The Health Insurance Portability and Accountability Act (HIPAA) is a familiar document to anyone who’s had a medical appointment or procedure in the last couple of decades. It defines standards for the use and dissemination of health-care information, and directs how organizations must protect electronic medical records. It’s championed as a protector of privacy rights, but even professionals wrongly use it as almost a code of silence.
As explained by the New York Times, medical providers misuse, abuse and otherwise erect barriers in the name of HIPAA that can have frustrating or harmful consequences for patients.
For example:
- Helen Wyvill, 72, lived in a continuing care retirement community. When her friend didn’t show up for a standing swim date, and wasn’t in her apartment, Wyvill asked if she had gone to a hospital, if friends could visit or call, if anyone was taking care of her dog.
No one at the facility would provide any information because of HIPAA.
- Patricia Gross met a close friend in the café of a hospital where Gross’ husband was dying of cancer. Their conversation was about his pain treatment and her distress about it. A woman seated nearby told her that it was improper to discuss details of a patient’s treatment in public, that it was a HIPAA violation.
- When Ericka Gray was out of town on business, her 85-year-old mother went to an ER with back pain. Gray repeatedly phoned to alert the staff to her medical history, such as her mother’s impaired memory, which might mean she’d forget to inform them of her medication allergies. The staff refused to take the information, citing HIPAA.
By the time Gray found a nurse willing to listen, her mother had been prescribed a drug she was allergic to. Luckily, it hadn’t yet been administered.
HIPAA is a key privacy protection measure. But it doesn’t keep concerned family and friends, like Wyvill, from finding out where a patient is. It doesn’t prevent loved ones affected by a patient’s plight from seeking support from others. It doesn’t prevent people with relevant patient information from providing it.
But, for example, it is supposed to prevent medical personnel from discussing patients in a public hospital elevator; to prevent the release of lab results to anyone without patients’ or legal caregivers’ permission; to stop insurance companies from divulging identifiable patient medical information to pharmaceutical companies. These things make sense.
But, as Carol Levine told The Times, HIPAA has “become an all-purpose excuse for things people don’t want to talk about.” She’s director of the United Hospital Fund’s Families and Health Care Project. It publishes a HIPAA guide for family caregivers.
HIPAA does not prohibit health-care providers from sharing information with family, friends or caregivers unless the patient specifically objects. If the patient is unavailable or incapacitated, providers are supposed to use “professional judgment” to disclose pertinent information to a relative or friend if it’s “in the best interests of the individual.” A provider’s judgment, however, may not override a patient’s objection to the release of information if he or she is not incapacitated.
HIPAA applies only to health-care providers, health insurers, outfits that store and manage health data and their business associates. Too many people wander far afield from these applications, including, according to The Times, a minister who refused to name ailing parishioners in the church bulletin.
But a church – like Gross, the distraught spouse – is not a “covered entity” under the law.
Of course, good taste and good manners should apply when discussing someone’s personal information, but that’s true for everything, not just health status.
So, The Times asked, what is and isn’t covered by HIPAA?
Family members may provide information, as Gray tried to do. Keeping information confidential might close your mouth, but it does not close your ears to someone with important information.
An assisted living facility or nursing home may report a death, and also may give someone’s general condition and location, if the patient remains within the facility. If, as Wyvill suggested, residents want administrators to keep a list of people to inform if they’ve gone to a hospital, that’s fine under HIPAA.
Providers have the flexibility to disclose information in the patient’s interest, but they don’t have to, and because they’re wary of HIPAA violations, if a certain patient’s situation is complicated or unclear, they probably won’t.
That’s why caregivers who are a patient’s personal representatives should have a health-care proxy or power of attorney; such documents, prepared in advance by patients and caregivers, authorize, among other things, the release of information, and in those cases, providers must comply.
Under HIPAA, patients consent needn’t be in writing; an oral request will suffice for a relative or friend to receive information. But health-care facilities legally may require a signature on a form, and many do.
The consequences of an unintended HIPAA violation can be serious, but they seldom occur. In the event of a breach or perceived breach, patients may file a complaint with HHS.
HIPAA also is used inappropriately when patients and authorized caregivers are prevented access to patients’ own health records. All patients have the right to view and possess a copy of their records, although providers may charge copying fees.
But it’s not just the law that’s subject to confusion. As The Times noted, “Within families, decisions about how much health information to share, and with whom, often become complicated, as a recent study in JAMA Internal Medicine found. When researchers working to design online patient portals convened two sets of focus groups – one for people over age 75, another for family caregivers – they heard the usual tension between older adults’ need for assistance and their desire for autonomy.”
Seniors don’t want to be a burden to the younger generation, whose members say the burden is not knowing about their medical issues. Seniors might want help, but they don’t want to take orders. They don’t want to feel spied on. So, they might tell their younger loved ones about some of the medications they take – but not all. And that dynamic often changes with increasing disability or a health crisis.
Explained one story source, “Say a senior has a serious medical condition – a stroke, for instance – and requires a lot of help and support. He could recover enough to want to take back control of his health information. It may go back and forth.”
These situations and the discussions they invite are just part of family life. But the law draws a much straighter line. Just because providers might be reluctant to offer information, that doesn’t mean HIPAA says that less is more. As one health-care attorney noted, “HIPAA is more common-sense than people give it credit for.”