Beware of HIPAA Zealots
By Juliann Schaeffer
For The Record
Vol. 27 No. 11 P. 22
Fear of federal punishment and lack of training can lead health care professionals to overstep the law's boundaries.
Doctors, nurses, patients, even the checkout clerk at the hospital cafeteria: Is there anyone who comes in contact with the health care system who hasn't heard of HIPAA? The law's privacy and security regulations, meant to protect patients' rights to their own health information, are well known—or are they? In part thanks to fears of regulatory fines coupled with insufficient or irregular training, it seems not everyone in health care is up to speed on what HIPAA's privacy aspects really say and mean.
Such insufficient know-how or misinterpretation of HIPAA can create communication hurdles for patients and may even impede good clinical care. Neither was ever intended or imagined as a consequence of protecting patients' rights. Experts say complete and continuing training is the consummate prescription to ensure such overreach doesn't occur or continue.
HIPAA's Intended Purpose
According to Carol Levine, director of the Families and Health Care Project of the United Hospital Fund, HIPAA was intended to make health care delivery more efficient by encouraging electronic transmission of information (then in its infancy) and to increase access to health insurance by making it easier to transfer from one employer to another (portability).
Although it sets standards for sharing protected health information (PHI) and shielding it from unauthorized uses, the law is more about portability, Levine says. "The 'P' in HIPAA does not stand for 'privacy,'" she says. "The privacy protections are part of the administrative simplification provisions."
Nevertheless, privacy protections are paramount. "Somebody doesn't need to know you have cancer unless you want them to know that," says Angela Rose, MHA, RHIA, CHPS, FAHIMA, director of HIM practice excellence at AHIMA. "The same goes for if you're pregnant. It stems from an individual's right to privacy, regardless of what the information contains."
Patients have the right to keep their information safe from individuals and agencies, including identity thieves, marketers, scandal-seekers, and others who might use it for their own purposes, Levine says. However, HIPAA was never intended to cloud clinical judgment by preventing providers from sharing information regarding a patient's care with others involved in that care. Nor was its purpose to keep family members, others identified by the patient, and patients themselves from gleaning information, she adds.
The Office for Civil Rights (OCR), responsible for enforcing HIPAA, says: "The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for health care."
"This is not an open invitation to distant or estranged relatives to get information," Levine says. "The person has to be someone identified by the patient and involved in care. The one caveat: Information cannot be shared if the patient objects. If the patient cannot communicate, information can be shared if it can reasonably be inferred that the patient would not object."
While intended to address the unauthorized sharing of personal medical information, the privacy aspects of HIPAA have, in certain instances, morphed into something more, so much so that instead of seeing HIPAA as a vehicle for securing their information, Levine says most people, including health care providers, now view HIPAA as a barrier to sharing information with anyone other than the patient, and sometimes even with the patient.
In fact, patient complaints about access to their own health records are the third most frequent type of complaint made to the OCR. (The most frequent complaint pertains to improper uses and disclosures of PHI.) For sure, HIPAA's a balancing act, but certain instances showcase how HIPAA can be taken out of context.
Levine testified on this subject before the US House of Representatives' Energy and Commerce Subcommittee on Oversight and Investigations in 2013. During testimony, she said: "Although it was not the intent of the law, HIPAA has been interpreted and misapplied as a barrier to communication with the very people who have a deep and often lifelong relationship with the patient and who will be responsible for managing or providing care in the community. When a family member asks almost any question relating to a family member's care and treatment, this is what they too often are likely to hear: 'I can't tell you because of HIPAA.' End of conversation."
According to Levine, the way HIPAA has been misinterpreted makes it seem as though the law is intended to protect health care providers and facilities from families, who are often portrayed as dysfunctional, selfish, greedy, or worse.
Kelly McLendon, RHIA, CHPS, president of Health Information Xperts, believes instances of HIPAA overreach are uncommon. Where overreach does occur, he posits that the interplay of federal HIPAA specifics with state regulations may be a factor.
"State law can be stronger than HIPAA and override HIPAA," McLendon says. "This does happen regularly, and it's important to distinguish between state law causing issues and HIPAA." Such privacy misinterpretations can be prevented or halted through strong policies and procedures and effective training, he notes.
A Blockage or a Valve?
During a 2013 interview Levine conducted with former OCR head Leon Rodriguez for the American Society on Aging, Rodriguez viewed HIPAA more as a valve than a blockage. "For example, if a patient doesn't object to a provider sharing information with a family member, then that is permissible under HIPAA. HIPAA does not require patients to sign a release to allow family members to be present when the patient is receiving care or talking to doctors," he said.
If a patient does object, providers are asked to use their best judgment to ascertain the individual circumstances of the situation to determine whether a disclosure is warranted. "So, it's meant to be a common sense scale," Rodriguez said.
It's impossible to quantify the number of instances of providers unnecessarily blocking the exchange of PHI in the name of HIPAA. However, firsthand accounts have emerged, including one from Levine herself.
"When my sister went to an emergency department with excruciating pain, she called and asked me to go with her," she recounts. "This was at a major academic medical center in New York. The triage nurse told her to follow her into an office. I helped her up and as I started to go with her, the nurse looked at me rather fiercely and said, 'You stay here. I can only talk to the patient. HIPAA rules.'"
Even after Levine's sister made it clear it was OK, the nurse stood her ground, says Levine, who recalls being intimidated. "When my sister came out of the room, I asked what the nurse had wanted to know, and she said, 'Oh, just the usual: my health insurance and my doctor's name.' Nothing private at all."
Oddly enough, while Levine's sister waited on a gurney for hours in the emergency department, privacy took a backseat. "We heard conversations between staff and patients and between staff about patient information that should never have been public," Levine says.
According to Rose, it's fairly common for health care organizations to withhold information "because of HIPAA" when they really have no reason to. "HIPAA is very particular in what can or cannot be released and who it can be released to, but I think when someone doesn't understand the full extent of what the law is trying to do, they end up overinterpreting," she says.
For example, problems can occur when family members or caregivers aren't present for postdischarge medical instructions. Whether due to cognitive issues or "posthospital syndrome," a temporary condition caused by stress and disorientation, Levine says it's common for discharged patients to return home and fail to remember the instructions given by their doctor or nurse.
"Failing to fully inform and instruct the person who is responsible for providing care at home is certainly a problem and can lead to unnecessary hospitalizations or rehospitalizations as well as other poor outcomes," she says. "Sometimes staff get around having conversations with family members by saying, 'I told your mother about her medications,' even though Mom can't remember or understand. Or you could be told to make sure Mom takes her medications but not what they are for."
An Overarching Fear
Health care professionals aren't intentionally refusing patients or caregivers information that's necessary for optimal patient care, but HIPAA overreaches occur nonetheless. Why? Lack of training and a fear of reprisal are two likely reasons.
"The most common fears are that staff members will be sued, fined huge amounts, lose their jobs, go to prison," Levine says, noting these concerns are largely overstated. Fears of being sued by a patient in particular are exaggerated: a patient can file a complaint with the OCR, but HIPAA contains no provision for a private lawsuit, so any suit would have to be handled in state court. Most fines levied by the OCR stem from egregious lapses in security policy and procedures, not from physicians sharing too much patient information with a layperson.
With OCR's HIPAA audits moving full steam ahead, Rose says cautious health care professionals would rather do more than not enough. However, she says they're often trying to enforce something that doesn't exist within the law. "And in the end, that could violate a person's rights in other ways that have nothing to do with HIPAA," Rose says.
"Last year there was an incident on the news where a little boy, maybe 18 months old, was with his mother in the doctor's office," she continues. "The mother was filming in the doctor's office with her phone, narrating the visit or whatnot. The physician's office cried HIPAA and said she couldn't film. Regardless of why (their reasoning was unclear), they separated the woman from her child and then demanded to have her phone so that they could delete the video.
"That's one example of extreme behavior where there were probably more rights violated that had nothing to do with HIPAA, but they were done in its name."
In August, The Wall Street Journal reported a case in which a patient had trouble accessing her medical records after her identity was stolen to obtain medical care. "She was not allowed access to her own medical record to protect the thief's privacy," Levine says.
Better Training for All
Besides a general fear of recriminations from the OCR, lack of training plays a key role in overzealous HIPAA enforcement. "Medical staffs are woefully uneducated about HIPAA," says Mike Semel, president and chief compliance officer for Semel Consulting, which conducts HIPAA security risk analyses and compliance assessments. "Our projects include an interactive presentation about HIPAA's Privacy, Security, Data Breach, and Omnibus rules, and it amazes me how surprised people are about rules they should have been following since 2003. We still find practices that are using Notices of Privacy Practices that should have been replaced in 2013. I always ask myself, 'How can a medical professional not know about regulations that apply to their industry?'"
Semel says physicians demonstrate their lack of HIPAA knowledge by often telling him how much they hate the law because it interferes with their ability to treat patients. "There's nothing that blocks communications with the patients or their authorized representatives or with other caregivers or payers," he says. "Yes, there are some forms to fill out to authorize communications but if the patient is awake and competent, they can just tell the doctor it's OK to share info with a caregiver or relative.
"I see this all the time when I take my 91-year-old mom to the doctor," he adds. "Through our assessments, I also see practices that think they need to complete reams of paperwork when the patient is there and says it's OK to speak in front of a relative."
Rose recommends organizations conduct training at employee orientation and annually thereafter. However, with the industry undergoing rapid changes in both technology and regulations, she says organizations should strongly consider increasing that frequency. For example, in-depth training should be conducted whenever systems, processes, or laws are modified. "Your employees need to understand and know what your organizational culture of privacy and security of patient information is, whether you're a janitor or a CEO," Rose says.
Semel says the frequency of HIPAA training is less important than the quality of education. "When we audit medical practices to see if their staffs are receiving HIPAA education, two things usually stand out," he says. "First is that the training is not thorough and is not taken seriously. Like required OSHA [Occupational Safety and Health Administration] training to teach people how to prevent injuries, HIPAA is often a five-minute, two-slide presentation just to get the training requirement out of the way."
A typical HIPAA training slide may include basic bullet points such as "You can't share information with unauthorized people," a strategy that Semel says does not properly educate staff on what they can do or offer scenarios that demonstrate the proper course of action in typical situations.
"The other thing that stands out is that staff are trained but the doctors avoid the training and have very little idea about what HIPAA really means," he says.
When physicians joke to Semel about how many HIPAA violations he noticed while sitting in the waiting room, he doesn't take it lightly. "I remind them that they have my name, birth date, Social Security number, address, and other data that could be used to steal my identity, and I believe it's part of my patient care that they secure the data," Semel says, adding that inadequate IT security is more of a concern than having a physician talk about his care with another professional.
It's important to educate patients as well, says Rose, noting how medical settings can be intimidating. "There's a certain disconnect between the frequent advice to have someone accompany you to a doctor's visit or an emergency department or hospital admission and then shutting that person out of the conversation," Levine says. "As my own experience indicates, family members, even those with health care knowledge, can be intimidated and fail to speak up, sometimes out of fear that the patient will be treated badly as a result."
To avoid becoming a victim of overzealous HIPAA enforcement, Levine recommends patients enter health care encounters armed with a thorough understanding of their rights. "I encourage family members to bring, along with a medication list and other information, a copy of our Next Step in Care guide on HIPAA, something that they can show to a staff member that indicates they know the rules," she says. "If there is still resistance, I would ask to speak to the privacy officer or the administrator on call. And then after the incident, I would write to the CEO and suggest that this is poor quality care and reflects badly on the institution's reputation as a patient- and family-centered facility."
According to McLendon, the best way to debunk a suspicious HIPAA claim is to request a copy of the provider's policies and procedures (a HIPAA requirement). Another option is to ask the health care professional to quote the statute they're basing their position on, he says.
Ensuring Privacy, Sustaining Trust
As a longtime privacy advocate, Levine believes strong protections for PHI are essential to building and sustaining trust between providers and patients. However, she acknowledges that sharing information with individuals who are closely involved in a person's care also is essential to quality care and better outcomes.
To ensure both ends are met sufficiently, Levine says common sense and good judgment rather than reflexive statements that fail to serve the patient's best interests should guide health care decisions, including those related to HIPAA.
The goal, Levine says, is to balance privacy and security protections against the need to share information with those involved in a patient's care, without putting up barriers to that care in the process. "There is certainly a need for better security of health care information; most experts agree that the health care industry is among the worst in this area," she says. "But that doesn't translate to failure to talk to families about individual patients."
— Juliann Schaeffer is a freelance health writer and editor based in Alburtis, Pennsylvania.
Next Step in Care family caregiver guide on HIPAA, available at http://www.nextstepincare.org/uploads/File/Guides/HIPAA/HIPAA.pdf