January 27, 2016
HIPAA, Part II: When Providers Hide Behind a ‘Code of Silence’
BY Mary Mahoney
HIPAA, the Health Insurance Portability and Accountability Act of 1996, governs the use and disclosure of personal health information. When a patient is asked to sign a Notice of Privacy Practices at the hospital or doctor’s office, for example, they acknowledge receiving a notice describing the circumstances under which their medical records may be disclosed to other parties, from a health insurer and well-meaning relatives to, possibly, a co-worker or acquaintance.
Not everyone is bound by HIPAA’s privacy and disclosure requirements, but those who are deemed covered entities must follow certain rules. At the same time, many health-care providers, both individuals and institutions, have been found to use HIPAA as a blanket cover-yourself-from-liability tool.
A July 2015 story in The New York Times, aptly headlined “HIPAA’s Use as Code of Silence Often Misinterprets the Law,” cites examples of health-care providers who refuse to accept information from a relative about a hospitalized patient’s allergies to medications. In fact, there is no rule against receiving that information.
Behavioral health is one area where the privacy issue can be particularly sensitive. In June 2015, House Representative Doris Matsui, D-California, introduced a bill called the Including Families in Mental Health Recovery Act of 2015. It is really more of a reminder that the Privacy Rule, in fact, allows for much more leeway than is generally thought. The U.S. Department of Health & Human Services website FAQ suggests some pretty broad loopholes:
“Q: Does HIPAA allow a health-care provider to communicate with a patient’s family, friends or other persons who are involved in the patient’s care?
“A: Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health-care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health-care providers may communicate with a patient’s family members, friends or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. See 45 CFR 164.510(b).”
The Health & Human Services site goes on to list many other cases where a covered entity may disclose information. Covered entities include health insurance companies, labs that test blood and radiology departments that conduct X-ray and other tests. Some patients don’t realize that these covered entities may also disclose their mental-health condition to a friend or relative.
An all-purpose privacy exemption, the clause covering disclosures “for Notification and other purposes,” permits a covered entity to disclose to a friend or relative based on the patient’s “informal permission.” It’s not clear what constitutes informal permission, but a signed authorization is not required. What if an ex-spouse in a contentious divorce calls pretending to be the patient? That spouse could, theoretically, get the patient’s records, location and general condition.
Written authorization, on the other hand, is needed to disclose information not otherwise covered by the Privacy Rule. In those cases, covered entities must have a signed permission slip from the patient that specifies what, when and to whom the information should be given.
There are 12 national priority purposes that don’t require permission or authorization. They include disease control, abuse cases, judicial or administrative proceedings, identifying a suspect, workers’ compensation and more. Since these recipients are generally not covered entities, HIPAA itself places no further restriction on what they do with the information. Even psychotherapy notes may be exempt from required authorization if the therapist is being sued.
Most violations are unintended. They include outside data hacking, carelessness, lack of encryption and improper records disposal. In 2009, CVS pharmacy paid $2.25 million to settle a case in which it was accused of tossing health information into dumpsters.
Some violations may be malicious, such as gaining inadvertent access to the records of a hospitalized celebrity and then sharing those records online. The American Medical Association lists penalties of up to $1.5 million per year for each type of violation, but totals can be higher: NewYork-Presbyterian Hospital paid a $3.3 million fine for disclosing records of 6,800 patients to Google and other Internet search engines when a computer server was “errantly reconfigured.”
Next I’ll look at how to better manage health-care decisions around HIPAA’s rules.