Thank you for the opportunity to present to this committee. My name is Keith D. Van de Castle, MD, MBA, MPH. I graduated from the University of Tennessee Medical School where I received the Golden Scalpel award as the one student in the class with the Brightest Future in Medicine. I trained in Family Medicine. I next worked in a clinic in Myrtle Beach, South Carolina where I regularly saw patients who came to the clinic there to discuss their personal health care that they did not feel comfortable discussing in their hometown. Patients amazed me with their stories about how they had suffered from a lack of privacy and the consequences that occurred from these breaches in confidentiality. I next practiced in a Federally Designated Rural Underserved area as a solo practitioner. Many patients refused to get their care in that town because of privacy concerns and instead would drive 30 minutes to see other physicians. Many patients told me stories of how healthcare information about them had been spread around.

I went back to school in 1995 and first learned about HIPAA. I realized that physicians and rural hospitals were going to need assistance with the cultural changes necessary for HIPAA compliance. I quit my job and went to school full-time in 1996 to study HIPAA. I received a Master’s in Public Health with the emphasis area of Health Policy and Administration, specifically HIPAA. I also received an MBA studying the business case of how a small rural hospital and my small clinic were going to be able to comply with HIPAA. I was fortunate to find that the University of Southern Mississippi would let me pursue a course of study in almost all my courses focusing on HIPAA.

After completing school, I set myself up as a business called DoctorVillage.com providing solutions for physicians and hospitals with information security. I sold this business and went to work for a larger information security firm called JAWZ, specifically to build a HIPAA compliance offering. I was able to attend over a hundred HIPAA conferences and met many people who I thought understood the complex cultural change that HIPAA would bring. I was honored to get to know Dr. Bill Braithewaite and he and I had numerous meetings.

I decided to form a company with several other physicians who I met at these HIPAA conferences. I have been honored to work with a high caliber of physicians including Ted Cooper, MD, National Director of Confidentiality and Security for Kaiser Permanente, Alfredo Czerwinski, MD, Chief Medical Officer for Sutter’s 5000 physicians, and over 20 other physicians. I partnered up with instructional design experts and we built a privacy compliance training offering using real world case studies to teach the real changes that will occur in the physician’s practice. We offer our training for each different type of physician customized to their specialty and their entire office staff downloaded to their computer for only $50 per physician, cheaper in bulk. Being a small organization without significant funding, we have not reached the masses, but our clients are all thrilled with the high quality of the offering they have received and the fact that we customize according to their own policies and procedures for free if they are a large group. The American Association of Independent Health Delivery Systems, a large group of IPAs and PHOs, and the National Association of Managed Care Physicians have officially endorsed my training.

I travel extensively talking to medical groups around the country and probably speak to more physicians and office managers than any other physician. I have traveled over 500,000 miles speaking to groups about HIPAA and have given over 250 talks to groups on HIPAA. I was honored to get to do the national web cast on HIPAA for the American College of Physician Executives’ 13,000 members. I now have been honored to be a privacy officer for many physicians across the country.

As I go around the country giving talks, I have given out my home office and home phone numbers. I regularly get 3-4 calls a week from people who are involved in privacy lawsuits. Also, at each talk several people come up afterwards and tell me stories of events that have happened that they know about personally. I now have a record of 119 healthcare privacy violations that have either been involved in a court case or there was a cash payout.

As I hear these stories and all the details involved in them, I have to tell you that I am deeply embarrassed for some of my physician colleagues. The cavalier attitude of many in healthcare towards patient privacy is shocking. The flagrant abuses of the system are everywhere and occur throughout the United States. I regularly ask physicians this question “If you had to have a radical prostatectomy that could leave you infertile, and your insurance would cover to send you to another facility besides the one you practice in, and the care was equivalent, how many of you would rather go to your own facility?” In over 100 different locations, the answer has been that less than 2% would like to go to their own facility. When asked why, the answer is always the same – “I know how much this kind of information is shared beyond the need for medical care.” I ask healthcare employees how many of them know a surgical tech that decided to go elsewhere for their surgery for privacy reasons. Last week at a meeting of over 100 people in D.C., over 80% of people raised their hands. The same is true for nurses delivering a baby at their hospital.

When I was in my residency, one of our attending Ob/Gyn faculty Sue got pregnant. Sue weighed 120 lbs. when 9 months pregnant and worked until the day before her delivery. Sue delivered an 8 lb. 2 oz. baby by vaginal birth. Sue had always told women to stay in the hospital for the two days that insurance would pay for after the birthing so that they could rest up. Her nurse came and told her that no less than 11 people stopped her to ask about whether Sue had an episiotomy or whether she tore while delivering while the nurse went and had lunch in the cafeteria. Sue left after only 10 hours because she was so embarrassed that so many people wanted to know about her personals when it was really not medically necessary.

These stories should embarrass anyone who is a healthcare provider and a physician. By the same token, I feel pride in my profession when I see how hard the majority of providers are working to assist their patients every day. I talk to providers who tell me stories every day of the sincere desire to maintain privacy.

I got a call 2 weeks ago from a physician who is being sued for $100,000.00 because a nurse who used to work for him a year ago talked about a patient without revealing their name. Three weeks ago I received a call from an office that lost 14 paper charts. Two days ago I received a call from an emergency room dealing with a privacy issue at 11:30 p.m. earlier this week,

This week I got a call from a physician being sued. The physician had seen a patient twice before for heart problems related to his cocaine use. The physician was seeing the patient a third time for the same problem. This time the wife was in the room. The patient had the usual tests and the physician entered the room and the patient said, “What’s up, doc?” The physician then told the pt. that the chest pain problem this time was related again to his cocaine use. The physician should have asked the pt. if it was okay to discuss the case and his findings with his wife present, but instead launched into the whole report. The physician said he thought that the pt. implied consent when he asked, “What’s up, doc?” with his wife present. The wife is asking for a divorce and the custody of their children.

The most frequently asked questions I am being asked at my presentations are:

  1. What are we going to do about the security of paper charts? Many practices want to know what they can and cannot do. I have been advising physicians that paper charts are okay and that they do not need to be locked up every night. I will tell you that when I was in practice, I came in one night from class and saw my cleaning staff sitting reading several charts.
  2. Is it okay to keep charts in a box outside the door? I tell folks that they can do this, but should turn the name away from the hall. If a patient asks not to have their chart placed this way, they should try to accommodate this, but otherwise it is okay.
  3. I’ve heard that pharmaceutical representatives should not be allowed back in clinic areas. I tell clinicians that they should sign an agreement with their reps to cover several areas. One, they agree not to peek or read charts. Second, they agree not to recognize anyone or speak to him or her personally. Third, they should sign an agreement that any information they overhear is not disclosed now or in the future and the above agreements. Reps are a source of information for physicians, however reliable, and a source that helps to keep physicians up to date on new medicines. While this access increases the cost of healthcare, it is important, can be done prudently, and is of value to the patients to keep their practitioners knowledgeable. It is also a break in a day where most of your energy is going out to have someone there to provide some energy, calorie rich food and pens to the caregivers.
  4. What about minors? This is a struggling question for all practitioners. I know that HIPAA simply refers to state law here, but this really needs some clarification.
  5. What about educating the general public? There can be no HIPAA compliance without an educated public. Please try to give providers a simple handout that they can provide their patients. This is absolutely critical and would save a tremendous amount of energy on the part of small providers especially. Everyone in the country is trying to duplicate this effort. I would like to assist in drafting a simple, clear message that would save each provider the headache and all the time necessary to draft their own.
  6. The policy on accepting restrictions is one that is a major concern for small practitioners. How can they remember all these restrictions and still do their jobs? How can they do this and not get in legal trouble eventually? I have been telling every group I talk with to avoid the quicksand that the government is trying to impose with this policy. Do the minimum necessary to comply with HIPAA. It is a fine thing in principle, but the reality of it is that no one will be able to keep these straight. Your first day of orientation at a practice is to try and learn all the restrictions that the practice has accepted because they thought they had to under HIPAA. Make one mistake and someone will need to have lunch with an attorney. I tell clinicians to tell their patients that as an individual clinician they do not have the authority to accept a restriction, but that if the patient will put their request in writing that they will submit it to a committee who reviews the possible restrictions. The committee will basically decide not to accept any restrictions. One hospital system of 13,000 employees told me that they decided after learning of this that it would “take a whale of a tale” to convince them to accept any restrictions. This policy works well for movie stars and such, but to promote it to the general public is nothing less than an invitation to ratchet up the cost of privacy compliance by double and create an even more litigious climate in healthcare. I beg of you to consider making clear that this policy is only for those who truly have a serious need and a deep reason to accept this. I tell providers that the way around it is simply to say “I will do everything in my power to help keep the information you request as private as possible and will work diligently to make sure that X does not get access to this information, but unfortunately I have to work with humans, so I can’t agree to promise that this won’t happen”.
  7. What about reasonable standards for people that need to carry healthcare information with them like home healthcare workers? I tell clinicians to carry a lock box in their trunk and then put the charts in there while traveling. If they take them in a house, keep them with you at all times, or else take the lock box with you. For people who insist on taking charts to their house, place them in a locked room and limit access. Please provide guidance on this.
  8. What are the modifications I need to make in my office? I have visited dozens of offices and tried to assist each of them with this. It would save a tremendous amount of time to achieve compliance if there could be a simple video done which explains some of the most obvious things that need to be done and left the other choices up to the individual practice. Another suggestion would be to put out a list of suggested changes that could easily be made. I tell each office to put up at least 3 or 4 signs that say employees only around areas where patient information is kept.