2.11*** (1.36–3.26)

1.16 (0.79–1.72)

1.22 (0.82–1.81)

2.01*** (1.24–3.26) 3.18**** (1.72–5.92)

1.63** (1.03–2.58) 1.96** (1.15–3.32)

1.80** (1.12–2.89) 1.77** (1.04–3.01)

0.94 (0.50–1.77)

1.39 (0.76–2.53)

1.15 (0.63–2.12)

SOURCE: Authors’ survey of physicians’ views on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. NOTE: N = 933. a Odds ratios compare physicians’ probability of responding “very good” or “good” (combined) with that of responding “fair,” “poor,” or “very poor” (combined) grouped by the variables presented in the exhibit. **p < .05 ***p < .01 ****p < .001

ability to care for patients, and 4.9 times more likely to not interfere with physicians’ ability to consult with colleagues (Exhibit 4). Similarly, better training on privacy policies was correlated with doing a “good” or “very good” job on each of the three outcomes. Implementation of administrative practices (designation of a privacy officer, conducting security audits, and providing a complaint mechanism) was not associated with performance on any of the three outcomes.

Discussion n

Privacy and quality. Initially, the findings we have presented appear to be contradictory. On the one hand, most physicians believe that the Privacy Rule as a whole and a few of its key provisions do not improve the protection of confidential

H E A L T H A F F A I R S ~ Vo l u m e 2 4 , N u m b e r 3

839

D ata Wat c h

“Compliance with the rule could be a marker of organizations’ overall capacity to provide high-quality care.” health information, and some worry that compliance with the rule might hinder medical research. On the other hand, many physicians report that several specific Privacy Rule requirements will improve privacy protection, and they rate organizations that meet a greater number of these requirements more positively. Most importantly, the physicians gave the organizations that are meeting more Privacy Rule requirements higher ratings in terms of one key area of concern: physicians’ ability to interact with colleagues to provide high-quality care. There are at least three possible explanations for this tension in our findings. First, while we asked physicians about the level of implementation of Privacy Rule practices within their practice settings, we did not ask whether these practices were implemented in direct response to the rule. Physicians may be skeptical of the benefits to be gained from implementation of the Privacy Rule because the procedures required by most of its effective provisions were already in place or because physicians perceived them to be in place. It is worth noting that the impetus for the Privacy Rule was a concern that electronic health information would not be adequately protected, given the call for increasing computerization of health information in HIPAA’s administrative simplification provision. Only a third of physicians in this sample reported using EMRs, so the majority of physicians could be underestimating the potential of the rule to increase privacy protection for electronic health information. However, because physicians believe that the Privacy Rule contains both effective and ineffective provisions, interpretation of an overall rating is more complex. The second explanation has to do with some physicians’ general attitudes toward medical privacy, the Privacy Rule, or the regulation of health care. Physicians’ perception that the Privacy Rule will not greatly improve privacy protections may stem from a belief that their ethical and professional obligations, not regulatory mandates, assure patients’ privacy and confidentiality. Indeed, some physicians might not object to the rule’s contents so much as its manifestation of regulatory intervention in the practice of medicine. For the nearly half of physicians who do not perceive violations of medical privacy to be a major problem, even modest burdens to improve privacy protection might seem excessive. Some physicians may also have misperceptions about the rule’s requirements and believe them to be more draconian or expensive to implement than they really are. Third, the correlation between the implementation of privacy practices required by the Privacy Rule and improved quality of care might reflect unmeasured intermediary characteristics of the organizations. That it, those organizations positioned to readily comply with rule requirements might also be capable of meeting many other standards for quality of care, perhaps because of an organi-

840

May/ June 2005

P r i vac y

Ru le

zational culture that takes both patients’ privacy and quality of care very seriously. While our analyses accounted for some organizational characteristics, measuring organizational culture is difficult. Compliance with the rule could be a marker of organizations’ overall capacity to provide high-quality care. n Study limitations. Our study should be interpreted in light of several important limitations. First, the study population is not representative of the total population of U.S. physicians. Our sample was younger and included higher proportions of whites and U.S. medical school graduates than the total U.S. physician population. Despite the statistical significance of these differences, however, their magnitude was small, and these variables were not significant in our multivariate models. Second, it is possible that respondents had stronger feelings than nonrespondents about the subject matter. However, given the small percentage of respondents (25 percent) who were very concerned about privacy violations, it is unlikely that the majority of respondents hold extreme views about privacy. Third, our results could reflect a degree of social desirability bias. For instance, physicians were asked to characterize their knowledge of organizational policies and of the Privacy Rule. If physicians overstated their knowledge, we may have seen inflated estimates of the effect size of this variable in our multivariable model. However, it is unclear what the direction of this potential source of bias might be with regard to our outcome variables. If the extent of organizational performance were overstated, for example, differences based on Privacy Rule compliance would have been more difficult to detect. Finally, the survey followed closely upon the publication of the last set of revisions to the Privacy Rule in August 2002. Physicians could have based their knowledge of the rule on its penultimate version, which was much more burdensome than the final one. This may partly account for the negative attitudes toward the Privacy Rule as well as for some of the disparity observed between these attitudes and physicians’ positive assessments of the rule’s functioning. n Policy implications. Our data are consistent with the GAO’s conclusion that Privacy Rule implementation has not hindered the provision of health care. Moreover, our finding that Privacy Rule compliance is associated with better medical record privacy protection suggests that the rule may facilitate confidentiality and privacy protection. In view of these results, the time is right to begin to move beyond assessments of Privacy Rule compliance toward a focus on the effects of the rule on privacy protection and quality of care. The GAO has begun to do this by examining the numbers of formal complaints of privacy violations filed with the Office for Civil Rights at the U.S. Department of Health and Human Services as a measure of the rule’s functioning. Industry surveys also report on the numbers of privacy breaches. However, such statistics are difficult to interpret because there is no baseline measure to act as a comparison. There is a need for the development of reliable indicators of the effects of compliance on quality of care, conduct of medical research, and practitioners’ work patterns.

H E A L T H A F F A I R S ~ Vo l u m e 2 4 , N u m b e r 3

841

D ata Wat c h

Our finding that physicians view the Privacy Rule and some of its provisions negatively is troubling. Physicians may be less likely to share health information if they perceive privacy protections to be inadequate. They may also be less willing to implement requirements that they perceive as ineffective. Increased attention to the training, engagement, and participation of individual physicians and professional organizations in Privacy Rule implementation efforts is necessary to ensure meaningful protections for the privacy of health information. This research was supported by the American Medical Association and the Johns Hopkins University Phoebe R. Berman Bioethics Institute and Johns Hopkins Institute for Information Security. The authors gratefully acknowledge the help of Kelsey Brodsho and Jeanne Uehling with survey administration and thank Ezekiel Emanuel and David Buchanan for their insightful comments on earlier drafts. The opinions expressed here are those of the authors and do not represent the positions or policies of the organizations with which they are affiliated. NOTES 1. 2.

3. 4. 5.

6. 7. 8.

9.

10. 11. 12.

842

U.S. Department of Health and Human Services, “Standards for Individually Identifiable Health Information,” 45 CFR, Parts 160–164, 14 April 2001. L. Meckler, “New Patient Privacy Rules Take Effect,” Boston Globe, 24 April 2003; L. Landro, “HealthPrivacy Act Poses Problems,” Wall Street Journal, 24 April 2003; S. Lewis, “Patient Care Suffers under Privacy Law,” Detroit News, 29 March 2004; M. Kissinger, “Fears over Privacy Law Compromising Care,” Milwaukee Journal Sentinel, 9 November 2003; R. Stein, “Patient Privacy Rule Brings Wide Confusion,” Washington Post, 18 April 2003; and M. Sorkin, “Privacy Law Has Unforeseen Implications,” St. Louis Post-Dispatch, 29 June 2003. HIMSS/Phoenix Health Systems, “U.S. Healthcare Industry HIPAA Compliance Survey Results: Winter 2005,” www.hipaadvisory.com/action/surveynew/winter2005.htm (28 March 2005). U.S. Government Accountability Office, Health Information: First-Year Experiences under the Federal Privacy Rule, September 2004, www.gao.gov/cgi-bin/getrpt?GAO-04-965 (10 December 2004). G. Siegal, N. Siegal, and Y. Weisman, “Physicians’ Attitudes toward Patients’ Rights Legislation,” Medicine and Law 20, no. 1 (2001): 63–78; and A.R. Van Haeringen, M. Dadds, and K.L. Armstrong, “The Child Abuse Lottery—Will the Doctor Suspect and Report? Physicians Attitudes towards and Reporting of Suspected Child Abuse and Neglect,” Child Abuse and Neglect 22, no. 3 (1998): 159–169. D. Mechanic, “Physician Discontent: Challenges and Opportunities,” Journal of the American Medical Association 290, no. 7 (2003): 941–946. M.M. Mello et al., “Caring for Patients in a Malpractice Crisis: Physician Satisfaction and Quality of Care,” Health Affairs 23, no. 4 (2004): 42–53. J.J. Lindenthal and C.S. Thomas, “A Comparative Study of the Handling of Confidentiality,” Journal of Nervous and Mental Disease 168, no. 6 (1980): 361–369; and D.H. Novack et al., “Physicians’ Attitudes toward Using Deception to Resolve Difficult Ethical Problems,” Journal of the American Medical Association 261, no. 20 (1989): 2980–2985. American Medical Association Ethical Force Program, The Domain of Health Care Information Privacy—Protecting Identifiable Health Care Informational Privacy: A Consensus Report on Eight Content Areas for Performance Measure Development, December 2000, www.ama-assn.org/ama/upload/mm/369/ef_privacy_rpt.pdf (19 January 2005). Louis Harris Associates, “Health Information Privacy Survey” (New York: Harris/Equifax, 1993). D. Hosmer and S. Lemeshow, Applied Logistic Regression, 2d ed. (New York: John Wiley and Sons, 2000), 321. American Medical Association, Physician Characteristics and Distribution in the U.S., 2004 Edition (Chicago: AMA, 2004).

May/ June 2005