Beware of HIPAA Zealots
by With Thanks to Juliann Schaeffer in For The Record, Nov. 2015
Published on Mar 11, 2016
HIPAA is all about providing privacy protection without putting up barriers to patient care in the process.
Is there anyone in the hospital who hasn't heard of HIPAA? The law's privacy and security regulations, meant to protect patients' rights to their own health information are well known - or are they? Thanks to fears of regulatory fines and insufficient or irregular training, it seems not everyone in health care is up to speed on what HIPAA's privacy aspect really says and means.
Such misinterpretation of HIPAA can create communication hurdles for patients and may even impede good clinical care. Neither was ever intended or imagined as a consequence to protecting patients' rights. HIPAA was intended to make health care delivery more efficient by encouraging electronic transmission of information. Although it sets standards for sharing protected health information (PHI) and shielding it from unauthorized uses, the law is more about portability. The "P" in HIPAA does not stand for privacy. The privacy protections are simply part of the administrative simplification provisions of the law.
HIPAA was never intended to cloud clinical judgment by preventing providers from sharing information regarding a patient's care with others involved in that care. Nor was its purpose to keep family members, others identified by the patient, and patients themselves from getting information. The Office of Civil Rights (OCR), responsible for enforcing HIPAA says "The HIPAA privacy rules at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family member, friend, or other persons identified by a patient, in the patient's care or payment for health care."
While intended to address the unauthorized sharing of PHI, the law has morphed into something more. So much so that instead of seeing HIPAA as a vehicle for securing their information, most people, including case managers and health care providers, now view HIPAA as a barrier to sharing information with anyone other than the patient - and even sometimes the patient. In fact patient complaints regarding access to their own health records is the 3rd most frequent complaint made to the OCR. HIPAA has been misapplied as a barrier to communication with the very people who have a relationship with the patient and some who will be responsible for managing or providing care in the community. When a family member asks almost any quesiton relating to a family member's care and treatment, too often they are likely to hear: "I can't tell you because of HIPAA." End of conversation.
It's impossible to quantify the number of instances of providers unnecessarily blocking the exchange of PHI in the name of HIPAA. According to our experiences, however, it's fairly common for health care providers to withhold information "because of HIPAA" when they really have no reason to. For example, often family members are not in the patient's hospital room when the physician shares information about changes in the patient's post discharge medication regimen. It's common for patients not to remember details after they return home. Unless an effort is made to pro-actively reach out and share that information with family members, medication errors may occur resulting in a return to the ED or readmission.
Care management professionals aren't intentionally refusing patients or caregivers information that's necessary for optimal patient care, but HIPAA overrreaches occur nontheless. Why? Lack of training and fear or reprisal are two likely reasons. Reprisal by the OCR is rare. A patient can file a complaint with OCR but most fines are for egregious lapses in security policy and procedures, not from providers sharing too much patient information with a layperson. The cautious case manager should rather do more sharing than not enough.
Medical staffs are woefully uneducated about HIPAA and are typically surprised when they learn about the rules that they should have been following since 2003! Physicians demonstrate their lack of HIPAA knowledge by often reporting that the law "interferes with my ability to treat patients or with their caregivers or payers." There seems to be the belief that the patient must sign reams of forms before the doctor, nurse or care manager can share any information with a family member and that's simply not so. As long as the patient is competent and awake, they can just tell the doctor is OK to share info with a friend or relative.
HIPAA training is often a 5 minute, two slide presentation given as part of hospital orientation. The training slide may include basic bullet points such as "You can't share information with unauthorized people" which does not properly educate staff on what they can do or offer scenarios that demonstrate the proper course of action in typical hospital situations. Physicians typically avoid any training offerings and have very little idea about what HIPAA really means.
Sharing information with individuals who are closely involved in a person's care is essential to quality care and better outcomes. Case managers must understand the intent of the law and they must help patients and families avoid becoming victims of overzealous HIPAA enforcement. We recommend everyone read a copy CMS's HIPAA Fact Sheet.