Putting Patients First: How HIPAA Changed the Health Information Landscape

When it comes to the protection of patient information, Jane Rogers, RHIA, has spent her impressive career in health information management (HIM) advocating for institutional change. From being an active member of AHIMA, to testifying in front of the US House of Representatives and Senate, Rogers has set herself apart as a true public servant.

In 1976, Rogers joined the staff of the American Medical Record Association (now AHIMA) as the state liaison representative. At that time, AMRA did not have an office in Washington, DC, and hired a consulting firm in DC to represent the profession. In the years following the Privacy Act of 1974 and release of the Privacy Commission Report of 1977, there were a number of bills in Congress addressing health information privacy.

“The association identified a need to have a credentialed staff member represent the profession and work with the consulting firm,” Rogers says. Therefore, in 1978, Rogers became the director of legislative affairs for AMRA and served as staff member to the AMRA Federal Advisory Panel. She traveled between the Chicago headquarters and Washington, DC, and represented AMRA at Congressional hearings and the Peer Standards Review Organization (PSRO) meetings, in addition to other meetings of interest to the profession.

Rogers recognized a great opportunity to represent the association, which effortlessly synced with her interest in the legal aspects of HIM. She entered the profession and became an RHIA under the influence of her father, Joe O. Rogers, JD, who was a health administrator and a healthcare attorney at the University of Oklahoma Medical Center and later the director of Medicare for the state of Oklahoma.

During her 52 years involved with AHIMA, Rogers has accomplished a laudable amount in her efforts to improve the protection of patient information. The HIPAA and HITECH Acts provided protection for health information and medical records and have enabled and supported the adoption of health information technology and the electronic health record (EHR). “I believe that patients and healthcare institutions have been well served by increased security of health information and use of the EHR. In the past, I know that our profession was very cautious of, if not opposed to, electronic medical data, data banks, and certainly the concept of the health information exchange (HIE) that we experience today,” Rogers says.

With the growth and improvement in confidentiality and security guidelines and the use of electronic data availability, technology has become essential to patient care. In support of health information privacy, security and general healthcare legislation, Rogers has served on the Advocacy & Legislative Committee of the Texas Health Information Management Association (TXHIMA) since 2018.

Advocacy in Action

Prior to the existence of the HIPAA, there were no federal limits on how healthcare providers, employers, or insurers collected and shared health information, both within and outside of a specific healthcare system. The absence of a protective law became a major impetus for the enactment of HIPAA.

“There was substantial variation between the states on many aspects of medical records law. Because there was no national health privacy law, patients had to depend on state law, if and when it applied,” Rogers says.

As a result of the Privacy Act of 1974, the US Congress introduced multiple pieces of legislation in the House of Representatives and the Senate on privacy and confidentiality of patient protected health information. AMRA acted in two ways: First, it published the “Confidentiality of Patient Health Information, A Position Statement of the American Medical Record Association” in December 1977; and second, it initiated the AMRA Health Advisory Panel. The AMRA executive director, director of professional services and board of directors representatives served on the panel. Rogers was staff to the panel and Lorraine Volz, RRA, served on the panel as a board member and as president of AMRA.

On April 9, 1979, the US House of Representatives Committee on Governmental Operations formally addressed potential legislation to protect the privacy of medical records. Rogers, along with Lorraine Volz, RRA, director of the medical record department of the Thomas Jefferson University Hospital in Philadelphia, appeared before the House of Representatives to testify against the lack of statutes protecting patient confidentiality.

“We recognized, over the years, an increased demand for the release of medical records for use other than patient care, such as payment of healthcare services, public health, research, employers, insurance companies, judicial processes, credit investigations, and accrediting, licensing, and certifying agencies,” Rogers says. “With the expansion of technology, linkage with computer files for release of information also came into play. Overall, the different types of consent for releasing records became a major issue.”

According to Rogers, the evolution of the paper medical record to EHRs, the digital age of computers, networks of shared information, regional HIEs, and the increased need to maintain state and national data banks for public health purposes have increased the need to maintain vigilance over privacy and security of health information. HIPAA regulations have also evolved since 1996 and have generally met the challenge to maintain privacy and security.

During that same year on August 3, Rogers, Carolyn Cave, RRA, executive director of AMRA, and Lorraine Volz testified again to the US Senate Committee on Governmental Affairs. At the core of their testimony they posited better solutions for fulfilling the obligations to provide needed information to serve the patient, the provider, and the community while protecting the patient. The inherent dilemma also included confidentiality versus payment for services on a timely basis to assure cash flow, confidentiality versus insurance, employment, credit and other services, and confidentiality versus economics.

It was the opinion of AMRA leaders that federal legislation was needed to provide basic legal provisions for health information privacy and security to serve as information for the public about use of their information and for states to use as a base for state legislation. In the AMRA testimony before the House of Representatives on April 9, 1979, Rep. Robert F. Drinan stated: “It is a different type of experience these days when somebody recommends more regulation and another federal bureaucracy. So we welcome you and thank you for your testimony.”

“Overall, I think our testimony made an impact, because we were able to get to know people and had representation in Washington,” Rogers says. “Our congressional representatives and senators cannot have a grasp on everything that they're hit with. They hear the good, the bad, the ugly, and then they have to investigate through people in the industries coming in telling them, ‘Well, this is a problem for us.’ That’s where AMRA came in and said that they could help by enacting legislation.”

The Impact of COVID-19 on Patient Information

In the 47 years since the enactment of the Privacy Act in 1974 and implementation of HIPAA in 1996, the challenge remains to defend the patient’s civil right to maintain privacy of their medical record and health information. With the onset of the pandemic in early 2020, US hospital systems saw greater demand for patient information, and HIPAA issued “waivers” on sanctions and penalties. Rogers, being active in her retirement, immediately recognized the broader impact that COVID-19 would have on the transfer of medical records.

“The COVID-19 and 2020 public health emergency created a plethora of demands on the health system and patient information,” Rogers says. “These demands included, but were not limited to, changes in healthcare delivery through telemedicine and mobile units, changes to payment provisions and systems, the need to address expansion of healthcare in rural areas and to economically disadvantaged populations, and more.”

COVID-19, in conjunction with the declaration of a public health emergency in 2020, presented a great challenge to the HIPAA Privacy and Security rules and to the determination of the US health system and health information management and computer professionals to maintain patient privacy. Today, the HIPAA Privacy Rule has specific provisions for public health emergencies and permits disclosures to public health authorities, emergency personnel, providers, health systems, and health plans without authorization. Provisions are made for exchange of information about patients in order to care for the patient and to prevent or lessen a serious imminent threat to the health and safety of a person or the public.

Rogers has dedicated much of her time during the COVID-19 pandemic to conducting research for a comprehensive guide to HIPAA and COVID-19 titled, “Guide to HIPAA, Civil Rights & COVID-19” for TXHIMA.

An Optimistic Look Ahead

To Rogers, the contributions of AHIMA and HIM professionals in the area of patient protected health information privacy and security have provided monumental changes and safeguards through support of federal and state legislation and the HIPAA privacy and security regulations. These contributions have promoted the civil rights of patients and have enabled us to meet the evolution of the patient medical record from paper to the EHR and digital age. New challenges are ahead for the delivery of health care, expansion of health data sharing, and creation of better cybersecurity systems. Rogers has no doubt HIM professionals are up to the task; they must always demand a seat at the table in Congress and wherever decisions are made in support of patient health information privacy and security.